<%
'ASP anti-injection solution
'Special page handling:
'Some pages receive their data as a stream (for example forms that contain file uploads).
'Enumerating the Form object on such a page causes an error,
'so those pages are filtered out; use SQL("string to check") in those pages instead.
'Garbage Pig ZERO@new57.com
'http://blog.9cbs.net/cfaq
'Source code download: http://www.new57.com/Softback/Sql.rar
'Include this page so that every page calls it, for example include it in Conn.asp.
'If there is a stream upload page, add that page to the table Page to avoid a Form conflict.

Dim N_no, N_noarray, req_Qs, req_F, N_i, N_dbstr, Conn, N_rs, N_userIP, N_thispage

N_userIP = Request.ServerVariables("REMOTE_ADDR")
N_thispage = LCase(Request.ServerVariables("URL"))

'Strings treated as signs of an injection attempt, separated by "|"; you can modify the list yourself.
N_no = "'|;|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
N_noarray = Split(LCase(N_no), "|")

'DBopen and DBclose are not part of the code shown here.
Call DBopen()
Call N_check_Qs()
Call N_checkPage()
Call DBclose()

'Check whether the current page is listed as a special page;
'N_check_form() is called only when it is not listed.
Sub N_checkPage()
    Set N_rs = Server.CreateObject("ADODB.Recordset")
    'N_thispage is concatenated into the SQL text here; a parameterized ADODB.Command is the safer form.
    N_rs.Open "Select * from page where spcpage like '%" & N_thispage & "%'", Conn, 1, 1
    If (N_rs.EOF And N_rs.BOF) Then
        Call N_check_form()
    End If
    N_rs.Close()
    Set N_rs = Nothing
End Sub

'Check a given string.
'This does not log to the database; change it yourself if you need that.
Sub N_sql(agsql)
    'Pass the supplied string (agsql) to the check, not the last query-string key.
    N_check "cus", agsql, "Other"
End Sub

'Check Request.Form
Sub N_check_form()
    If Request.Form <> "" Then
        For Each req_F In Request.Form
            N_check req_F, Request.Form(req_F), "post"
        Next
    End If
End Sub

'Check Request.QueryString
Sub N_check_Qs()
    If Request.QueryString <> "" Then
        For Each req_Qs In Request.QueryString
            N_check req_Qs, Request.QueryString(req_Qs), "GET"
        Next
    End If
End Sub

'Check one value against every entry in the list
Sub N_check(ag, agsql, sqltype)
    For N_i = 0 To UBound(N_noarray)
        If InStr(LCase(agsql), N_noarray(N_i)) <> 0 Then
            'The source page ends here; the handling of a match is not shown.
        End If
    Next
End Sub
%>
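
The lookup in N_checkPage builds its SQL text by concatenating the request URL. As an added example (not part of the original script), the same lookup written with a parameterized ADODB.Command. It assumes the script's `Conn` is already open and that the `page` table has the `spcpage` column; the names `N_isSpecialPage` and `N_likeLiteral` are introduced here, and the bracket escaping of LIKE wildcards assumes SQL Server or Access.

```vbscript
<%
' Added example, not part of the original script.
' Assumes Conn is an open ADODB.Connection and that table "page" has a
' text column "spcpage", as in the query used by N_checkPage.

Const adVarChar = 200      ' ADO DataTypeEnum
Const adParamInput = 1     ' ADO ParameterDirectionEnum
Const adCmdText = 1        ' ADO CommandTypeEnum

' Escape LIKE wildcards so the path is matched literally.
' "[" is replaced first so the brackets added for "%" and "_" are not re-escaped.
' Assumption: bracket escaping as supported by SQL Server and Access.
Function N_likeLiteral(s)
    Dim r
    r = Replace(s, "[", "[[]")
    r = Replace(r, "%", "[%]")
    r = Replace(r, "_", "[_]")
    N_likeLiteral = r
End Function

' Returns True when thisPage matches a row in the page table.
Function N_isSpecialPage(thisPage)
    Dim cmd, rs, pattern
    pattern = "%" & N_likeLiteral(thisPage) & "%"

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandType = adCmdText
    ' The value travels as a parameter and never becomes part of the SQL text.
    cmd.CommandText = "SELECT spcpage FROM page WHERE spcpage LIKE ?"
    cmd.Parameters.Append cmd.CreateParameter("p", adVarChar, adParamInput, _
        Len(pattern), pattern)

    Set rs = cmd.Execute
    N_isSpecialPage = Not (rs.EOF And rs.BOF)
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function
%>
```

The same pattern applies to every query in the application that takes request data: with values bound as parameters, the keyword list in `N_no` is no longer the only thing standing between input and the SQL text.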