<% @language=vbscript codepage=936 %>
<%
'Option Explicit
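' Force the browser to request this page from the server again instead of
' reading it from its cache. The original set Response.Buffer twice and
' Response.Expires twice (-1, then 0); only the final values are kept here.
Response.Buffer = True
Response.ExpiresAbsolute = Now() - 1
Response.Expires = 0
' NOTE(review): "no-cache" asks caches to revalidate but does not forbid storing
' the response; pages that show sensitive data may need "no-store" - confirm.
Response.CacheControl = "no-cache"
'------------------------------- Global constants ---------------------------
' Database type (0 = Access database), the literal used for boolean values,
' and the delimiter placed around date/time literals.
Const IsSqlDataBase = 0
Const DBTrue = "True"
Const DBTime = "#"
' Site name
Const WebsiteName = "黑夜"
' Site domain
Const WebsiteDomain = ""
' "Encryption" type
' NOTE(review): the name suggests a 32-character MD5 digest. If this is used for
' password storage, unsalted MD5 is not adequate for that purpose - confirm
' where the constant is consumed.
Const MD5Type = "32"
'------------------------------- Global variables ---------------------------
' Shared ADODB connection object; it is assigned by ConnectionDatabase.
Dim Conn
Call ConnectionDatabase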
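' Opens the global ADODB connection Conn, using SQL Server (SQLOLEDB) when
' IsSqlDataBase = 1 and the Access/Jet file otherwise. On failure it writes a
' generic message and ends the response.
'
' This Sub only opens the connection; it builds no SQL statements. Protection
' against SQL injection therefore belongs at every place a query is built from
' request data, by binding values as ADODB.Command parameters instead of
' concatenating them into the SQL text.
Sub ConnectionDatabase
    Dim ConnStr, db, FailureCode
    If IsSqlDataBase = 1 Then
        Dim SqlDatabaseName, SqlPassword, SqlUsername, SqlLocalName
        ' Placeholders. NOTE(review): real credentials in this file are readable
        ' by anyone who can read the script source; use a least-privilege
        ' database account.
        SqlDatabaseName = ""
        SqlPassword = ""
        SqlUsername = ""
        SqlLocalName = "(local)"
        ConnStr = "Provider = Sqloledb; User ID = " & SqlUsername & "; Password = " & SqlPassword & "; Initial Catalog = " & SqlDatabaseName & "; Data Source = " & SqlLocalName & ";"
    Else
        ' NOTE(review): Server.MapPath resolves this relative to the script, so
        ' the .mdb file sits inside the web-served directory tree. Unusual
        ' characters in the file name are not access control; keep the database
        ' outside the web root or have the web server deny requests for it.
        db = "db/#ruiutend&anxiu.mdb"
        ConnStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(db) & ";Persist Security Info=False"
    End If
    On Error Resume Next
    Set Conn = Server.CreateObject("ADODB.Connection")
    Conn.Open ConnStr
    If Err.Number <> 0 Then
        FailureCode = Err.Number
        Err.Clear
        Set Conn = Nothing
        ' The original wrote Server.MapPath(db) into the response here, which
        ' shows the server's physical database path to any visitor. The error
        ' number goes to the web server log instead; the page gets only the
        ' generic message.
        Response.AppendToLog "db-connect-failed " & FailureCode
        Response.Write "数据库连接出错,请检查连接字串。"
        Response.End
    End If
End Sub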
%>
请问,要在哪里加入防注入代码啊?
要用什么防注入代码啊?
高手帮我加下,加的好,测试能通过,我追分……
' NOTE(review): the FUNCTION header is missing from this listing. The body
' assigns CHECKSTR and reads ISTR, so it is presumably FUNCTION CHECKSTR(ISTR) -
' confirm against the original file.
'
' Keyword filter: lower-cases ISTR, strips every token in SQL_KILL from it, and
' if anything was stripped, shows an alert and ends the response.
'
' NOTE(review): a keyword blacklist is not a reliable defence against SQL
' injection. It rejects ordinary text that happens to contain "and", "set",
' "from", "=" or "%", and it cannot enumerate all SQL syntax. The dependable fix
' is at the query sites: bind request values as ADODB.Command parameters and
' convert numeric ids with CLng/CInt before use.
DIM ISTR_FORM,SQL_KILL,SQL_KILL_1,SQL_KILL_2,ISTR_KILL
IF ISTR="" THEN EXIT FUNCTION
' The value is lower-cased before filtering, so the value returned through
' CHECKSTR is lower-cased as well.
ISTR=LCase(ISTR)
' Keep the unfiltered (lower-cased) input for the comparison below.
ISTR_FORM=ISTR
' NOTE(review): the string literal below is split across two lines in this
' listing (probably by line wrapping); VBScript needs it on a single line.
SQL_KILL="'|and|exec|insert
|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|set|;|from|="
SQL_KILL_1=SPLIT(SQL_KILL,"|")
' Remove each blacklisted token from the working copy.
FOR EACH SQL_KILL_2 IN SQL_KILL_1
ISTR=REPLACE(ISTR,SQL_KILL_2,"")
NEXT
CHECKSTR=ISTR
' Removes occurrences of the filtered string from the original input; the
' remainder is shown to the user as the "illegal characters".
ISTR_KILL=REPLACE(ISTR_FORM,ISTR,"")
IF ISTR<>ISTR_FORM THEN
' NOTE(review): ISTR_FORM and ISTR_KILL are request data written into a <script>
' block without any encoding, and this branch runs exactly when the input held a
' filtered character such as the single quote. That makes the warning itself a
' reflected script-injection point. Show a fixed message without echoing the
' input, or encode the values for a JavaScript string context.
RESPONSE.WRITE "<script>alert('警告: 您提交的数据["&ISTR_FORM&"]中含有非法字符 ["&ISTR_KILL&"]');history.back();</Script>"
RESPONSE.END
END IF
END FUNCTION