|
|
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TR>
<TD> <BR>一个可以通用的防注入脚本程序<BR>SQL注入攻击的的通用防护了!好了 看下面的程序~<BR><BR>for each item in request.form<BR>stritem=lcase(server.HTMLEncode(Request.form(item)))<BR>if instr(stritem,"select ")>=1 or instr(stritem,"insert ")>=1 or instr(stritem,"update ")>=1 or instr(stritem,"delete ")>=1 or instr(stritem,"exec ")>=1 or instr(stritem,"declare ")>=1 then<BR>response.write ("对不起,请不要输入非法字符!")<BR>response.end<BR>end if<BR>next<BR>我屏蔽了表单来防止注入攻击<BR>在此基础上我又想到了'屏蔽通过地址栏攻击<BR>url=Request.ServerVariables("QUERY_STRING")<BR>if instr(url,";")>=1 then<BR>url=Replace(url,";",";") : Response.Redirect("?" ; url)<BR>end if<BR>呵呵 `这样防护,网站就比较安全了。<BR></TD></TR></TABLE> |
|
|Archiver|手机版|小黑屋|嘉缘软件官网
( 沪ICP备12042403号-2 )
发表于 2005-11-4 02:26:17
发表于 2005-11-30 01:31:01
