几种过滤URL和FORM中非法字符的方法

ASP

过滤URL和FORM中非法字符

第一种:

< %
' 检查URL输入 限制非法字符
url = LCase (request.querystring())
ip
= request.ServerVariables( " REMOTE_ADDR " )
pos1
= instr (url, " % " )
pos2
= instr (url, " ' " )
pos3
= instr (url, " ; " )
pos4
= instr (url, " where " )
pos5
= instr (url, " select " )
pos6
= instr (url, " chr " )
pos7
= instr (url, " / " )
pos8
= Instr (url, " and " )
if  pos1 <> 0   or  pos2 <> 0   or  pos3 <> 0   or  pos4 <> 0   or  pos5 <> 0   or  pos6 <> 0   or  pos7 <> 0   or   pos8 <> 0   then
response.Write 
" 你尝试使用危险字符,系统已经对此做了记录如下
您的IP:
" & ip & "
操作时间:
" & date () & ""
response.End()
end   if

' 检查表单输入,限制非法字符
'
使用request.QueryString来索引request的所有资料,作为SQL检查之用
'
如出现非法字符则自动停止输出
for  i_request  =   1   to  request.form.Count
if   instr (request.form(i_request), " ' " ) <> 0   or   instr (request.form(i_request), " ; " ) <> 0   then
Response.Write 
" history.back(); alert('你尝试使用危险字符,系统已经对此做了记录如下您的IP: " & ip & " 操作时间: " & date () & " '); "
response.End()
end   if
next

%
>

 

第二种:

 

< %
On   Error   Resume   Next

dim  sql_injdata,sql_inj,sql_get,sql_data
SQL_injdata
= " '|ox "
SQL_inj 
=   split (SQL_Injdata, " | " )
' 定义过滤字符,可以自己添加,以|分隔
'
"'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
'
对post方式过滤
If  Request.Form <> ""   Then
For   Each  Sql_Post In Request.Form
For  SQL_Data = 0   To   Ubound (SQL_inj)
if   instr (Request.Form(Sql_Post),Sql_Inj(Sql_DATA)) > 0   Then
Response.redirect 
" ss "   ' 出错时转向页面
Response.end
end   if
next
next
end   if

' 对GET方式过滤
If  Request.QueryString <> ""   Then
For   Each  SQL_Get In Request.QueryString
For  SQL_Data = 0   To   Ubound (SQL_inj)
if   instr (Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA)) > 0   Then
Response.redirect 
" ss "   ' 出错时转向页面
Response.end
end   if
next
Next
End   If

%
>

第三种:

 

function  checkstr(str)  ' 过滤非法字符函数
dim  tempstr
if  str = ""   then   exit   function
tempstr
= replace (str, chr ( 34 ), "" '  "
tempstr = replace (tempstr, chr ( 39 ), "" '  '
tempstr = replace (tempstr, chr ( 60 ), "" '  <
tempstr = replace (tempstr, chr ( 62 ), "" '  >
tempstr = replace (tempstr, chr ( 37 ), "" '  %
tempstr = replace (tempstr, chr ( 38 ), "" '  &
tempstr = replace (tempstr, chr ( 40 ), "" '  (
tempstr = replace (tempstr, chr ( 41 ), "" '  )
tempstr = replace (tempstr, chr ( 59 ), "" '  ;
tempstr = replace (tempstr, chr ( 43 ), "" '  +
tempstr = replace (tempstr, chr ( 45 ), "" '  -
tempstr = replace (tempstr, chr ( 91 ), "" '  [
tempstr = replace (tempstr, chr ( 93 ), "" '  ]
tempstr = replace (tempstr, chr ( 123 ), "" '  {
tempstr = replace (tempstr, chr ( 125 ), "" '  }
checkstr = tempstr
end function

 第四种:

 

' ================================================
' 函数名:IsValidStr
' 作 用:判断字符串中是否含有非法字符
' 参 数:str ----原字符串
' 返回值:False‚True -----布尔值
' ================================================
Public   Function  IsValidStr(ByVal str)
IsValidStr 
=   False
On   Error   Resume   Next
If   IsNull (str)  Then   Exit   Function
If   Trim (str)  =   Empty   Then   Exit   Function
Dim  ForbidStr‚ i
ForbidStr 
=   " and|chr|:|=|%|&|$|#|@|+|-|*|/|/|<|>|;|‚|^| "   &   Chr ( 32 &   " | "   &   Chr ( 34 &   " | "   &   Chr ( 39 &   " | "   &   Chr ( 9 )
ForbidStr 
=   Split (ForbidStr‚  " | " )
For  i  =   0   To   UBound (ForbidStr)
If   InStr ( 1 ‚str‚ ForbidStr(i)‚ 1 >   0   Then
IsValidStr 
=   False
Exit   Function
End   If
Next
IsValidStr 
=   True
End Function

 

ASP.NET

 

public  boolean checkParameter(String para)  // 过滤非法字符
     {
        
int flag = 0;
        flag 
+= para.indexOf("'"+ 1;
        flag 
+= para.indexOf(";"+ 1;
        flag 
+= para.indexOf("1=1"+ 1;
        flag 
+= para.indexOf("|"+ 1;
        flag 
+= para.indexOf("<"+ 1;
        flag 
+= para.indexOf(">"+ 1;
        
if (flag != 0)
        
{
            System.
out.println("提交了非法字符!!!");
            
return false;
        }

        
return true;
    }

你可能感兴趣的:(ASP.net,ASP)