This file can be included in the header of any ASP file that calls the database, to block illegal injection directly

xiaoxiao2021-03-06  21

<%
' This file can be included in the header of any ASP file that calls the database, to block illegal injection directly.
' Call method: Safe(str)

' This function checks whether the passed variable contains special characters; it returns True if it does not.
Function Safe(str)
    Dim s_badstr, n, i
    s_badstr = "&<>?%,;:()`~!@#$^{}[]|//-=" & Chr(34) & Chr(9) & Chr(32)
    n = Len(s_badstr)
    Safe = True
    For i = 1 To n
        If InStr(str, Mid(s_badstr, i, 1)) > 0 Then
            Safe = False
            Exit Function
        End If
    Next
End Function

' The following code checks directly whether the requested URL contains illegal characters.
On Error Resume Next
Dim strTemp
' Rebuild the full request URL: scheme, host, non-default port, path and query string.
If LCase(Request.ServerVariables("HTTPS")) = "off" Then
    strTemp = "http://"
Else
    strTemp = "https://"
End If
strTemp = strTemp & Request.ServerVariables("SERVER_NAME")
If Request.ServerVariables("SERVER_PORT") <> 80 Then strTemp = strTemp & ":" & Request.ServerVariables("SERVER_PORT")
strTemp = strTemp & Request.ServerVariables("URL")
If Trim(Request.QueryString) <> "" Then strTemp = strTemp & "?" & Trim(Request.QueryString)
strTemp = LCase(strTemp)
' Keyword blacklist, matched in lower case against the rebuilt URL (%20 is the URL-encoded space).
' Some entries of the original list are unreadable in the source and are omitted here.
If InStr(strTemp, "insert%20") Or InStr(strTemp, "delete%20from") Or InStr(strTemp, "drop%20table") _
   Or InStr(strTemp, "update%20") Or InStr(strTemp, "truncate%20") Or InStr(strTemp, "asc(") _
   Or InStr(strTemp, "mid(") Or InStr(strTemp, "xp_cmdshell") Or InStr(strTemp, "exec%20master") _
   Or InStr(strTemp, "net%20localgroup%20administrators") Or InStr(strTemp, "db_name(") _
   Or InStr(strTemp, "net%20user") Or InStr(strTemp, "'") Or InStr(strTemp, "%20or") _
   Or InStr(strTemp, "backup%20") Then
    Response.Write "Request rejected."   ' placeholder: the original message text is cut off in the source
    Response.End                         ' stop processing so the rest of the page is not served
End If
%>
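The filter above is a keyword blacklist that only inspects the URL, so a page that includes it should still hand user input to the database as a typed parameter instead of concatenating it into the SQL text. The following is an added example of such a page, not code from the original post; the table name "users", the column names and the connection string are assumed for illustration.

```asp
<%
Option Explicit
' Added example (not part of the original post). Assumes a SQL Server
' database "AppDb" with a table "users" (id integer, name text).
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

Dim strId
strId = Request.QueryString("id")

' Validate the type first: the parameter below is an integer, so anything
' that is not numeric is rejected before the database is ever contacted.
If Not IsNumeric(strId) Then
    Response.Write "Invalid id"
    Response.End
End If

Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
' Assumed connection string; replace with the application's own.
conn.Open "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=AppDb;Integrated Security=SSPI"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The value never becomes part of the SQL text: "?" is bound to a typed parameter,
' so characters such as the quote the filter above looks for cannot change the query.
cmd.CommandText = "SELECT name FROM users WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , CLng(strId))

Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output as well, so database content cannot inject script into the page.
    Response.Write Server.HTMLEncode(rs("name")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```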