网站安全

goback add

网站如何防SQL注入

4453 点击·0 回帖

灯火互联

楼主


	网站如何防SQL注入步骤/方法第一种： squery=lcase(Request.ServerVariables("QUERY_STRING")) sURL=lcase(Request.ServerVariables("HTTP_HOST")) SQL_injdata =":\|;\|>\|<\|--\|sp_\|xp_\|\|dir\|cmd\|^\|(\|)\|+\|$\|'\|copy\|format\|and\|exec\|insert\|select\|delete\|update\|count\|\|%\|chr\|mid\|master\|truncate\|char\|declare" SQL_inj = split(SQL_Injdata,"\|") For SQL_Data=0 To Ubound(SQL_inj) if instr(squery;sURL,Sql_Inj(Sql_DATA))>0 Then Response.Write "SQL通用防注入系统" Response.end end if next 第二种： SQL_injdata =":\|;\|>\|<\|--\|sp_\|xp_\|\|dir\|cmd\|^\|(\|)\|+\|$\|'\|copy\|format\|and\|exec\|insert\|select\|delete\|update\|count\|\|%\|chr\|mid\|master\|truncate\|char\|declare" SQL_inj = split(SQL_Injdata,"\|") If Request.QueryString<>"" Then For Each SQL_Get In Request.QueryString For SQL_Data=0 To Ubound(SQL_inj) if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then Response.Write "SQL通用防注入系统" Response.end end if next Next End If If Request.Form<>"" Then For Each Sql_Post In Request.Form For SQL_Data=0 To Ubound(SQL_inj) if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 Then Response.Write "SQL通用防注入系统" Response.end end if next next end if 第三种 <% '--------定义部份------------------ Dim Str_Post,Str_Get,Str_In,Str_Inf,Str_Xh,Str_db,Str_dbstr '自定义需要过滤的字串,用 "■"分离 Str_In = "'■;■and■exec■insert■select■delete■update■count■■%■chr■mid■master■truncate■char■declare" '---------------------------------- %> <% Str_Inf = split(Str_In,"■") '--------POST部份------------------ If Request.Form<>"" Then For Each Str_Post In Request.Form For Str_Xh=0 To Ubound(Str_Inf) If Instr(LCase(Request.Form(Str_Post)),Str_Inf(Str_Xh))<>0 Then '--------写入数据库----------头----- Str_dbstr="DBQ="+server.mappath("SqlIn.mdb")+";DefaultDir=;DRIVER={Microsoft Access Driver (.mdb)};" Set Str_db=Server.CreateObject("ADODB.CONNECTION") Str_db.open Str_dbstr Str_db.Execute("insert into SqlIn(Sqlin_IP,SqlIn_web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('";Request.ServerVariables("REMOTE_ADDR");"','";Request.ServerVariables("URL");"','POST','";Str_Post;"','";replace(Request.Form(Str_Post),"'","''");"')") Str_db.close Set Str_db = Nothing '--------写入数据库----------尾----- Response.Write "<Script Language=javaScript>alert('请不要在参数中包含非法字符尝试注入！');</Script>" Response.Write "非法操作！系统做了如下记录:<br>" Response.Write "操作IP：";Request.ServerVariables("REMOTE_ADDR");"<br>" Response.Write "操作时间：";Now;"<br>" Response.Write "操作页面：";Request.ServerVariables("URL");"<br>" Response.Write "提交方式：POST<br>" Response.Write "提交参数：";Str_Post;"<br>" Response.Write "提交数据：";Request.Form(Str_Post) Response.End End If Next Next End If '---------------------------------- '--------GET部份------------------- If Request.QueryString<>"" Then For Each Str_Get In Request.QueryString For Str_Xh=0 To Ubound(Str_Inf) If Instr(LCase(Request.QueryString(Str_Get)),Str_Inf(Str_Xh))<>0 Then '--------写入数据库----------头----- Str_dbstr="DBQ="+server.mappath("SqlIn.mdb")+";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};" Set Str_db=Server.CreateObject("ADODB.CONNECTION") Str_db.open Str_dbstr Str_db.Execute("insert into SqlIn(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('";Request.ServerVariables("REMOTE_ADDR");"','";Request.ServerVariables("URL");"','GET','";Str_Get;"','";replace(Request.QueryString(Str_Get),"'","''");"')") Str_db.close Set Str_db = Nothing '--------写入数据库----------尾----- Response.Write "<Script Language=javaScript>alert('请不要在参数中包含非法字符尝试注入！);</Script>" Response.Write "非法操作！系统做了如下记录:<br>" Response.Write "操作IP：";Request.ServerVariables("REMOTE_ADDR");"<br>" Response.Write "操作时间：";Now;"<br>" Response.Write "操作页面：";Request.ServerVariables("URL");"<br>" Response.Write "提交方式：GET<br>" Response.Write "提交参数：";Str_Get;"<br>" Response.Write "提交数据：";Request.QueryString(Str_Get) Response.End End If Next Next End If %> 注意事项第3中方法需要你自己建个数据库表

喜欢0 评分0

回复

您需要登录后才可以回帖，登录或者注册