改进的SQL防注入(加强抑错)-ASP教程,安全加密

<%

asp防注入之解决方案
特殊页面处理
因为有些页通过流式传递(比如含有文件上传的表单)
如果单一使用穷举form对象的操作就会出错
所以要把这些页面过滤出来,同时在页面中使用sql(“检测的字串”)才行
垃圾猪zero@new57.com
http://blog.csdn.net/cfaq

源码下载http://www.new57.com/softback/sql.rar

将本页用include方法放在头部以让所有页都可以调用,比如include在conn.asp里
如果有流式上传的页面请把该页加到表page中,以防form冲突

dim n_no,n_noarray,req_qs,req_f,n_i,n_dbstr,conn,n_rs,n_userip,n_thispage
n_userip = request.servervariables(“remote_addr”)
n_thispage = lcase(request.servervariables(“url”))

n_no =  “|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare” 可以自己修改怀疑是注入操作的字串
n_noarray = split(lcase(n_no),”|”)

call dbopen()
call n_check_qs()
call n_checkpage()
call dbclose()

检测当前页是否是特殊页是就调用 n_check_form()
sub n_checkpage()

 set n_rs = server.createobject(“adodb.recordset”)
  n_rs.open “select * from page where spcpage like %”&n_thispage&”%”,conn,1,1
  if  (n_rs.eof and n_rs.bof) then
   call n_check_form()
  end if
  n_rs.close()
 set n_rs = nothing

end sub

检测给定字串
sub n_sql(agsql)
 这里是不记录数据库,如果要改请自己修改
 n_check “cus”,req_qs,”other”
end sub

检测request.form
sub n_check_form()
 if request.form<>”” then
 for each req_f in request.form
   n_check req_f,request.form(req_f),”post”
 next
 end if
end sub

检测request.querystring
sub n_check_qs()
 if request.querystring<>”” then
  for each req_qs in request.querystring
   n_check req_qs,request.querystring(req_qs),”get”
  next
 end if
end sub

检测
sub n_check(ag,agsql,sqltype)
 for n_i=0 to ubound(n_noarray)
  if instr(lcase(agsql),n_noarray(n_i))<>0 then
  call n_regsql(ag,agsql,sqltype)
  response.write “mo”
  end if
 next
end sub

记录并停止输出
ag 名称
agsql 内容
sqltype 类型
sub n_regsql(ag,agsql,sqltype)
 if(sqltype<>”other”) then
  conn.execute(“insert into sqlin(sqlin_ip,sqlin_web,sqlin_fs,sqlin_cs,sqlin_sj) values(“&n_userip&”,”&n_thispage&”,”&sqltype&”,”&ag&”,”&agsql&”)”)
 end if
  response.write “<script language=javascript>alert(请不要在参数中包含非法字符尝试注入！);</script>”
  response.write “<span style=font-size:12px>非法操作！系统做了如下记录↓<br>”
  response.write “操作ｉｐ：”&n_userip&”<br>”
  response.write “操作时间：”&now&”<br>”
  response.write “操作页面：”&n_thispage&”<br>”
  response.write “提交方式：”&sqltype&”<br>”
  response.write “提交参数：”&ag&”<br>”
  response.write “提交数据：”&agsql&”</span>”
   
  response.end
end sub

sub dbopen()
 n_dbstr=”dbq=”+server.mappath(“sql.mdb”)+”;defaultdir=;driver={microsoft access driver (*.mdb)};”
 set conn=server.createobject(“adodb.connection”)
 conn.open n_dbstr
end sub

sub dbclose()
 conn.close
 set conn = nothing
end sub
%>