对 ASP 程序来说，输入过滤极为重要：每一个接收参数的页面都必须对输入做严格检查。下面以最常见的场景——过滤 POST 和 GET 提交的数据——为例说明。
说明：过滤规则要根据自己的实际情况分别对待，不存在 100% 可靠的过滤规则。下面是我总结的相对通用的黑名单规则，可以作为 ASP 程序纵深防御中的一层。需要强调的是，黑名单过滤本身并不能防住 SQL 注入——真正的防护是使用参数化查询（ADODB.Command 配合 Parameters），输出到页面时使用 Server.HTMLEncode；这段代码只能拦截最常见的攻击载荷，并且会误伤含有 select、from、count 等子串的正常输入。代码如下：
<%
'====================================================
'过滤POST非法字符
'====================================================
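' POSTKey - Blacklist check on the posted form body.
'
' Reads the whole Request.Form collection as one string, lower-cases it
' and, if any token from a fixed blacklist occurs anywhere in it, hands
' off to NewUrl (defined elsewhere in the application) and terminates the
' response. Takes no parameters and returns nothing.
'
' Changes versus the original: the fifteen IF lines are a token table,
' the scan stops at the first hit, and the dead "HK2 = 0" store before
' Response.End is gone. The token list and the message are unchanged.
'
' NOTE(review): this is a blacklist, not an injection defence. Request.Form
' is already URL-decoded by ASP, so "%27"/"%22" only match a double-encoded
' quote, and "and(" / "or(" are bypassed by inserting a space. "*" rejects
' any asterisk in any field. Use parameterised ADODB.Command queries and
' Server.HTMLEncode on output; keep this only as defence in depth.
Function POSTKey
    Dim body, tokens, i, found
    body = ""
    ' Original guard kept as-is: an empty form leaves body empty and
    ' therefore matches nothing.
    IF Trim(Request.Form) <> "" Then body = Trim(Request.Form)
    ' Lower-case once so every comparison below is case-insensitive
    ' (Instr's default compare is binary / case-sensitive).
    body = LCase(body)
    tokens = Array("%81", "%27", "%22", "*", "htw(", "count(", "htr(", _
                   "asc(", "mid(", "and(", "or(", "or%", "char(", _
                   "xp_cmdshell", "'")
    found = False
    For i = 0 To UBound(tokens)
        IF Instr(body, tokens(i)) <> 0 Then
            found = True
            Exit For
        End IF
    Next
    IF found Then
        ' Response.End guarantees the page stops here even if NewUrl only
        ' writes a message and returns.
        Call NewUrl (1,"您提交的数据中含有非法字符!","Backlash")
        Response.End
    End IF
End Function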
'====================================================
'过滤GET非法字符
'====================================================
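' GETKey - Blacklist check on the raw query string.
'
' Scans the QUERY_STRING server variable for a fixed list of SQL / shell
' fragments and, on a hit, hands off to NewUrl (defined elsewhere) and
' terminates the response. Takes no parameters and returns nothing.
'
' Fixes versus the original:
'  * the query string is lower-cased before matching, as POSTKey already
'    does; Instr's default compare is case-sensitive, so "SELECT" or
'    "Xp_CmdShell" previously passed untouched;
'  * Response.End follows NewUrl, as in POSTKey, so the page does not keep
'    processing a rejected request if NewUrl merely writes a message;
'  * the loop exits on the first hit.
' The token list and the message are unchanged.
'
' NOTE(review): QUERY_STRING is the raw, still-encoded string, so "'" and
' '"' only match literal quotes - "%27" / "%22" pass this check. Tokens
' such as "asc", "mid", "char", "count" and "from" also match inside
' ordinary words ("basic", "account", "from_home"), and ":" rejects any
' colon. This is a blacklist; real injection protection is parameterised
' queries.
Function GETKey
    Dim nothis, FQYs, Errc, i
    FQYs = LCase(Request.Servervariables("query_string"))
    nothis = Array("net user", "xp_cmdshell", "/add", _
                   "exec%20master.dbo.xp_cmdshell", _
                   "net localgroup administrators", "select", "count", _
                   "asc", "char", "mid", "'", ":", """", "insert", _
                   "delete", "drop", "truncate", "from")
    Errc = False
    For i = 0 To UBound(nothis)
        IF Instr(FQYs, nothis(i)) <> 0 Then
            Errc = True
            Exit For
        End IF
    Next
    IF Errc Then
        ' The "23" in the message is preserved from the original; it looks
        ' like a stray debug marker - confirm before removing.
        Call NewUrl (1,"您提交的数据中含有非法字符23!","Backlash")
        Response.End
    End IF
End Function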
%>
更新时间:2010-6-17