在 GET 請求中緩解 SQL 注入的方法(關鍵字黑名單過濾,只能作為輔助防線;根本防護仍是在拼接 SQL 的地方改用參數化查詢,例如 ADODB.Command 的 Parameters):
對通過瀏覽器地址欄(Request.QueryString)傳遞的數據做關鍵字過濾,命中即中止響應,例如:
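' Blacklist filter for GET parameters (Request.QueryString).
' Every query-string VALUE is lower-cased and scanned for each pattern in
' Fy_In; on the first hit an alert is written and the response is ended.
'
' NOTE(review): this is defense-in-depth only, not SQL-injection protection.
' Substring blacklists are bypassable (inline comments, keywords not on the
' list, alternate spellings the filter does not cover), and the generic
' entries ("or", "and", "count", "mid", "asc", "admin") also reject ordinary
' input such as "word", "android", "account", "middle". The actual protection
' is parameterized SQL (ADODB.Command with Parameters) wherever the query is
' built; this function does not replace that.
'
' No parameters, no return value. Side effects on a match: writes a <script>
' alert to the response and calls Response.End, so no later page code runs.
Public Function ChkSqlIn()
    Dim Fy_Get, Fy_In, Fy_Inf, Fy_Xh, Fy_Val

    ' VBScript string literals cannot span physical lines; the original
    ' listing split this one over three lines, which does not parse, so the
    ' list is assembled with explicit continuation.
    ' Request.QueryString(...) returns URL-DECODED values, so a pattern
    ' containing "%20" can never match: the original "%20from", "net%20user"
    ' and "net%20localgroup" entries were dead. They are written with a
    ' literal space here. "union" was absent from the original list.
    Fy_In = "'|;|or|and|(|)|*|%|exec|insert|select|delete|update|count|chr|char|nchar|asc|" & _
            "unicode|mid|substring|master|truncate|drop|declare| from|cmdshell|admin|net user" & _
            "|net localgroup|1=1|1=2|user>0|id=1|union"
    Fy_Inf = Split(Fy_In, "|")

    If Request.QueryString <> "" Then
        For Each Fy_Get In Request.QueryString
            ' Lower-case each value once rather than once per pattern.
            Fy_Val = LCase(Request.QueryString(Fy_Get))
            For Fy_Xh = 0 To UBound(Fy_Inf)
                If InStr(Fy_Val, Fy_Inf(Fy_Xh)) <> 0 Then
                    Response.Write "<Script>alert('對不起,可能出錯了!');</Script>"
                    ' Response.End stops script execution immediately; no
                    ' cleanup after it would ever run.
                    Response.End
                End If
            Next
        Next
    End If
End Function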