
    <%
'-------- Definitions --------------
' Idea_Inf receives the split terms; Idea_Post, Idea_Get and Idea_Xh are the
' loop variables used by the scanning code further down this page. Idea_db and
' Idea_dbstr are declared but not referenced in this file as shown.
Dim Idea_Post, Idea_Get, Idea_In, Idea_Inf, Idea_Xh, Idea_db, Idea_dbstr
' Substrings that mark a request as suspicious, joined with "|" so the scanning
' code can Split them. The scanners below match with a plain case-insensitive
' substring test (InStr on the lowercased value), so short entries such as
' "and" or "mid" also hit ordinary words that happen to contain them. This list
' is a heuristic layer only; the pages that build SQL still need their own
' parameterisation/escaping.
Idea_In = Join(Array( _
  "'", ";", "and", "exec", "insert", "select", "delete", "update", _
  "count", "*", "%", "chr", "mid", "master", "truncate", "char", "declare"), "|")
'----------------------------------
%>

<%
' Turn the "|"-separated blacklist into the array both scanners iterate over.
Idea_Inf = Split(Idea_In, "|")
'--------POST部份------------------
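' Scan every POST field value for the blacklisted substrings in Idea_Inf.
' On the first hit the request is recorded in Idea_Sqlin, a warning page is
' written and the response is ended; no further fields are inspected.
If Request.Form <> "" Then
  For Each Idea_Post In Request.Form
    For Idea_Xh = 0 To UBound(Idea_Inf)
      If InStr(LCase(Request.Form(Idea_Post)), Idea_Inf(Idea_Xh)) <> 0 Then
        '-------- Write to database -- start --------
        ' idea.exec is defined elsewhere; it appears to set up conn -- verify.
        Call idea.exec("", -1)
        ' Every value interpolated into the INSERT is request-controlled (the
        ' field NAME as much as its value), so each one gets its single quotes
        ' doubled, which is the standard SQL string-literal escape. The previous
        ' version only rewrote the value's quotes and left the field name raw.
        ' Parameters on an ADODB.Command would be the stronger long-term fix.
        conn.Execute("insert into Idea_Sqlin(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('" _
          & Replace(Request.ServerVariables("REMOTE_ADDR"), "'", "''") & "','" _
          & Replace(Request.ServerVariables("URL"), "'", "''") & "','POST','" _
          & Replace(Idea_Post, "'", "''") & "','" _
          & Replace(Request.Form(Idea_Post), "'", "''") & "')")
        conn.Close
        Set conn = Nothing
        '-------- Write to database -- end --------

        ' Echoed request data is HTML-encoded: the blocked field name and value
        ' are attacker-supplied and would otherwise be reflected into the page
        ' as live markup.
        Response.Write "<Script Language=JavaScript>alert('严重警告:请不要在参数中包含非法字符尝试注入!');</Script>"
        Response.Write "非法操作:系统做了如下记录<br>"
        Response.Write "操作IP:" & Server.HTMLEncode(Request.ServerVariables("REMOTE_ADDR")) & "<br>"
        Response.Write "操作时间:" & Now & "<br>"
        Response.Write "操作页面:" & Server.HTMLEncode(Request.ServerVariables("URL")) & "<br>"
        Response.Write "提交方式:POST<br>"
        Response.Write "提交参数:" & Server.HTMLEncode(Idea_Post) & "<br>"
        Response.Write "提交数据:" & Server.HTMLEncode(Request.Form(Idea_Post))
        Response.End
      End If
    Next
  Next
End If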
'----------------------------------

'--------GET部份-------------------
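' Scan every query-string parameter for the blacklisted substrings in Idea_Inf.
' On the first hit the request is recorded in Idea_Sqlin, a warning page is
' written and the response is ended; no further parameters are inspected.
If Request.QueryString <> "" Then
  For Each Idea_Get In Request.QueryString
    For Idea_Xh = 0 To UBound(Idea_Inf)
      If InStr(LCase(Request.QueryString(Idea_Get)), Idea_Inf(Idea_Xh)) <> 0 Then
        '-------- Write to database -- start --------
        ' idea.exec is defined elsewhere; it appears to set up conn -- verify.
        Call idea.exec("", -1)
        ' SqlIn_FS now records 'GET' (the previous version logged 'POST' for
        ' query-string hits, contradicting the page it prints). Every
        ' interpolated value is request-controlled, the parameter NAME included,
        ' so each one has its single quotes doubled -- the standard SQL escape.
        ' Parameters on an ADODB.Command would be the stronger long-term fix.
        conn.Execute("insert into Idea_Sqlin(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('" _
          & Replace(Request.ServerVariables("REMOTE_ADDR"), "'", "''") & "','" _
          & Replace(Request.ServerVariables("URL"), "'", "''") & "','GET','" _
          & Replace(Idea_Get, "'", "''") & "','" _
          & Replace(Request.QueryString(Idea_Get), "'", "''") & "')")
        conn.Close
        Set conn = Nothing
        '-------- Write to database -- end --------

        ' Echoed request data is HTML-encoded: the blocked parameter name and
        ' value are attacker-supplied and would otherwise be reflected into the
        ' page as live markup.
        Response.Write "<Script Language=JavaScript>alert('严重警告:请不要在参数中包含非法字符尝试注入!');</Script>"
        Response.Write "非法操作:系统做了如下记录<br>"
        Response.Write "操作IP:" & Server.HTMLEncode(Request.ServerVariables("REMOTE_ADDR")) & "<br>"
        Response.Write "操作时间:" & Now & "<br>"
        Response.Write "操作页面:" & Server.HTMLEncode(Request.ServerVariables("URL")) & "<br>"
        Response.Write "提交方式:GET<br>"
        Response.Write "提交参数:" & Server.HTMLEncode(Idea_Get) & "<br>"
        Response.Write "提交数据:" & Server.HTMLEncode(Request.QueryString(Idea_Get))
        Response.End
      End If
    Next
  Next
End If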
%>