ASP上两个防止SQL注入式攻击Function

function ForSqlForm()

dim fqys,errc,i,items

dim nothis(18)

nothis(0)="net user"



nothis(1)="xp_cmdshell"



nothis(2)="/add"



nothis(3)="exec%20master.dbo.xp_cmdshell"



nothis(4)="net localgroup administrators"



nothis(5)="select"



nothis(6)="count"



nothis(7)="asc"



nothis(8)="char"



nothis(9)="mid"



nothis(10)="'"



nothis(11)=":"



nothis(12)=""""



nothis(13)="insert"



nothis(14)="delete"



nothis(15)="drop"



nothis(16)="truncate"



nothis(17)="from"



nothis(18)="%"



'nothis(19)="@"



errc=false



for i= 0 to ubound(nothis)

for each items in request.Form

if instr(request.Form(items),nothis(i))<>0 then

response.write("<div>")

response.write("你所填写的信息:" & server.HTMLEncode(request.Form(items)) & "<br>含非法字符:" & nothis(i))

response.write("</div>")

response.write("对不起,你所填写的信息含非法字符！<a href=""#"" onclick=""history.back()"">返回</a>")

response.End()

end if

next

next

end function

'==========================

'过滤查询中的SQL

'==========================

function ForSqlInjection()

dim fqys,errc,i

dim nothis(19)

fqys = request.ServerVariables("QUERY_STRING")

nothis(0)="net user"



nothis(1)="xp_cmdshell"



nothis(2)="/add"



nothis(3)="exec%20master.dbo.xp_cmdshell"



nothis(4)="net localgroup administrators"



nothis(5)="select"



nothis(6)="count"



nothis(7)="asc"



nothis(8)="char"



nothis(9)="mid"



nothis(10)="'"



nothis(11)=":"



nothis(12)=""""



nothis(13)="insert"



nothis(14)="delete"



nothis(15)="drop"



nothis(16)="truncate"



nothis(17)="from"



nothis(18)="%"



nothis(19)="@"



errc=false



for i= 0 to ubound(nothis)



if instr(FQYs,nothis(i))<>0 then



errc=true



end if



next



if errc then

response.write "查询信息含非法字符！<a href=""#"" onclick=""history.back()"">返回</a>"

response.end



end if



end function