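<%
'----------------------------------------------------------------------------
' sqlin.asp - request-filtering include (substring blacklist).
'
' On every request this include:
'   1. loads the filter configuration from Application("config_info"),
'      seeding it with the defaults in PutApplicationValue on first use;
'   2. runs the IP block list when Kill_IP is "1" (Stop_IP, defined in
'      another include);
'   3. scans every Form / QueryString / Cookie value for the configured
'      substrings; a hit is optionally logged (InsertInfo, defined in
'      another include) and the response is ended.
'
' Maintainer note: a substring blacklist is a defence-in-depth measure only.
' The pages that include this file still need parameterised commands and
' proper output encoding; the default list ("and", "count", "mid", "(", ")",
' "%", "*") also rejects ordinary user text, so expect false positives.
'
' Configuration flags are stored as strings ("0"/"1") by PutApplicationValue,
' so every flag below is compared as text via CStr(); the original numeric
' comparisons (Kill_IP = 1, WriteSql = 1, Sec_Form_open = 1, Case 3) did not
' match the string defaults and left those features switched off.
'----------------------------------------------------------------------------

'-------- definitions --------
Dim N_Post, N_Get, N_In, N_Inf, N_Xh, N_db, N_dbstr, Kill_IP, WriteSql
Dim alert_url, alert_info, kill_info, N_type, Sec_Forms, Sec_Form_open, Sec_Form
Dim aApplicationValue

' Seed the shared configuration once per application lifetime.
If IsArray(Application("config_info")) = False Then Call PutApplicationValue()
aApplicationValue = Application("config_info")

' Read the configuration slots (layout documented in PutApplicationValue).
N_In          = aApplicationValue(0)
Kill_IP       = aApplicationValue(1)
WriteSql      = aApplicationValue(2)
alert_url     = aApplicationValue(3)
alert_info    = aApplicationValue(4)
kill_info     = aApplicationValue(5)
N_type        = aApplicationValue(6)
Sec_Forms     = aApplicationValue(7)
Sec_Form_open = aApplicationValue(8)

' Pages exempt from filtering and the blacklist itself, both "|"-delimited.
Sec_Form = Split(Sec_Forms, "|")
N_Inf    = Split(N_In, "|")

If CStr(Kill_IP) = "1" Then Stop_IP
If Request.Form <> "" Then StopInjection(Request.Form)
If Request.QueryString <> "" Then StopInjection(Request.QueryString)
If Request.Cookies <> "" Then StopInjection(Request.Cookies)

' Emit the client-side reaction to a blocked request.
' N_type "3" redirects to alert_url; other values emit an empty script block.
' alert_url is administrator configuration and is written into the script
' unescaped, so it must not be populated from request data.
' Currently not called: the call in Select_BadChar is commented out.
Function N_Alert(alert_info)
    Dim str
    str = "<" & "Script Language=JavaScript" & ">"
    Select Case CStr(N_type)
        Case "3"
            str = str & "location.href='" & alert_url & "';"
    End Select
    str = str & "<" & "/Script" & ">"
    Response.Write str
End Function

' Name the Request collection a value came from ("Post", "Get" or "Cookies").
' Not called by this file. NOTE(review): Select Case compares the collection
' objects with "=", which relies on their default property; kept as written,
' confirm it behaves as intended before relying on it.
Function intype(values)
    Select Case values
        Case Request.Form
            intype = "Post"
        Case Request.QueryString
            intype = "Get"
        Case Request.Cookies
            intype = "Cookies"
    End Select
End Function

' Scan every value in a Request collection for blacklisted substrings.
' When Sec_Form_open is "1", pages listed in Sec_Form are exempt. The
' exemption is decided once, before any value is inspected: the original
' loop ran Select_BadChar once per non-matching list entry and only skipped
' when a *later* entry matched, so only the first entry ever exempted a page.
Function StopInjection(values)
    If CStr(Sec_Form_open) = "1" Then
        If IsExemptPage() Then Exit Function
    End If
    For Each N_Get In values
        Select_BadChar(values)
    Next
End Function

' True when the current script name (SelfName) contains a non-empty Sec_Form
' entry, compared case-insensitively. Empty entries - e.g. the one produced
' by the trailing "|" in the default Sec_Forms - are skipped, because
' Instr(x, "") returns 1 and would otherwise exempt every page.
Function IsExemptPage()
    Dim N_i, pageName
    IsExemptPage = False
    pageName = LCase(SelfName)
    For N_i = 0 To UBound(Sec_Form)
        If Sec_Form(N_i) <> "" Then
            If Instr(pageName, LCase(Sec_Form(N_i))) > 0 Then
                IsExemptPage = True
                Exit Function
            End If
        End If
    Next
End Function

' Check the value for key N_Get (set by the caller's For Each) against every
' blacklist entry. On the first hit the request is optionally logged via
' InsertInfo (WriteSql = "1") and the response is ended; no alert is sent.
' Empty blacklist entries are skipped for the same Instr(x, "") reason as in
' IsExemptPage - an empty entry would block every request.
Function Select_BadChar(values)
    Dim currentValue
    currentValue = LCase(values(N_Get))
    For N_Xh = 0 To UBound(N_Inf)
        If N_Inf(N_Xh) <> "" Then
            If Instr(currentValue, LCase(N_Inf(N_Xh))) <> 0 Then
                If CStr(WriteSql) = "1" Then InsertInfo(values)
                'N_Alert(alert_info)
                Response.End
            End If
        End If
    Next
End Function

' Escape a string for use inside a single-quoted SQL literal and in HTML.
' Doubles single quotes and entity-encodes "<" and ">". As written before,
' the two angle-bracket replacements substituted a character for itself and
' were no-ops. Note the argument is ByRef (VBScript default) and is modified
' in place as well as returned, matching the original behaviour.
' Quote-doubling is only safe inside a single-quoted literal; prefer
' parameterised commands where the caller builds SQL.
Function N_Replace(N_urlString)
    N_urlString = Replace(N_urlString, "'", "''")
    N_urlString = Replace(N_urlString, ">", "&gt;")
    N_urlString = Replace(N_urlString, "<", "&lt;")
    N_Replace = N_urlString
End Function

' Write the default configuration into Application("config_info").
' Slot layout (all values stored as strings):
'   0 N_In          "|"-delimited blacklist of substrings
'   1 kill_ip       "1" enables Stop_IP
'   2 WriteSql      "1" logs blocked requests via InsertInfo
'   3 alert_url     redirect target used by N_Alert when N_type is "3"
'   4 alert_info    alert text (unused while the N_Alert call is commented out)
'   5 kill_info     IP-blocked text (consumed elsewhere)
'   6 N_type        N_Alert behaviour selector
'   7 Sec_Forms     "|"-delimited page names exempt from filtering
'   8 Sec_Form_open "1" enables the exemption list
' Slot 9 is allocated but unused.
Sub PutApplicationValue()
    Redim ApplicationValue(9)
    ApplicationValue(0) = "'|;|and|(|)|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare" 'N_In
    ApplicationValue(1) = "0" 'kill_ip
    ApplicationValue(2) = "0" 'WriteSql
    ApplicationValue(3) = "default.asp" 'alert_url
    ApplicationValue(4) = "请不要在参数中包含非法字符尝试注入!\n\n" 'alert_info
    ApplicationValue(5) = "你的Ip已经被本系统自动锁定!\n\n如想访问本站请和管理员联系!" 'kill_info
    ApplicationValue(6) = "3" 'N_type
    ApplicationValue(7) = "test.asp|123123|" 'Sec_Forms
    ApplicationValue(8) = "0" 'Sec_Form_open
    Application.Lock
    Set Application("config_info") = Nothing
    Application("config_info") = ApplicationValue
    Application.Unlock
End Sub

' File name of the current script: everything after the last "/" in the
' URL server variable.
Function SelfName()
    Dim url
    url = Request.ServerVariables("URL")
    SelfName = Mid(url, InstrRev(url, "/") + 1)
End Function
%>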