ASP and ASP.NET experts, please advise: injection filtering

Source: Baidu Wenku   Editor: 杭州交通信息网   Time: 2024/05/05 23:47:15
Can the following two functions completely filter out SQL injection?
<%
' Replacement strings below are shown in the HTML entity form this widely copied
' function uses (&gt;, sel&#101;ct, ...); the rendered copy of the page had decoded
' them to plain characters, which would have made every Replace a no-op.
Function SafeSql(Str) ' Submission filter. This is the one: can it completely filter SQL injection?
    Str = Replace(Str, ">", "&gt;")
    Str = Replace(Str, "<", "&lt;")
    Str = Replace(Str, "&", "&amp;") ' filter &
    Str = Replace(Str, "\", "&#92;")
    Str = Replace(Str, "--", "&#45;&#45;")
    Str = Replace(Str, CHR(32), "&nbsp;")
    Str = Replace(Str, CHR(9), "&nbsp;")
    Str = Replace(Str, CHR(34), "&quot;")
    Str = Replace(Str, "'", "&#39;") ' filter '
    Str = Replace(Str, CHR(13), "")
    Str = Replace(Str, CHR(10) & CHR(10), "</P><P> ")
    Str = Replace(Str, CHR(10), "<BR> ")
    Str = Replace(Str, "select", "sel&#101;ct")
    Str = Replace(Str, "join", "jo&#105;n")
    Str = Replace(Str, "union", "un&#105;on")
    Str = Replace(Str, "where", "wh&#101;re")
    Str = Replace(Str, "insert", "ins&#101;rt")
    Str = Replace(Str, "delete", "del&#101;te")
    Str = Replace(Str, "update", "up&#100;ate")
    Str = Replace(Str, "like", "lik&#101;")
    Str = Replace(Str, "drop", "dro&#112;")
    Str = Replace(Str, "create", "cr&#101;ate")
    Str = Replace(Str, "modify", "mod&#105;fy")
    Str = Replace(Str, "rename", "ren&#097;me")
    Str = Replace(Str, "alter", "alt&#101;r")
    Str = Replace(Str, "cast", "ca&#115;t")
    SafeSql = Str
End Function

Function HTMLDecode(refStringing) ' HTML decoding function: reverses every substitution SafeSql makes
    Dim fString: fString = refStringing
    If Not IsNull(fString) Then
        fString = Replace(fString, "&amp;", "&")
        fString = Replace(fString, "&gt;", ">")
        fString = Replace(fString, "&lt;", "<")
        fString = Replace(fString, "&quot;", CHR(34))
        fString = Replace(fString, "&#92;", "\")
        fString = Replace(fString, "&#45;&#45;", "--")
        fString = Replace(fString, "&nbsp;", " ")
        fString = Replace(fString, "&#39;", "'")
        fString = Replace(fString, "</P><P>", CHR(13)) ' tag restored; the rendered copy showed an empty string here
        fString = Replace(fString, "<br>", CHR(10))
        fString = Replace(fString, "sel&#101;ct", "select")
        fString = Replace(fString, "jo&#105;n", "join")
        fString = Replace(fString, "un&#105;on", "union")
        fString = Replace(fString, "wh&#101;re", "where")
        fString = Replace(fString, "ins&#101;rt", "insert")
        fString = Replace(fString, "del&#101;te", "delete")
        fString = Replace(fString, "up&#100;ate", "update")
        fString = Replace(fString, "lik&#101;", "like")
        fString = Replace(fString, "dro&#112;", "drop")
        fString = Replace(fString, "cr&#101;ate", "create")
        fString = Replace(fString, "mod&#105;fy", "modify")
        fString = Replace(fString, "ren&#097;me", "rename")
        fString = Replace(fString, "alt&#101;r", "alter")
        fString = Replace(fString, "ca&#115;t", "cast")
        HTMLDecode = fString
    End If
End Function
%>
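An added test harness, not part of the original post, that answers the question by execution rather than by reading. SafeSqlPort is the posted SafeSql copied into a table (same pairs, same order, with the HTML entity forms the function uses), so its output is what the posted function produces. The payloads are constructed. Three things it makes visible: VBScript's Replace without a compare argument is case-sensitive, so UNION and SELECT in upper case pass untouched; the list omits OR, FROM and the rest of the SQL grammar, and /**/ is legal whitespace in T-SQL, so the Chr(32) and Chr(9) substitutions do not help; and because & is encoded after < and >, markup comes out double-encoded (&amp;lt;). One more point that needs no run: HTMLDecode reverses every substitution, so a value stored after SafeSql and later decoded and concatenated into another query gets its quote back (second-order injection).

```vbscript
' Added harness, not code from the thread. Run with:
'   cscript //nologo safesql_test.vbs
Option Explicit

' Table-driven copy of the posted SafeSql: same pairs, same order.
Function SafeSqlPort(s)
    Dim pairs, i
    pairs = Array( _
        ">", "&gt;", "<", "&lt;", "&", "&amp;", "\", "&#92;", "--", "&#45;&#45;", _
        Chr(32), "&nbsp;", Chr(9), "&nbsp;", Chr(34), "&quot;", "'", "&#39;", _
        Chr(13), "", Chr(10) & Chr(10), "</P><P> ", Chr(10), "<BR> ", _
        "select", "sel&#101;ct", "join", "jo&#105;n", "union", "un&#105;on", _
        "where", "wh&#101;re", "insert", "ins&#101;rt", "delete", "del&#101;te", _
        "update", "up&#100;ate", "like", "lik&#101;", "drop", "dro&#112;", _
        "create", "cr&#101;ate", "modify", "mod&#105;fy", "rename", "ren&#097;me", _
        "alter", "alt&#101;r", "cast", "ca&#115;t")
    For i = 0 To UBound(pairs) Step 2
        ' No compare argument means vbBinaryCompare: matching is case-sensitive.
        s = Replace(s, pairs(i), pairs(i + 1))
    Next
    SafeSqlPort = s
End Function

' True when the filter hands the payload on exactly as the attacker wrote it.
Function PassesUntouched(payload)
    PassesUntouched = (SafeSqlPort(payload) = payload)
End Function

Sub Main()
    Dim p
    ' Constructed payloads for a numeric parameter used as
    '   "SELECT ... WHERE id=" & Request("id")
    ' /**/ is whitespace to T-SQL, so no Chr(32) or Chr(9) is needed,
    ' and OR / FROM are not in the keyword list at all.
    For Each p In Array( _
            "1/**/OR/**/1=1", _
            "1/**/UNION/**/SELECT/**/name/**/FROM/**/users", _
            "1 union select 1", _
            "<b>")
        WScript.Echo "input    : " & p
        WScript.Echo "output   : " & SafeSqlPort(p)
        WScript.Echo "untouched: " & PassesUntouched(p) & vbCrLf
    Next
End Sub

Main
```

The first two payloads come back with untouched = True; the lower-case third one is mangled, which is the only case the keyword list covers; the fourth shows the &amp;lt; double encoding. So the answer to the question is no: the function is an HTML encoder with a keyword blacklist, and neither part makes concatenating user input into SQL text safe.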

No need to make it this complicated.
First, it's best to make all GET values numeric,
then use the IsNumeric function to check whether the passed value is a number.
If it is a number, let it through; then it can't be injected.

Actually, checking the URL is the best method, and it can also prevent cross-site scripting, but I don't remember how to do it. A while ago I saw a few lines of classic code for it online. Excellent.

Completely sufficient.

But these days I generally use stored procedures.
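An added example, not code from any of the replies, showing the two things the replies above point at done without any keyword filter: a strict numeric check for a GET parameter, then a query and a stored procedure executed with bound ADO parameters. The schema is hypothetical (table news with columns id and title, procedure sp_search_news taking @keyword), conn is assumed to be an ADODB.Connection opened elsewhere on the page, and the ADO constants are the standard ones from adovbs.inc. Two caveats built in: IsNumeric is looser than "digits only" (it also accepts forms such as "1e3" and "&H1F"), so the check whitelists digits and converts with CLng; and a stored procedure only helps when its arguments are bound as parameters, since "EXEC sp_search_news '" & keyword & "'" is injectable again, as is a procedure that builds dynamic SQL from its argument internally.

```vbscript
<%
' Added example (hypothetical schema and procedure name; conn opened elsewhere).
Option Explicit

' ADO constants, normally taken from adovbs.inc or the ADO type library.
Const adCmdText = 1
Const adCmdStoredProc = 4
Const adInteger = 3
Const adVarWChar = 202
Const adParamInput = 1

Dim conn ' ADODB.Connection opened earlier on the page (not shown)

' Digits-only whitelist, then a real Long. IsNumeric alone would also
' accept "1e3", "&H1F" and similar, which is not what an id looks like.
Function TryParseId(raw, ByRef id)
    Dim re
    TryParseId = False
    raw = CStr(raw & "") ' Empty/Null from a missing parameter becomes ""
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    If re.Test(raw) Then
        id = CLng(raw)
        TryParseId = True
    End If
End Function

' Parameterised query: the id travels as a typed parameter, never as SQL text,
' so no quoting, escaping or keyword filtering is involved at all.
Function FetchNewsTitle(conn, rawId)
    Dim id, cmd, rs
    FetchNewsTitle = Empty
    If Not TryParseId(rawId, id) Then Exit Function
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT title FROM news WHERE id = ?"
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , id)
    Set rs = cmd.Execute
    If Not rs.EOF Then FetchNewsTitle = rs("title")
    rs.Close
End Function

' Stored procedure with a bound parameter: the safe form of "use stored
' procedures". Free text such as a search keyword needs no filtering either;
' the size (100) must match the procedure's parameter declaration.
Function SearchNews(conn, keyword)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "sp_search_news" ' hypothetical procedure name
    cmd.Parameters.Append cmd.CreateParameter("keyword", adVarWChar, adParamInput, 100, CStr(keyword & ""))
    Set SearchNews = cmd.Execute
End Function

' Usage: HTML encoding belongs at output time, not in the SQL path.
Dim title
title = FetchNewsTitle(conn, Request.QueryString("id"))
If IsEmpty(title) Then
    Response.Status = "404 Not Found"
Else
    Response.Write Server.HTMLEncode(title)
End If
%>
```

With this in place the SafeSql/HTMLDecode pair from the question is unnecessary for the database: input is validated for shape where a shape exists (the id), bound as a parameter everywhere, and encoded only when written back into the page.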