asp实现防止从外部提交数据的三种方法

2019-10-06 10:36asp教程网 ASP教程

asp实现防止从外部提交数据的三种方法

防止从外部提交数据的方法

第一种做法，屏蔽特殊字符和关键字

fqys=request.servervariables("query_string")

dim nothis(18)

nothis(0)="net user"

nothis(1)="xp_cmdshell"

nothis(2)="/add"

nothis(3)="exec%20master.dbo.xp_cmdshell"

nothis(4)="net localgroup administrators"

nothis(5)="select"

nothis(6)="count"

nothis(7)="asc"

nothis(8)="char"

nothis(9)="mid"

nothis(10)="'"

nothis(11)=":"

nothis(12)=""""

nothis(13)="insert"

nothis(14)="delete"

nothis(15)="drop"

nothis(16)="truncate"

nothis(17)="from"

nothis(18)="%"

errc=false

for i= 0 to ubound(nothis)

if instr(FQYs,nothis(i))<>0 then

errc=true

end if

next

if errc then

response.write "<script language=""javascript"">"

response.write "parent.alert('很抱歉!你正在试图攻击本服务器或者想取得本服务器最高管理权!将直接转向首页..');"

response.write "self.location.href='default.asp';"

response.write "</script>"

response.end

end if

第二种可以防止客户从本地提交到网站上

<%

server_v1=Cstr(Request.ServerVariables("HTTP_REFERER"))

server_v2=Cstr(Request.ServerVariables("SERVER_NAME"))

if mid(server_v1,8,len(server_v2))<>server_v2 then

response.write "<br><br><center><table border=1 cellpadding=20 bordercolor=black bgcolor=#EEEEEE width=450>"

response.write "<tr><td style=font:9pt Verdana>"

response.write "你提交的路径有误，禁止从站点外部提交数据请不要乱该参数！"

response.write "</td></tr></table></center>"

response.end

end if

%>

第三。这样可以防止在输入框上打上or 1=1 的字样

If Instr(request("username"),"=")>0 or

Instr(request("username"),"%")>0 or

Instr(request("username"),chr(32))>0 or

Instr(request("username"),"?")>0 or

Instr(request("username"),"&")>0 or

Instr(request("username"),";")>0 or

Instr(request("username"),",")>0 or

Instr(request("username"),"'")>0 or

Instr(request("username"),"?")>0 or

Instr(request("username"),chr(34))>0 or

Instr(request("username"),chr(9))>0 or

Instr(request("username"),"　")>0 or

Instr(request("username"),"$")>0 or

Instr(request("username"),">")>0 or

Instr(request("username"),"<")>0 or

Instr(request("username"),"""")>0 then