用途
- 將表單以 GET 或 POST 模式送出的參數，在進入 SQL 或其它處理前預先攔截。如果發現有異常的表單變數，就轉址到 SafeUrlCheckError.asp
程式碼
SafeUrlCheck.asp
<%
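' IsSafeUrlCheck
' Returns True when no value in Request.Form or Request.QueryString
' contains one of the blocked substrings, False on the first hit.
' Values are lower-cased before the compare; the token list is lower-case.
'
' Limitations a maintainer should keep in mind:
'   - Plain substring match: "description" contains "script", so some
'     legitimate input is rejected (false positives).
'   - A fixed blacklist does not make string-concatenated SQL safe; the
'     durable control is parameterized queries (ADODB.Command parameters)
'     plus output encoding. Treat this as a coarse pre-filter only.
'   - Only Request.Form and Request.QueryString are inspected.
Function IsSafeUrlCheck()
    Dim arrTokens, i
    ' Blocked substrings, compared against lower-cased input. No trailing
    ' "" sentinel is needed: the helper iterates by UBound.
    arrTokens = Array("script", "exec", "declare")
    ' Default to "unsafe" so an early Exit Function returns False.
    IsSafeUrlCheck = False
    ' POST body values (checked first, as in the original).
    For i = 1 To Request.Form.Count
        If SafeUrlCheck_HasBlockedToken(Request.Form.Item(i), arrTokens) Then Exit Function
    Next
    ' Query-string values.
    For i = 1 To Request.QueryString.Count
        If SafeUrlCheck_HasBlockedToken(Request.QueryString.Item(i), arrTokens) Then Exit Function
    Next
    IsSafeUrlCheck = True
End Function

' SafeUrlCheck_HasBlockedToken
' True when LCase(strValue) contains any non-empty entry of arrTokens.
' Empty entries are skipped because InStr with an empty search string
' returns 1, which would reject every value.
Function SafeUrlCheck_HasBlockedToken(strValue, arrTokens)
    Dim strLower, x
    SafeUrlCheck_HasBlockedToken = False
    strLower = LCase(strValue)
    For x = 0 To UBound(arrTokens)
        If Len(arrTokens(x)) > 0 Then
            If InStr(strLower, arrTokens(x)) >= 1 Then
                SafeUrlCheck_HasBlockedToken = True
                Exit Function
            End If
        End If
    Next
End Function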
' Gate executed at include time, i.e. before the including page's own
' code runs. The redirect target is a fixed site-local path, so there is
' no open-redirect exposure here.
If Not IsSafeUrlCheck() Then
    Response.Redirect "/SafeUrlCheckError.asp"
    Response.End
End If
%>
用法
<!--#include file="SafeUrlCheck.asp" -->
相關
<%
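' Blacklist pre-filter for query-string and form values.
' Every value is compared case-insensitively against the "|"-separated
' tokens in SQL_injdata; on the first hit a fixed alert is written, the
' browser is sent back one page and the response ends.
'
' Fixes relative to the earlier version:
'   - InStr was called with its default binary compare, so matching
'     depended on letter case; vbTextCompare makes it case-insensitive,
'     consistent with the LCase() used in SafeUrlCheck.asp.
'   - The closing tag in the written script was mangled ("& lt;/Script>"),
'     leaving the inline JavaScript syntactically broken.
'
' Limitations a maintainer should know:
'   - Plain substring match: "and" also hits "android", "chr" hits
'     "christmas", and "*" / "%" reject any value that uses them legitimately.
'   - A blacklist cannot make string-concatenated SQL safe; the durable
'     control is parameterized queries (ADODB.Command parameters). Keep
'     this as a coarse first line only.
'   - Only Request.QueryString and Request.Form are inspected.
' The alert text is a constant and no request data is echoed back, so the
' Response.Write below does not itself reflect input into the page.
Dim SQL_injdata, SQL_inj
SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|daxia123|<script|/script>"
SQL_inj = Split(SQL_injdata, "|")

' SqlInj_ContainsToken
' True when strValue contains any non-empty token of SQL_inj. Empty tokens
' are skipped because InStr with an empty search string returns 1.
Function SqlInj_ContainsToken(strValue)
    Dim SQL_Data
    SqlInj_ContainsToken = False
    For SQL_Data = 0 To UBound(SQL_inj)
        If Len(SQL_inj(SQL_Data)) > 0 Then
            If InStr(1, strValue, SQL_inj(SQL_Data), vbTextCompare) > 0 Then
                SqlInj_ContainsToken = True
                Exit Function
            End If
        End If
    Next
End Function

' SqlInj_Reject
' Writes the fixed warning script, sends the browser back one page and
' stops processing of the current response.
Sub SqlInj_Reject()
    Response.Write "<Script Language='javascript'>alert('请不要在参数中包含非法字符尝试注入!');history.back(-1)</Script>"
    Response.End
End Sub

Dim SQL_Get, Sql_Post
' For Each over an empty collection simply does nothing, so the former
' Request.QueryString <> "" / Request.Form <> "" guards are not needed.
For Each SQL_Get In Request.QueryString
    If SqlInj_ContainsToken(Request.QueryString(SQL_Get)) Then SqlInj_Reject
Next
For Each Sql_Post In Request.Form
    If SqlInj_ContainsToken(Request.Form(Sql_Post)) Then SqlInj_Reject
Next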
%>