The main places in ASP that need protecting:
1. Query-string parameter injection: values read with Request.QueryString
2. Form parameter injection: values read with Request.Form
3. Cookies: values read with Request.Cookies
These all come down to the same principle: every place where a value can be entered, every point at which the user interacts with the page, needs a check.
Write one function that intercepts the values submitted at these points and compares them against an array of sensitive characters and keywords to be filtered or checked. Here is my filter function:
' Reconstructed: extraction collapsed the original Replace calls into single lines; the replacement
' strings are assumed to HTML-entity-encode the first character of each keyword so it no longer parses as SQL or HTML.
Function ChkStr(Str)
    Dim Keys, K
    If IsNull(Str) Then
        ChkStr = ""
        Exit Function
    End If
    Str = Replace(Str, Chr(0), "", 1, -1, 1)          ' strip NUL bytes
    Str = Replace(Str, """", "&quot;", 1, -1, 1)
    Str = Replace(Str, "<", "&lt;", 1, -1, 1)
    Str = Replace(Str, ">", "&gt;", 1, -1, 1)
    Str = Replace(Str, "'", "&#39;", 1, -1, 1)        ' the quote that closes a SQL string literal
    Str = Replace(Str, "[", "&#91;", 1, -1, 1)
    Str = Replace(Str, "]", "&#93;", 1, -1, 1)
    Str = Replace(Str, "=", "&#61;", 1, -1, 1)
    Str = Replace(Str, vbCrLf, " ", 1, -1, 1)
    ' compare argument 1 (vbTextCompare) matches script/SCRIPT/Script in one call
    Keys = Array("script", "object", "applet", "select", "execute", "exec", "join", "union", "where", "insert", "delete", "update", "like", "drop", "create", "rename", "count", "chr", "mid", "truncate", "nchar", "char", "alter", "cast", "exists")
    For Each K In Keys
        Str = Replace(Str, K, "&#" & Asc(K) & ";" & Mid(K, 2), 1, -1, 1)   ' also rewrites harmless text such as "update" inside a comment
    Next
    ChkStr = Str
End Function
When writing to the database: rs("field") = ChkStr(Trim(Request.Form("form parameter")))
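As an added example (not part of the original post), here is how the same three input sources are handled without the keyword list: the query is built with an ADODB.Command and ? placeholders, so the submitted value never becomes part of the SQL text, and Server.HTMLEncode is applied when the value is written back into the page. The table users, its columns, the form, query-string and cookie names, and Application("ConnStr") are assumptions. The commented-out concatenation near the top is the pattern ChkStr tries to patch; a keyword blacklist also rewrites legitimate text (a comment containing the word update) and has to be remembered at every call site, whereas parameterisation fixes the query itself.

```vbscript
<%
Option Explicit
' Added example (not from the original post). Assumed: a "users" table with columns
' id, name, session_token, and a connection string kept in Application("ConnStr").
Dim conn, cmd, rs, userName, page, token

userName = Trim(Request.Form("username"))      ' form parameter
page     = Trim(Request.QueryString("page"))   ' query-string parameter
token    = Trim(Request.Cookies("session"))    ' cookie

' The pattern ChkStr is trying to protect, kept as a comment only (do NOT use):
'   Set rs = conn.Execute("SELECT id, name FROM users WHERE name='" & userName & "'")
' With username  x' OR '1'='1  the statement becomes
'   SELECT id, name FROM users WHERE name='x' OR '1'='1'

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnStr")

' Parameterised command: the user's text travels as a bound value, never as SQL text,
' so quotes and keywords inside it have no meaning to the database.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1                            ' adCmdText
cmd.CommandText = "SELECT id, name FROM users WHERE name = ? AND session_token = ?"
cmd.Parameters.Append cmd.CreateParameter("name", 200, 1, 50, userName)   ' 200 = adVarChar, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("tok", 200, 1, 64, token)
Set rs = cmd.Execute

' A numeric parameter is validated as a number, not run through a keyword list.
If Not IsNumeric(page) Or Len(page) > 6 Then page = "1"

' Whatever is stored is encoded when it is written into the HTML, which is where
' <script>, <object> and <applet> actually become dangerous.
If Not rs.EOF Then
    Response.Write "<p>Hello, " & Server.HTMLEncode(rs("name") & "") & " (page " & CLng(page) & ")</p>"
End If

rs.Close : conn.Close
%>
```

The size argument to CreateParameter (50 and 64 here) should match the column width, and the same ADODB.Command can be reused for INSERT and UPDATE statements, so the ChkStr call in the rs("field") assignment above is no longer needed for injection, only HTMLEncode on output for the script/object/applet case.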