I built a small site, and when I checked it after finishing, a scan reported an injection vulnerability. Could an expert help me fix it? Are there any good solutions? Much appreciated. My QQ: 11886661
<%
' Write the link text for the current news row; the matching opening <a> tag is not part of the posted fragment.
Response.Write rs("title") & "</a>"
' Show an image icon when the row has a first image.
If Trim(rs("firstImageName")) <> "" Then
    Response.Write " <img src='news/images/news.gif' border=0>"
End If
%>
<a title="<%=rs("addtime")%>"><font color=#cccccc><i>(<%=FormatDateTime(rs("addtime"),vbShortDate)%> 浏览:<%=rs("hits")%>
Preventing SQL injection really comes down to blocking certain executable statements, such as select, execute and so on. Here is some commonly used code:
<%
Dim SQL_injdata, SQL_inj, SQL_Get, SQL_Data, Sql_Post
' Blacklist of substrings that are treated as an injection attempt.
SQL_injdata = ":|;|>|<|--|sp_|xp_|\|dir|cmd|^|(|)|+|$|'|copy|format|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = Split(SQL_injdata, "|")
' Reject the request if any query-string parameter contains a blacklisted substring.
' vbTextCompare makes the match case-insensitive, so SELECT and select are both caught.
If Request.QueryString <> "" Then
    For Each SQL_Get In Request.QueryString
        For SQL_Data = 0 To UBound(SQL_inj)
            If InStr(1, Request.QueryString(SQL_Get), SQL_inj(SQL_Data), vbTextCompare) > 0 Then
                Response.Write "非法访问"
                Response.End
            End If
        Next
    Next
End If
' Reject the request if any form field contains a blacklisted substring.
If Request.Form <> "" Then
    For Each Sql_Post In Request.Form
        For SQL_Data = 0 To UBound(SQL_inj)
            If InStr(1, Request.Form(Sql_Post), SQL_inj(SQL_Data), vbTextCompare) > 0 Then
                Response.Write "非法访问"
                Response.End
            End If
        Next
    Next
End If
%>
Also, once you have finished debugging all of the site's pages, I suggest adding this statement in Conn.asp:
<%
' Suppress runtime errors so that database failures do not surface as error pages to visitors.
On Error Resume Next
……
Set Conn = Server.CreateObject("adodb.connection")
……
Conn.Open Connstr
If Err Then
    ' Discard the connection error instead of displaying it.
    Err.Clear
Else
    ……
End If
%>
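The keyword blacklist in the answer above is fragile: it rejects ordinary input such as the word "and" or a parenthesis, and substring filtering gives no guarantee against injection. The durable fix for a page like the asker's news listing is to keep request data out of the SQL text entirely. The following is an added example, not code from the original post; it assumes a news table with the columns used in the question and an open ADODB connection object named Conn.

```asp
<%
' Added example, not code from the original post. Assumes a table "news"
' (columns id, title, firstImageName, addtime, hits) and an open ADODB
' connection object named Conn. The request value is never concatenated
' into the SQL text, so no keyword blacklist is needed for it.
Dim id, re, cmd, rs

' Whitelist validation: the id must be 1 to 9 decimal digits, nothing else.
id = Request.QueryString("id")
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(id) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid request"
    Response.End
End If

' Parameterized query: the driver sends the value separately from the SQL text.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = Conn
cmd.CommandType = 1   ' adCmdText
cmd.CommandText = "SELECT title, firstImageName, addtime, hits FROM news WHERE id = ?"
' CreateParameter(Name, Type, Direction, Size, Value): 3 = adInteger, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , CLng(id))
Set rs = cmd.Execute

If rs.EOF Then
    Response.Write "Not found"
Else
    ' HTML-encode database values on output so stored text cannot inject markup.
    Response.Write "<a title=""" & Server.HTMLEncode(CStr(rs("addtime"))) & """>" & _
                   Server.HTMLEncode(CStr(rs("title"))) & "</a>"
    ' The & "" guards against a Null column value, which Trim() would reject.
    If Trim(rs("firstImageName") & "") <> "" Then
        Response.Write " <img src='news/images/news.gif' border=0>"
    End If
    Response.Write " (" & FormatDateTime(rs("addtime"), vbShortDate) & _
                   " 浏览:" & rs("hits") & ")"
End If
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```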
Answer 1, 2007-11-03
The code you pasted has nothing to do with security.