ASP injection problem

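Source: Baidu Zhidao  Editor: UC Zhidao  Time: 2024/07/06 11:16:18
I set up a small site, but once it was finished a scan found an injection vulnerability. Could an expert help me fix it and tell me whether there is a good solution? I would be very grateful. My QQ: 11886661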

<%

response.write rs("title")&"</a>"
if trim(rs("firstImageName"))<>"" then
response.write " <img src='news/images/news.gif' border=0>"
end if
%>
<a title="<%=rs("addtime")%>"><font color=#cccccc><i>(<%=FormatDateTime(rs("addtime"),vbshortdate)%> 浏览:<%=rs("hits")%>

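Preventing SQL injection is really just a matter of blocking certain executable statements, such as select, execute and so on. Here is the commonly used code: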

<%
Dim SQL_injdata,SQL_inj,SQL_Get,SQL_Data,Sql_Post

' Blacklisted tokens, separated by "|"
SQL_injdata =":|;|>|<|--|sp_|xp_|\|dir|cmd|^|(|)|+|$|'|copy|format|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = split(SQL_Injdata,"|")

' Block illegal characters in address-bar (query string) parameters:

If Request.QueryString<>"" Then
    For Each SQL_Get In Request.QueryString
        For SQL_Data=0 To Ubound(SQL_inj)
            ' vbTextCompare makes the match case-insensitive
            if instr(1,Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA),vbTextCompare)>0 Then
                Response.Write "非法访问"   ' "Illegal access"
                Response.end
            end if
        next
    Next
End If

' Block illegal characters in submitted form fields:

If Request.Form<>"" Then
    For Each Sql_Post In Request.Form
        For SQL_Data=0 To Ubound(SQL_inj)
            if instr(1,Request.Form(Sql_Post),Sql_Inj(Sql_DATA),vbTextCompare)>0 Then
                Response.Write "非法访问"   ' "Illegal access"
                Response.end
            end if
        next
    Next
End If
%>
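
An added example, not part of the original answer or the asker's site: in classic ASP the query itself can be parameterized with ADODB.Command, so request input is bound as typed data instead of being concatenated into the SQL text, and the result does not depend on a keyword list. The connection string, the `news` table, its `id` column and the `id` query-string parameter are assumptions; `title` is a field shown in the question's code.

```vbscript
<%
' Added example. Assumed names: the connection string, table "news",
' column "id" and query-string parameter "id". Field "title" is from the question.
Const adCmdText = 1      ' ADO CommandTypeEnum
Const adInteger = 3      ' ADO DataTypeEnum
Const adParamInput = 1   ' ADO ParameterDirectionEnum

Dim rawId, re, conn, cmd, rs

' 1. Validate the input as what it is supposed to be: a short non-negative integer.
'    An allow-list on the expected shape replaces guessing at bad keywords.
rawId = Trim(Request.QueryString("id"))
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"          ' at most 9 digits, so CLng cannot overflow
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' 2. Bind the value as a typed parameter; the SQL text never contains user input.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "YOUR_CONNECTION_STRING"   ' placeholder, replace with the site's own

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT title FROM news WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , CLng(rawId))

Set rs = cmd.Execute
If Not rs.EOF Then
    ' 3. Encode on output so a stored value cannot inject markup into the page.
    '    (& "" turns a Null field into an empty string before encoding.)
    Response.Write Server.HTMLEncode(rs("title") & "")
End If

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

Text parameters are bound the same way with a string type and an explicit size in `CreateParameter`, so legitimate input containing words such as "and" or "select" is stored and returned unchanged.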