<%
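' sqlcheck: legacy denylist filter for request values that callers later
' concatenate into SQL text.
'
' If the case-folded input contains any phrase in the denylist, a
' client-side redirect to showerror.asp?errtype=<errtype> is written and
' the response is ended (the caller never resumes). Otherwise a copy of
' the input with a fixed set of punctuation characters removed is returned.
'
'   str     - raw value to check (typically a Request item). Null or Empty
'             is treated as "" so it does not propagate through the
'             string functions as Null.
'   errtype - error code forwarded to showerror.asp; it is URL-encoded
'             before being placed in the redirect URL.
'   returns - str with _ * space " ' [ ] % : ; + { } removed.
'
' NOTE: substring denylists and character stripping reduce but do not
' remove SQL injection risk; the call sites should use parameterised
' queries (ADODB.Command with Parameters) and treat this as defence in
' depth only. The phrases "and " and "or " also match ordinary words such
' as "for " or "color ", so free-form input will produce false positives.
function sqlcheck(str,errtype)
    dim badwords, stripchars, i, lstr
    ' A missing Request item arrives as Null; normalise before lcase/replace.
    if isnull(str) or isempty(str) then str = ""
    str = cstr(str)
    ' Fold case once instead of on every comparison.
    lstr = lcase(str)
    ' Phrases that abort the request. The list is kept identical to the
    ' original chain of instr() tests (including the redundant
    ' "delete from ", which "delete " already covers).
    badwords = array("select ", "insert ", "delete ", "delete from ", "count(", _
                     "drop table", "update ", "truncate ", "asc(", "mid(", "char(", _
                     "xp_cmdshell", "exec master", "net localgroup administrators", _
                     "and ", "net user", "or ")
    for i = 0 to ubound(badwords)
        if instr(lstr, badwords(i)) > 0 then
            ' errtype is URL-encoded ("" & errtype coerces Null to "") so a
            ' caller-supplied value cannot break out of the URL or the
            ' surrounding script literal.
            response.write("<script language=javascript>" & vbcrlf & "window.location.href ='showerror.asp?errtype=" & server.urlencode("" & errtype) & "'" & vbcrlf & "</script>")
            response.end
        end if
    next
    ' Characters stripped from the returned value, in the original order:
    ' _ * space " ' [ ] % : ; + { }
    stripchars = array("_", "*", " ", chr(34), chr(39), chr(91), chr(93), _
                       chr(37), chr(58), chr(59), chr(43), "{", "}")
    for i = 0 to ubound(stripchars)
        str = replace(str, stripchars(i), "")
    next
    sqlcheck = str
end function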
%>