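<%
'---------- Definitions ----------
' Request filter include: every POST and GET value is scanned for the tokens
' in Idea_In. On a hit the attempt is recorded in Idea_Sqlin, a warning page
' is sent and the response ends, so the including page never runs.
' NOTE: plain substring matching on words such as "and", "mid" or "count"
' also rejects legitimate input (e.g. a name containing "and"). This list is a
' coarse first line of defence; it does not replace parameterised queries in
' the pages that consume the submitted data.
Dim Idea_Post,Idea_Get,Idea_In,Idea_Inf,Idea_Xh,Idea_db,Idea_dbstr
' Tokens to filter, separated by "|". Matching is case-insensitive.
Idea_In = "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
'-----------------------------------
%>
<%
' Double single quotes so a value can be embedded in a SQL string literal.
' The previous version substituted a typographic quote instead, which altered
' the recorded data; doubling keeps it intact.
Function Idea_SqlEsc(ByVal s)
    Idea_SqlEsc = Replace(CStr(s), "'", "''")
End Function

' Record the blocked request and send the warning page.
'   method     - "POST" or "GET", stored in SqlIn_FS
'   paramName  - name of the offending parameter (client-supplied, so escaped)
'   paramValue - its raw value
Sub Idea_Block(ByVal method, ByVal paramName, ByVal paramValue)
    Dim ip, url
    ip = Request.ServerVariables("REMOTE_ADDR")
    url = Request.ServerVariables("URL")
    '-------- write to database -- start --------
    ' idea.exec("",-1) is presumably what opens conn (defined in another
    ' include) - confirm against the including pages.
    Call idea.exec("",-1)
    ' Every value that reaches the SQL text is escaped, including the
    ' parameter name: the client controls it just as much as the value.
    conn.Execute("insert into Idea_Sqlin(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('" & Idea_SqlEsc(ip) & "','" & Idea_SqlEsc(url) & "','" & Idea_SqlEsc(method) & "','" & Idea_SqlEsc(paramName) & "','" & Idea_SqlEsc(paramValue) & "')")
    conn.close
    Set conn = Nothing
    '-------- write to database -- end --------
    ' Echoed values are HTML-encoded so the warning page cannot itself be
    ' used to reflect markup or script back to the browser.
    Response.Write "<Script Language=JavaScript>alert('严重警告:请不要在参数中包含非法字符尝试注入!');</Script>"
    Response.Write "非法操作:系统做了如下记录<br>"
    Response.Write "操作IP:" & Server.HTMLEncode(ip) & "<br>"
    Response.Write "操作时间:" & Now & "<br>"
    Response.Write "操作页面:" & Server.HTMLEncode(url) & "<br>"
    Response.Write "提交方式:" & method & "<br>"
    Response.Write "提交参数:" & Server.HTMLEncode(paramName) & "<br>"
    Response.Write "提交数据:" & Server.HTMLEncode(paramValue)
    Response.End
End Sub

' True when value contains any filter token (case-insensitive substring test).
Function Idea_Hit(ByVal value)
    Idea_Hit = False
    For Idea_Xh = 0 To Ubound(Idea_Inf)
        If Instr(LCase(value), Idea_Inf(Idea_Xh)) <> 0 Then
            Idea_Hit = True
            Exit Function
        End If
    Next
End Function

Idea_Inf = split(Idea_In,"|")
'---------- POST ----------
If Request.Form<>"" Then
    For Each Idea_Post In Request.Form
        If Idea_Hit(Request.Form(Idea_Post)) Then
            Call Idea_Block("POST", Idea_Post, Request.Form(Idea_Post))
        End If
    Next
End If
'----------------------------------
'---------- GET -----------
If Request.QueryString<>"" Then
    For Each Idea_Get In Request.QueryString
        If Idea_Hit(Request.QueryString(Idea_Get)) Then
            ' Query-string hits were previously recorded with SqlIn_FS='POST';
            ' the method is now passed through so the log is accurate.
            Call Idea_Block("GET", Idea_Get, Request.QueryString(Idea_Get))
        End If
    Next
End If
%>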