½â¾öASP·ÀSQL×¢Èë¹¥»÷³ÌÐòÎÊÌâ

ÏÖÔڱȽÏÁ÷ÐеÄSQL×¢È빤¾ßµÄ¹¤×÷·½Ê½ÊÇͨ¹ýGETºÍPOSTÀ´Íê³É¾ßÌåµÄ×¢Èë¡£ÎÒÃÇ¿ÉÒÔ½«×¢ÈëʱËùÓõ½µÄÒ»ÇзûºÅ¹ýÂ˵ô¡£ÄÇôÎÒÃÇ¿ÉÒÔͨ¹ý¼òµ¥µÄÅжÏÓï¾äÀ´´ïµ½Ä¿µÄ¡£ÎÒÃÇÏÈÀ´¹ýÂËGET°É¡£
´úÂëÈçÏ£º
dim sql_injdata SQL_inj SQL_Get
SQL_injdata = "’|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = split(SQL_Injdata,"|")
If Request.QueryString<>"" Then
For Each SQL_Get In Request.QueryString
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then
Response.Write "<Script Language=JavaScript>alert(’Çë²»ÒªÔÚ²ÎÊýÖаüº¬·Ç·¨×Ö·û³¢ÊÔ×¢È룡’);history.back(-1)</Script>"
Response.end
end if
next
Next
End If
        ÕâÑùÎÒÃÇͨ¹ý¼òµ¥µÄÓï¾äÎÒÃǾͰÑһЩעÈëËù±ØÐëµÄÓï¾äºÍ·ûºÅ¹ýÂ˵ôÁË¡£·Ç³£Ð¡ÇÉÁé±ã£¬Ö»Òª²åµ½Ïñconn.aspÕâÑùÀàËƱ»µ÷ÓñȽϹ㷺µÄÒ³ÃæÖС£Í¬ÑùPOSTÎÒÃÇÒ²¿ÉÒÔͨ¹ýÈçÏ´úÂë¹ýÂË£¬ÎÒÃÇ¿ÉÒÔ½«Á½¶Î´úÂëÕûºÍµ½Ò»Æð¡£
ÎÒÃÇÀ´¿´¿´´úÂë°É£º
If Request.Form<>"" Then
For Each Sql_Post In Request.Form
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 Then
Response.Write "<Script Language=JavaScript>alert(’Çë²»ÒªÔÚ²ÎÊýÖаüº¬·Ç·¨×Ö·û³¢ÊÔ×¢È룡 ’);history.back(-1)</Script>"
Response.end
end if
next
next
end if
ÍøÉÏÓÖÁ÷ÐÐÒ»¸ö¼ÓÇ¿°æµÄASP·À×¢´úÂë¡£
´úÂëÈçÏ£º
<%
'ASP·À×¢ÈëÖ®½â¾ö·½°¸
'ÌØÊâÒ³Ãæ´¦Àí
'ÒòΪÓÐЩҳͨ¹ýÁ÷ʽ´«µÝ(±ÈÈ纬ÓÐÎļþÉÏ´«µÄ±íµ¥)
'Èç¹ûµ¥Ò»Ê¹ÓÃÇî¾ÙForm¶ÔÏóµÄ²Ù×÷¾Í»á³ö´í
'ËùÒÔÒª°ÑÕâЩҳÃæ¹ýÂ˳öÀ´,ͬʱÔÚÒ³ÃæÖÐʹÓÃsql("¼ì²âµÄ×Ö´®")²ÅÐÐ
'½«±¾Ò³ÓÃinclude·½·¨·ÅÔÚÍ·²¿ÒÔÈÃËùÓÐÒ³¶¼¿ÉÒÔµ÷ÓÃ,±ÈÈçincludeÔÚconn.aspÀï
'Èç¹ûÓÐÁ÷ʽÉÏ´«µÄÒ³ÃæÇë°Ñ¸ÃÒ³¼Óµ½±ípageÖÐ,ÒÔ·Àform³åÍ»
Dim N_no,N_noarray,req_Qs,req_F,N_i,N_dbstr,Conn,N_rs,N_userIP,N_thispage
N_userip = Request.ServerVariables("REMOTE_ADDR")
N_thispage = LCase(Request.ServerVariables("URL"))
N_no = "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare" '¿ÉÒÔ×Ô¼º