


asp:sqlinjection

防止方法一:

  • 程式流程圖
  • Code
<%
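Function searchChk(sqlstr)
  ' Strips a small black list of SQL-injection tokens from a search string
  ' and returns the cleaned copy; sqlstr itself is not modified.
  '
  ' Fixes over the original: every pattern is removed, not only the first
  ' one found (the original did Exit Function after the first hit, so "'"
  ' was stripped but a following "or" stayed in place); the match is
  ' case-insensitive ("OR" was previously missed); Empty/Null are passed
  ' through unchanged; and the work variables are declared locally instead
  ' of leaking into page scope.
  '
  ' This is a last-resort filter, not a defense: removing "or" also mangles
  ' ordinary words ("world" becomes "wld"). Parameterized SQL is the real fix.
  Dim Attack, i, cleaned

  ' Nothing to clean: return the value as given.
  If IsEmpty(sqlstr) Or IsNull(sqlstr) Then
    searchChk = sqlstr
    Exit Function
  End If

  Attack = Array("'", "or")
  cleaned = sqlstr
  For i = 0 To UBound(Attack)
    ' start=1, count=-1 (all occurrences), vbTextCompare (ignore case)
    cleaned = Replace(cleaned, Attack(i), "", 1, -1, vbTextCompare)
  Next
  searchChk = cleaned
End Function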
%>

防止方法二:

  • 使用方法
1.載入 <!--#Include file="sqlinjection.asp"-->（伺服器端 include 需要 # 前綴，否則只是一段 HTML 註解，檢查不會執行）
2.ErrorPage (錯誤顯示頁面，與執行頁面放在同一目錄)
3.呼叫 CheckStringForSQL(str)，str 為要檢查的參數值
  • ErrorPage Code
<%
' Error page: send the visitor to another page, or render a message here instead.
Response.Redirect "index.html"
%>
  • sqlinjection Code
<% 
'  SqlCheckInclude.asp
'
'  Author: Nazim Lala
'
'  This is the include file to use with your asp pages to 
'  validate input for SQL injection.
 
 
' Script-level state shared by the checks below.
Dim BlackList   ' substrings whose presence marks a request value as suspicious
Dim ErrorPage   ' page the client is redirected to when a check fails
Dim s           ' loop variable used by the request-collection scans

'
'  About the black list: it rejects a handful of SQL keywords and
'  comment/separator sequences commonly seen in injection attempts.
'  Treat it as a stop-gap, not as a defense, because:
'  1) it cannot catch every variant (encoded characters, for example), and
'  2) it rejects legitimate input that happens to contain these substrings.
'
'  Building SQL by concatenating user input is the underlying problem.
'  Use parameterized SQL instead; http://support.microsoft.com/kb/q164485/
'  shows how to do this with ADO from ASP.
'
'  In addition, white-list each parameter: a zip code, for instance, should
'  be accepted only as exactly five characters from [0-9].
'

BlackList = Array( _
    "--", ";", "/*", "*/", "@@", "@", _
    "char", "nchar", "varchar", "nvarchar", _
    "alter", "begin", "cast", "create", "cursor", _
    "declare", "delete", "drop", "end", "exec", _
    "execute", "fetch", "insert", "kill", "open", _
    "select", "sys", "sysobjects", "syscolumns", _
    "table", "update", "'")

'  Destination of the redirect issued when a check fails.
ErrorPage = "./ErrorPage.asp"
 
'''''''''''''''''''''''''''''''''''''''''''''''''''               
'  This function does not check for encoded characters
'  since we do not know the form of encoding your application
'  uses. Add the appropriate logic to deal with encoded characters
'  in here 
'''''''''''''''''''''''''''''''''''''''''''''''''''
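Function CheckStringForSQL(str) 
  ' Returns True when str contains any BlackList entry (compared in lower
  ' case), False when str is Empty, Null, "" or contains none of them.
  '
  ' Changes from the original:
  '  - the loop variable is local; the original iterated with the
  '    script-level `s`, clobbering the caller's loop variable in the
  '    request-collection scans below
  '  - Null is handled explicitly as "nothing to inspect" (the original
  '    reached the same result only through Null propagation)
  '  - an error raised while coercing the value to text fails closed
  '    (True) instead of silently falling through to False under
  '    On Error Resume Next
  On Error Resume Next 
  Err.Clear   ' do not inherit a stale Err from the caller

  Dim lstr, pattern

  ' Nothing to inspect.
  If IsEmpty(str) Or IsNull(str) Then
    CheckStringForSQL = false
    Exit Function
  ElseIf ( StrComp(str, "") = 0 ) Then
    CheckStringForSQL = false
    Exit Function
  End If

  lstr = LCase(CStr(str))
  If Err.Number <> 0 Then
    ' Could not turn the value into text; do not let it through unchecked.
    Err.Clear
    CheckStringForSQL = true
    Exit Function
  End If

  ' Any black-listed substring marks the value as suspicious.
  For Each pattern In BlackList
    If ( InStr(lstr, pattern) <> 0 ) Then
      CheckStringForSQL = true
      Exit Function
    End If
  Next

  CheckStringForSQL = false

End Function 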
 
 
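'''''''''''''''''''''''''''''''''''''''''''''''''''
'  Scan one request collection (Form, QueryString, Cookies, ...)
'  and send the client to ErrorPage as soon as a value fails
'  CheckStringForSQL. Response.Redirect ends the response in
'  classic ASP, so nothing after the first hit runs.
'
'  The original wrote the same loop out three times, with the
'  script-level `s` as loop variable; one helper with a local
'  loop variable keeps the three checks identical.
'''''''''''''''''''''''''''''''''''''''''''''''''''
Sub CheckRequestCollection(coll)
  Dim key
  For Each key In coll
    If ( CheckStringForSQL(coll(key)) ) Then

      ' Redirect to error page
      Response.Redirect ErrorPage

    End If
  Next
End Sub

'''''''''''''''''''''''''''''''''''''''''''''''''''
'  Check forms data, query string and cookies
'''''''''''''''''''''''''''''''''''''''''''''''''''

CheckRequestCollection Request.Form
CheckRequestCollection Request.QueryString
CheckRequestCollection Request.Cookies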
 
 
'''''''''''''''''''''''''''''''''''''''''''''''''''
'  Add additional checks for input that your application
'  uses. (for example various request headers your app 
'  might use)
'''''''''''''''''''''''''''''''''''''''''''''''''''
%>