
    <%
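'-------- Definitions --------------
Dim N_Post,N_Get,N_In,N_Inf,N_Xh,N_db,N_dbstr,Kill_IP,WriteSql
Dim aApplicationValue
' Load the filter configuration from Application state, seeding it with the
' defaults from PutApplicationValue() on first use.
If IsArray(Application("config_info")) = False Then Call PutApplicationValue()
aApplicationValue = Application("config_info")
' Unpack the configuration array (slot layout is defined in PutApplicationValue).
N_In = aApplicationValue(0)          ' "|"-separated blacklist of SQL tokens
Kill_IP = aApplicationValue(1)       ' "1" = block the client IP (Stop_IP)
WriteSql = aApplicationValue(2)      ' "1" = log hits via InsertInfo
alert_url = aApplicationValue(3)     ' redirect target used by N_Alert
alert_info = aApplicationValue(4)
kill_info = aApplicationValue(5)
N_type = aApplicationValue(6)        ' alert mode for N_Alert
Sec_Forms = aApplicationValue(7)     ' "|"-separated page names exempt from filtering
Sec_Form_open = aApplicationValue(8) ' "1" = honour the exemption list

' Exempt-page list and token blacklist as arrays. A trailing "|" (the default
' Sec_Forms has one) yields an empty trailing element; the consumers must skip
' empty entries because InStr(x, "") returns 1 and would match everything.
Sec_Form = Split(Sec_Forms, "|")
N_Inf = Split(N_In, "|")

' The flags are stored as strings ("0"/"1") by PutApplicationValue. In VBScript a
' string never compares equal to a number ("1" = 1 is False), so the old
' `Kill_IP=1` test could never fire; compare the string form instead. CStr also
' accepts a numeric 1 should other configuration code store one.
If CStr(Kill_IP) = "1" Then Stop_IP   ' Stop_IP is not defined in this file

' Screen the three request collections. Request.ServerVariables (Referer,
' User-Agent, ...) and raw request bodies are NOT screened here; code that feeds
' those into SQL must validate them itself. A keyword blacklist is bypassable
' and is no substitute for parameterised queries (ADODB.Command parameters).
If Request.Form <> "" Then StopInjection(Request.Form)
If Request.QueryString <> "" Then StopInjection(Request.QueryString)
If Request.Cookies <> "" Then StopInjection(Request.Cookies)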

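' Emit the client-side warning script. Only mode "3" (redirect to alert_url) is
' implemented; any other N_type writes an empty <script> element. The alert_info
' parameter is accepted but unused. N_type and alert_url are module-level config.
' NOTE: the only call site (in Select_BadChar) is commented out, so this is
' currently dead code.
' NOTE(review): alert_url is interpolated into a JS string literal without
' escaping. It is admin-supplied configuration today; if it can ever be
' influenced by a request, a quote in it breaks out of the literal (XSS).
Function N_Alert(alert_info)
	Dim str
	str = "<"&"Script Language=JavaScript"&">"
	' N_type is stored as a string by PutApplicationValue; a numeric `Case 3`
	' never matches a string "3" in VBScript, so compare the string form.
	Select Case CStr(N_type)
		Case "3"
			str = str & "location.href='"&alert_url&"';"
	End Select
	str = str & "<"&"/Script"&">"
	Response.Write str
End Function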

' Name the request collection a value came from ("Post", "Get" or "Cookies"),
' for use in log output. Returns Empty when none matches.
' NOTE: VBScript compares the collections through their default (string)
' value, so two collections that render identically (e.g. both empty) are
' indistinguishable and the first branch wins. Not called from this file.
Function intype(values)
	If values = Request.Form Then
		intype = "Post"
	ElseIf values = Request.QueryString Then
		intype = "Get"
	ElseIf values = Request.Cookies Then
		intype = "Cookies"
	End If
End Function

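' Generic SQL-injection screen: run every field of the request collection
' `values` through Select_BadChar, unless the exemption list is enabled and the
' current page is on it. Select_BadChar reads the current field name from the
' module-level N_Get, which is why that variable is the loop variable here.
'
' Fixes versus the original loop:
'  * The exemption check was nested inside the per-field loop and called
'    Select_BadChar once per non-matching list entry, so a field was scanned
'    several times and the first matching entry exited before later fields were
'    scanned at all.
'  * An empty list entry (the default "test.asp|123123|" has a trailing "|")
'    made InStr(page, "") return 1, which exempted EVERY page from filtering
'    whenever Sec_Form_open was on. Empty entries are now skipped.
'  * Sec_Form_open is stored as a string; `= 1` never matched it.
' Matching is still a case-insensitive substring test on the script file name
' (SelfName), as before; prefer exact names in the list.
Function StopInjection(values)
	Dim N_i, N_page, N_entry
	If CStr(Sec_Form_open) = "1" Then
		N_page = LCase(SelfName)
		For N_i = 0 To UBound(Sec_Form)
			N_entry = LCase(Sec_Form(N_i))
			If Len(N_entry) > 0 Then
				' page is exempt: leave the whole request unscreened
				If InStr(N_page, N_entry) > 0 Then Exit Function
			End If
		Next
	End If
	For Each N_Get In values
		Select_BadChar(values)
	Next
End Function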

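' Scan one request field (values(N_Get), with N_Get set by StopInjection)
' against the N_Inf token blacklist. On a hit: log it via InsertInfo when
' WriteSql is "1" (InsertInfo is not defined in this file), then end the
' response. Returns nothing useful; the side effect is Response.End.
'
' Fixes: blacklist entries are lower-cased before matching (the input already
' was, so an upper-case entry in config could never match), empty entries are
' skipped (InStr(x, "") returns 1 and would reject every request), and WriteSql
' is compared as a string because that is how PutApplicationValue stores it.
'
' Caveats a maintainer should know: this is a plain substring test, so default
' entries like "and", "mid", "count" also reject ordinary words ("brand",
' "midnight", "discount"); and the default list has no "union", "or", "--" or
' "/*", so it does not stop injection on its own. Use parameterised queries.
Function Select_BadChar(values)
	Dim N_val, N_pat
	N_val = LCase(values(N_Get))
	For N_Xh = 0 To UBound(N_Inf)
		N_pat = LCase(N_Inf(N_Xh))
		If Len(N_pat) > 0 Then
			If InStr(N_val, N_pat) <> 0 Then
				If CStr(WriteSql) = "1" Then InsertInfo(values)
				'N_Alert(alert_info)
				Response.End
			End If
		End If
	Next
End Function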

' Escape a value for embedding: doubles single quotes (SQL string-literal
' escaping) and replaces < and > with HTML entities. The parameter is ByRef
' (VBScript default) and is assigned to, so a caller's variable is rewritten
' in place as well as returned.
' Caveats: & and " are not escaped, so this is not complete HTML escaping;
' quote-doubling protects only string-literal SQL contexts, not numeric ones.
' The three replacements are independent, so their order does not matter.
Function N_Replace(N_urlString)
	N_urlString = Replace(Replace(Replace(N_urlString, "<", "&lt;"), ">", "&gt;"), "'", "''")
	N_Replace = N_urlString
End Function

' Seed Application("config_info") with the default filter configuration.
' Slot layout (read back at the top of this file):
'   0 N_In          "|"-separated blacklist of SQL tokens
'   1 Kill_IP       "1" = block the offending IP
'   2 WriteSql      "1" = log hits
'   3 alert_url     redirect target for N_Alert
'   4 alert_info    warning text ("\n" is literal here; it is meant for a JS alert)
'   5 kill_info     lock-out text
'   6 N_type        alert mode
'   7 Sec_Forms     "|"-separated exempt page names (trailing "|" leaves an empty entry)
'   8 Sec_Form_open "1" = honour the exempt list
' Slot 9 is allocated but left Empty. Every flag is stored as a STRING.
Sub PutApplicationValue()
	ReDim ApplicationValue(9)
	' switches
	ApplicationValue(1) = "0"
	ApplicationValue(2) = "0"
	ApplicationValue(8) = "0"
	ApplicationValue(6) = "3"
	' text and lists
	ApplicationValue(0) = "'|;|and|(|)|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
	ApplicationValue(3) = "default.asp"
	ApplicationValue(4) = "请不要在参数中包含非法字符尝试注入!\n\n"
	ApplicationValue(5) = "你的Ip已经被本系统自动锁定!\n\n如想访问本站请和管理员联系!"
	ApplicationValue(7) = "test.asp|123123|"
	' Publish under the application lock, clearing any stale value first.
	Application.Lock
	Set Application("config_info") = Nothing
	Application("config_info") = ApplicationValue
	Application.Unlock
End Sub

' File name of the executing script: the part of ServerVariables("URL") after
' the last "/". With no "/" the whole URL is returned (InStrRev gives 0);
' a URL ending in "/" yields "".
Function SelfName()
	Dim N_url, N_slash
	N_url = Request.ServerVariables("URL")
	N_slash = InStrRev(N_url, "/")
	SelfName = Mid(N_url, N_slash + 1)
End Function

%>