好用的asp防SQL注入代码

  以下为引用的内容:
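' Keyword blacklist filter for the query string and the form body.
' Every request value is searched for each token of SQL_injdata; on the first
' hit an empty response is sent and Response.End stops the page.
' Bug fixed here: InStr defaults to a binary (case-sensitive) comparison, so a
' request containing "SELECT" or "Select" passed the original check unchanged.
' InStr(1, value, token, vbTextCompare) makes the search case-insensitive.
' Note for maintainers: this is a substring blacklist, so it also rejects
' ordinary text that happens to contain a token ("android" contains "and");
' it is a last line of defence, not a replacement for parameterised queries
' (ADODB.Command parameters) in the data-access code.
dim sql_injdata,SQL_inj,SQL_Get,SQL_Data,Sql_Post

SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = split(SQL_Injdata,"|")

If Request.QueryString<>"" Then
    For Each SQL_Get In Request.QueryString
        For SQL_Data=0 To Ubound(SQL_inj)
            ' start at 1, text compare: case-insensitive substring search
            If InStr(1, Request.QueryString(SQL_Get), SQL_inj(SQL_Data), vbTextCompare) > 0 Then
                Response.Write ""
                Response.End
            End If
        Next
    Next
End If

If Request.Form<>"" Then
    For Each Sql_Post In Request.Form
        For SQL_Data=0 To Ubound(SQL_inj)
            If InStr(1, Request.Form(Sql_Post), SQL_inj(SQL_Data), vbTextCompare) > 0 Then
                Response.Write ""
                Response.End
            End If
        Next
    Next
End If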


正则

SQL注入是黑客常用的攻击方式,下面介绍如何利用正则表达式编写通用的SQL防注入asp程序。一般的http请求不外乎get和post,所以只要我们在asp文件中过滤所有post或者get请求中参数信息里的非法字符即可,我们实现http请求信息过滤就可以判断是否受到SQL注入攻击。


在连接数据库的Conn.asp文件中加入以下代码:

<%

' Entry point of the filter. Buffering is switched on so that Response.End
' inside StopInjection discards whatever output was already generated; the
' three request collections are then checked in turn. EnableStopInjection is
' the kill switch for the whole check.
Response.Buffer = True

Const EnableStopInjection = True

If EnableStopInjection Then
    If Request.QueryString <> "" Then StopInjection Request.QueryString
    If Request.Cookies <> "" Then StopInjection Request.Cookies
    If Request.Form <> "" Then StopInjection Request.Form
End If


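' Rejects the request when any value of the given request collection
' (QueryString, Cookies or Form) matches the injection pattern below.
' Values: a Request collection; each entry is read through Values(sItem).
' On a match a warning (in Chinese) is written and Response.End stops the
' page; there is no return value.
' Fixes in this version: inside a character class "\b" is the backspace
' character, not a word boundary, so "[\s\b+()]" merely matched one extra
' control character; the classes are written without it. The keyword "retun"
' was a typo for "return".
' Caveat: the alternation has no word boundaries and contains everyday words
' (if, else, end, and, or, as, go, use, open, close, add, set), so any value
' with a space followed by one of them ("Tom and Jerry", " android") is
' rejected, and the leading "'" alternative rejects every apostrophe
' ("O'Brien"). Tune the list for the site; parameterised queries remain the
' primary control against injection.
Sub StopInjection(Values)
    Dim regEx, sItem, sValue

    Set regEx = New RegExp
    regEx.IgnoreCase = True
    regEx.Global = True
    regEx.Pattern = "'|;|#|([\s+()]+(select|update|insert|delete|declare|@|exec|dbcc|alter|drop|create|backup|if|else|end|and|or|add|set|open|close|use|begin|return|as|go|exists)[\s+]*)"

    For Each sItem In Values
        sValue = Values(sItem)
        If regEx.Test(sValue) Then
            Response.Write "检测到SQL注入危险, 请确认你提交的信息不含有危险信息并清空IE缓存,重新提交信息。"
            Response.End
        End If
    Next

    Set regEx = Nothing
End Sub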

%>
 
 
360:

<% 

' 360websec-style request filter. Each request collection is scanned by
' stophacker with a pattern of SQL and script fragments (form and cookie use
' the same pattern; the query-string pattern differs slightly and also rejects
' a bare apostrophe), then ms refuses to run while the updater script is
' still present.
' Caveat: On Error Resume Next swallows any runtime error raised inside
' stophacker (a pattern that fails to compile, for instance); the request then
' continues unfiltered with no indication that the check was skipped.
On Error Resume Next

If Request.QueryString <> "" Then stophacker Request.QueryString, "'|(and|or)\b.+?(>|<|=|in|like)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)"

If Request.Form <> "" Then stophacker Request.Form, "\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)"

If Request.Cookies <> "" Then stophacker Request.Cookies, "\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)"

ms

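' Tests every value of the request collection `values` against the regular
' expression `re` (case-insensitive). On the first match the request is
' refused with "360websec notice:Illegal operation!" and Response.End; there
' is no return value.
' Changes in this version: the original wrapped the scan in an outer
' "for each n_get in values" loop that never used n_get and simply re-ran the
' whole scan once per key, and it created a new RegExp object for every value.
' One scan with one RegExp object gives the same outcome, since the first match
' ends the response anyway. The commented-out slog(...) call had been broken
' over several lines by the page rendering; it is restored as a comment block
' so the listing parses.
' Note: IP is read from HTTP_X_FORWARDED_FOR when that header is present. The
' header is supplied by the client or an upstream proxy and is not trustworthy
' on its own; treat the logged value as informational.
function stophacker(values,re)
    dim l_get, l_get2, regex, IP

    set regex = new regexp
    regex.ignorecase = true
    regex.global = true
    regex.pattern = re

    for each l_get in values
        l_get2 = values(l_get)
        if regex.test(l_get2) then
            IP = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
            If IP = "" Then
                IP = Request.ServerVariables("REMOTE_ADDR")
            end if
            ' Logging is disabled, as in the original listing. To record the
            ' hit through slog, the original built a record along these lines
            ' (labels were Chinese; line breaks stood for markup the rendering
            ' dropped):
            ' slog("IP: " & IP & vbCrLf & _
            '      "time: " & now() & vbCrLf & _
            '      "page: " & Request.ServerVariables("URL") & vbCrLf & _
            '      "method: " & Request.ServerVariables("Request_Method") & vbCrLf & _
            '      "parameter: " & l_get & vbCrLf & _
            '      "data: " & l_get2)
            Response.Write "360websec notice:Illegal operation!"
            Response.end
        end if
    next

    set regex = nothing
end function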


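' Appends one line to /log.htm under the web root, creating the file first if
' it does not exist. No return value.
' Security fix: `logs` is built from request parameters by the (commented-out)
' stophacker caller, i.e. attacker-controlled text, and a file named log.htm
' below the site root is served as HTML to anyone who requests it. The text is
' now passed through Server.HTMLEncode, so a logged payload cannot run as
' script in the browser of whoever opens the log; any markup in `logs` is
' shown literally.
' Remaining concern: a log file below the web root is readable by every
' visitor and will contain submitted parameter values. Keeping it outside the
' site directory (path chosen per deployment) avoids that exposure.
sub slog(logs)
    dim toppath, fs, Ts

    toppath = Server.Mappath("/log.htm")
    Set fs = CreateObject("scripting.filesystemobject")

    ' create the file on first use so OpenTextFile in append mode (8) has a target
    If Not fs.FileExists(toppath) Then
        Set Ts = fs.CreateTextFile(toppath, True)
        Ts.Close
    end if

    Set Ts = fs.OpenTextFile(toppath, 8)
    Ts.WriteLine Server.HTMLEncode(logs)
    Ts.Close

    Set Ts = nothing
    Set fs = nothing
end sub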

' Refuses to serve the page while the updater script update360.asp still
' exists in the current page's directory; the operator is told (in Chinese) to
' rename it. No return value.
sub ms()
    dim updaterPath, fso

    updaterPath = Server.Mappath("update360.asp")
    Set fso = CreateObject("scripting.filesystemobject")

    If fso.FileExists(updaterPath) Then
        Response.Write "请重命名升级文件update360.asp防止黑客利用"
        Response.End
    end if

    Set fso = nothing
end sub

%>



 

 function killn(byval s1) '过滤数值型参数 

if not isnumeric(s1) then 
killn=0 
else 
if s1<0 or s1>2147483647 then 
killn=0 
else 
killn=clng(s1) 
end if 
end if 
end function 

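' Formats a numeric request parameter as a currency-style string with two
' decimals and no digit grouping (FormatNumber(s1, 2, -1, 0, 0): two decimals,
' leading zero on, parentheses for negatives off, grouping off). Returns the
' number 0 when the input is not numeric.
' Fix: the trailing comment on the function line had lost its apostrophe and
' made the listing a syntax error.
' The decimal separator follows the server locale.
function killc(byval s1)
    if isnumeric(s1) then
        killc = formatnumber(s1, 2, -1, 0, 0)
    else
        killc = 0
    end if
end function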

' Strips every single quote from a string parameter and trims surrounding
' spaces; an empty string is returned unchanged.
function killw(byval s1)
    If Len(s1) = 0 Then killw = "" Else killw = Trim(Replace(s1, "'", ""))
end function

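' HTML-encodes a string parameter for output in a page: &, <, >, " and ' become
' entities, carriage returns are dropped, line feeds become <br> and spaces
' become &nbsp;. Surrounding spaces are trimmed first. An empty string is
' returned unchanged.
' The page rendering appears to have turned the entity literals of the original
' listing back into the characters themselves, so the shown code read as
' identity replacements (e.g. replace ">" with ">"); this version restores the
' entities. It also fixes the order: the original replaced "&" only after "<",
' ">" and the quotes had already become entities, so "&lt;" turned into
' "&amp;lt;", and the "<br>" inserted for a line feed was itself encoded.
' "&" has to be encoded first and the line-break markup inserted last.
' The original's Trim ran after spaces had already become &nbsp; and could no
' longer remove anything; it now runs first. The missing apostrophe on the
' function line's comment is restored.
function killbad(byval s1)
    dim r
    If len(s1) = 0 then
        killbad = ""
    else
        r = trim(s1)
        r = replace(r, "&", "&amp;")      ' first, so the entities below are not re-encoded
        r = replace(r, "<", "&lt;")
        r = replace(r, ">", "&gt;")
        r = replace(r, Chr(34), "&quot;")
        r = replace(r, Chr(39), "&#39;")
        r = replace(r, Chr(13), "")
        r = replace(r, Chr(10), "<br>")   ' after "<" and ">" so the tag survives
        r = replace(r, Chr(32), "&nbsp;")
        killbad = r
    end if
end function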


 
