<%
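' Request filter: every POST and GET value is matched against a substring
' blocklist (via N_check) before the including page goes on to use the input.
' NOTE(review): a keyword blocklist is a weak control. The match is a plain
' substring test, so ordinary text containing "and", "%" or "*" is rejected,
' and only Request.Form and Request.QueryString are inspected here. Pages that
' build SQL should still use parameterized ADODB.Command queries; this filter
' is at best a second layer.
Dim N_no,N_noarray,req_Qs,req_F,N_i,N_dbstr,Conn,N_rs,N_userIP,N_thispage
N_userip = Request.ServerVariables("REMOTE_ADDR")
N_thispage = LCase(Request.ServerVariables("URL"))
' Pipe-separated substrings treated as injection attempts; edit to suit the site.
' (This remark was previously split onto its own line, where it was no longer a comment.)
N_no = "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
N_noarray = split(LCase(N_no),"|")

' Scan every submitted form field.
If Request.Form<>"" Then
    For Each req_F In Request.Form
        N_check req_F,Request.Form(req_F),"POST"
    Next
end if

' Scan every query-string parameter.
If Request.QueryString<>"" Then
    For Each req_Qs In Request.QueryString
        N_check req_Qs,Request.QueryString(req_Qs),"GET"
    Next
end if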
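' Checks one submitted value against the blocklist.
'   ag      - name of the form field or query-string parameter
'   agsql   - value submitted for that parameter
'   sqltype - "POST" or "GET", passed through to the report
' Only the value is tested; the parameter name itself is not matched.
' The comparison is a case-insensitive substring search, so a blocklisted word
' inside a longer word also triggers a rejection.
sub N_check(ag,agsql,sqltype)
    Dim N_lowered
    N_lowered = LCase(agsql)
    For N_i = 0 To UBound(N_noarray)
        If InStr(N_lowered, N_noarray(N_i)) <> 0 Then
            ' N_regsql calls Response.End, so the request stops at the first hit.
            ' The old Response.Write "MO" after this call could never run and was dropped.
            Call N_regsql(ag, agsql, sqltype)
        End If
    Next
end sub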
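' Reports a blocked request to the client and ends the response.
'   ag      - name of the offending parameter
'   agsql   - submitted value that matched the blocklist
'   sqltype - "POST" or "GET"
' Nothing is persisted here; the details are only written to the page. Store
' them server-side if an audit trail is needed.
' The parameter name and value come straight from the request, so they are
' HTML-encoded before being echoed. Writing them raw would let the rejected
' input be rendered as markup in the error page itself.
sub N_regsql(ag,agsql,sqltype)
    ' The quotes in the next two literals were typographic primes, which broke
    ' both the script and the style attribute; they are plain single quotes now.
    Response.Write "<Script Language=JavaScript>alert('请不要在参数中包含非法字符尝试注入!');</Script>"
    Response.Write "<span style='font-size:12px'>非法操作!系统做了如下记录↓<br>"
    Response.Write "操作IP:" & Server.HTMLEncode(CStr(N_userip)) & "<br>"
    Response.Write "操作时间:" & Now & "<br>"
    Response.Write "提交方式:" & Server.HTMLEncode(CStr(sqltype)) & "<br>"
    Response.Write "提交参数:" & Server.HTMLEncode(CStr(ag)) & "<br>"
    Response.Write "提交数据:" & Server.HTMLEncode(CStr(agsql)) & "</span>"
    ' Stop processing so the including page never uses the rejected input.
    Response.End
end sub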
' The section above is the SQL-injection filter; further keywords can be added to N_no.
'**************************
' Connect to MSSQL
'**************************
'Public UConnStr As String = "Persist Security Info=False;User ID=sa;Initial Catalog=dbQueue;Data Source=."
set conn = Server.CREATEOBJECT("ADODB.Connection")
'conn.Open "Persist Security Info=False;User ID=sa;pwd=;Initial Catalog=dbTouch;Data Source=."
' NOTE(review): the connection string below keeps the database password in the
' page source and logs in as "sa", which is normally the SQL Server sysadmin
' login. Every page that includes this file then runs its queries with that
' login's rights, so one injection the filter above misses exposes the whole
' server, not just the News database. Prefer a dedicated login limited to the
' objects the site needs, and load the secret from configuration kept outside
' the web root and outside version control. Since the password appears here,
' treat it as disclosed and rotate it.
conn.Open "PROVIDER=SQLOLEDB;DATA SOURCE=192.168.1.2;DATABASE=News;UID=sa;PWD=dasiyebushuo" ' Connect to the MSSQL database
'**************************
' Connect to ACCESS (disabled alternative)
'**************************
' dbpath is the relative path from the including ASP page to the database file, kept in one place for convenience.
' NOTE(review): the database file below appears to be given an .asp name and an obscure path so it
' cannot be downloaded directly; that is obscurity, so keep the file outside the web root instead.
'db=dbpath&"db@hbngzy/#I2O5N6J7D9M5S2S0K3E4J4X8K6#.asp"
'Set conn = Server.CreateObject("ADODB.Connection")
'connstr="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(db)
'conn.Open connstr
%>