ASP anti-injection solution - enhanced version

xiaoxiao2021-03-06  20

<%
' ASP anti-injection solution (enhanced version)
' Special-page handling: some pages receive their input as a stream (for example a form that
' contains a file upload). Enumerating the Request.Form collection on such a page raises an
' error, so those pages have to be excluded from the form check; on them, call
' N_SQL("string to check") for each value you want checked instead.
' Garbage Pig  ZERO@new57.com  http://blog.9cbs.net/cfaq

' Put this file at the top of every page so that all pages are covered, for example by
' including it in conn.asp. If a page uses a stream upload, add it to the Page table so the
' FORM check is skipped for that page and does not conflict with the upload component.
' dbopen() and dbclose() are not defined here; they are expected to come from conn.asp and
' to open/close the ADODB connection object Conn.

Dim N_no, N_noarray, req_Qs, req_F, N_i, N_dbstr, Conn, N_rs, N_userIP, N_thispage
N_userIP = Request.ServerVariables("REMOTE_ADDR")
N_thispage = LCase(Request.ServerVariables("URL"))

' Blacklist of substrings, separated by "|"; you can modify this string yourself.
' Note that an empty entry must never appear here: InStr(s, "") returns 1, which would
' block every request.
N_no = "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
N_noarray = Split(LCase(N_no), "|")

Call dbopen()
Call N_check_qs()
Call N_checkpage()
Call dbclose()

' Detect whether the current page is a special page; if it is not, call N_check_form()
Sub N_checkpage()
    Set N_rs = Server.CreateObject("ADODB.Recordset")
    ' N_thispage is the server-side script path, but it is still quoted-escaped before
    ' being concatenated into the query.
    N_rs.Open "SELECT * FROM page WHERE spcpage LIKE '%" & Replace(N_thispage, "'", "''") & "%'", Conn, 1, 1
    If (N_rs.EOF And N_rs.BOF) Then
        Call N_check_form()
    End If
    N_rs.Close()
    Set N_rs = Nothing
End Sub

' Check a string passed in explicitly (use this on special / stream-upload pages).
' This variant does not log to the database; modify it yourself if you want logging.
Sub N_SQL(agsql)
    N_check "cus", agsql, "other"
End Sub

' Check Request.Form
Sub N_check_form()
    If Request.Form <> "" Then
        For Each req_F In Request.Form
            N_check req_F, Request.Form(req_F), "post"
        Next
    End If
End Sub

' Check Request.QueryString
Sub N_check_qs()
    If Request.QueryString <> "" Then
        For Each req_Qs In Request.QueryString
            N_check req_Qs, Request.QueryString(req_Qs), "get"
        Next
    End If
End Sub

' Check one value against the blacklist (case-insensitive substring match).
' ag      parameter name
' agsql   parameter content
' sqltype "get", "post" or "other"
Sub N_check(ag, agsql, sqltype)
    For N_i = 0 To UBound(N_noarray)
        If InStr(LCase(agsql), N_noarray(N_i)) <> 0 Then
            Call N_regsql(ag, agsql, sqltype)
        End If
    Next
End Sub

' Record the hit and stop output.
' ag      parameter name
' agsql   parameter content
' sqltype type
Sub N_regsql(ag, agsql, sqltype)
    If (sqltype <> "other") Then
        ' The value being logged is, by construction, attacker-controlled and very often
        ' contains a single quote, so every piece is quote-escaped with Replace(); without
        ' this the logging INSERT is itself injectable.
        Conn.Execute("INSERT INTO sqlin (sqlin_ip, sqlin_web, sqlin_fs, sqlin_cs, sqlin_sj) VALUES ('" _
            & Replace(N_userIP, "'", "''") & "', '" & Replace(N_thispage, "'", "''") & "', '" _
            & Replace(sqltype, "'", "''") & "', '" & Replace(ag, "'", "''") & "', '" _
            & Replace(agsql, "'", "''") & "')")
    End If
    ' The original message text was cut off in the source; the string below is a placeholder.
    Response.Write "Request blocked."
    Response.End
End Sub
%>
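The logging INSERT in N_regsql is the weak point of this script, since the value it stores is the very string that tripped the filter. As an added example (not part of the original script or the author's code), here is the same INSERT written with ADODB.Command parameters, so the value is passed to the driver as data and never spliced into SQL text; the same pattern is what the application's own queries should use, which makes the keyword blacklist a secondary control rather than the only one. It assumes Conn is an open ADODB.Connection from conn.asp, the sqlin table and columns from the page, and column sizes (15, 255, 10, 50, 4000) that are assumptions.

```vbscript
' Added example: parameterized version of the N_regsql log INSERT.
' Assumes Conn (open ADODB.Connection), N_userIP and N_thispage from the script above,
' and the sqlin table; the column sizes are assumptions about the schema.
Sub N_regsql_param(ag, agsql, sqltype)
    ' ADO constants (values from adovbs.inc): text command, input parameter, varchar type
    Const adCmdText = 1, adParamInput = 1, adVarChar = 200
    Dim cmd, logval

    ' Truncate to the assumed column size so an over-long value cannot make the insert fail
    logval = Left(agsql, 4000)

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO sqlin (sqlin_ip, sqlin_web, sqlin_fs, sqlin_cs, sqlin_sj) " & _
                      "VALUES (?, ?, ?, ?, ?)"

    ' CreateParameter(name, type, direction, size, value); size is required for varchar.
    ' Parameters bind positionally to the "?" placeholders, in the order appended.
    cmd.Parameters.Append cmd.CreateParameter("ip",  adVarChar, adParamInput, 15,   N_userIP)
    cmd.Parameters.Append cmd.CreateParameter("web", adVarChar, adParamInput, 255,  N_thispage)
    cmd.Parameters.Append cmd.CreateParameter("fs",  adVarChar, adParamInput, 10,   sqltype)
    cmd.Parameters.Append cmd.CreateParameter("cs",  adVarChar, adParamInput, 50,   ag)
    cmd.Parameters.Append cmd.CreateParameter("sj",  adVarChar, adParamInput, 4000, logval)

    ' No quoting or escaping is needed: a quote inside agsql is stored as a quote.
    cmd.Execute
    Set cmd = Nothing

    Response.Write "Request blocked."   ' placeholder message, as in the script above
    Response.End
End Sub
```

Call it from N_check in place of N_regsql when sqltype is "get" or "post"; for "other" the original script intentionally does not log.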