<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
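<%
' Request filter ("SqlIn"): scans every POST field and every query-string
' parameter for a fixed list of SQL keywords/characters. On the first match
' the request is recorded in inc/SqlIn.mdb, a block page is written and the
' response is ended. Cookies and headers are not scanned.
'
' Why a login form stops working behind this filter: the match is a plain
' substring search on the lower-cased value, so any legitimate input that
' merely contains "and", "mid", "chr", "char", "count", "*" or "%" (a user
' name like "sandra", a password with "%") is rejected as well. The list is
' kept as-is here; treat it as defence in depth only and build the
' application's own queries with ADODB.Command parameters rather than
' string concatenation.
Dim k_Post, k_Get, k_In, k_Inf

' Blocklist entries, separated by "//", compared case-insensitively.
k_In = "'//;//and//exec//insert//select//delete//update//count//*//%//chr//mid//master//truncate//char//declare"
k_Inf = Split(k_In, "//")

' Returns True when sValue contains any blocklist entry (substring match).
Function k_IsSuspicious(sValue)
    Dim sLower, i
    k_IsSuspicious = False
    sLower = LCase(sValue)
    For i = 0 To UBound(k_Inf)
        If InStr(sLower, k_Inf(i)) <> 0 Then
            k_IsSuspicious = True
            Exit Function
        End If
    Next
End Function

' Appends one input string parameter to an ADODB.Command.
' 202 = adVarWChar, 1 = adParamInput; size must be at least 1 even for "".
Sub k_AddParam(cmd, sName, sValue)
    Dim nSize
    nSize = Len(sValue)
    If nSize < 1 Then nSize = 1
    cmd.Parameters.Append cmd.CreateParameter(sName, 202, 1, nSize, sValue)
End Sub

' Writes one audit row describing the blocked request.
' Every column is bound as a parameter: the parameter name, the value and
' the request URL are all attacker-influenced, so escaping only the value
' (as the original INSERT did) still left this logging statement injectable.
Sub k_LogAttempt(sMethod, sName, sValue)
    Dim k_db, k_cmd
    Set k_db = Server.CreateObject("ADODB.Connection")
    ' NOTE(review): the log database sits under the web root (inc/SqlIn.mdb);
    ' make sure the web server does not serve it directly.
    k_db.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("inc/SqlIn.mdb")
    Set k_cmd = Server.CreateObject("ADODB.Command")
    Set k_cmd.ActiveConnection = k_db
    k_cmd.CommandType = 1 ' adCmdText
    k_cmd.CommandText = "insert into SqlIn(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values(?,?,?,?,?)"
    k_AddParam k_cmd, "ip", Request.ServerVariables("REMOTE_ADDR")
    k_AddParam k_cmd, "web", Request.ServerVariables("URL")
    k_AddParam k_cmd, "fs", sMethod
    k_AddParam k_cmd, "cs", sName
    k_AddParam k_cmd, "sj", sValue
    k_cmd.Execute
    Set k_cmd = Nothing
    k_db.Close
    Set k_db = Nothing
End Sub

' Logs the attempt, writes the block page and ends the response.
' sMethod is "POST" or "GET"; sName/sValue are the offending parameter.
' Both branches now log (the block page tells the user a record was made,
' but the original only wrote a row for GET requests).
Sub k_Reject(sMethod, sName, sValue)
    k_LogAttempt sMethod, sName, sValue
    Response.Write "<Script Language=JavaScript>alert('请不要在参数中包含非法字符尝试注入!');</Script>"
    Response.Write "<table width='400' height='20' border='0' align='center' cellpadding='0' cellspacing='0'>"
    Response.Write "<tr><td width='400' height='20'>非法操作!系统做了如下记录<br></td></tr>"
    Response.Write "<tr><td width='400' height='20'>操作IP:" & Server.HTMLEncode(Request.ServerVariables("REMOTE_ADDR")) & "<br></td></tr>"
    Response.Write "<tr><td width='400' height='20'>操作时间:" & Now & "<br></td></tr>"
    Response.Write "<tr><td width='400' height='20'>操作页面:" & Server.HTMLEncode(Request.ServerVariables("URL")) & "<br></td></tr>"
    ' The original printed "POST" in both branches; report the real method.
    Response.Write "<tr><td width='400' height='20'>提交方式:" & sMethod & "<br></td></tr>"
    ' The parameter name and value are attacker-supplied and are echoed back
    ' into this page, so they must be HTML-encoded or the block page itself
    ' reflects arbitrary markup.
    Response.Write "<tr><td width='400' height='20'>提交参数:" & Server.HTMLEncode(sName) & "<br></td></tr>"
    Response.Write "<tr><td width='400' height='20'>提交数据:" & Server.HTMLEncode(sValue) & "<br></td></tr></table>"
    Response.End
End Sub

' Scan POST fields first, then query-string parameters. The first hit ends
' the response inside k_Reject, so at most one row is logged per request.
If Request.Form <> "" Then
    For Each k_Post In Request.Form
        If k_IsSuspicious(Request.Form(k_Post)) Then k_Reject "POST", k_Post, Request.Form(k_Post)
    Next
End If
If Request.QueryString <> "" Then
    For Each k_Get In Request.QueryString
        If k_IsSuspicious(Request.QueryString(k_Get)) Then k_Reject "GET", k_Get, Request.QueryString(k_Get)
    Next
End If
%>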
在数据库连接文件中加上上面的代码以后，就不能正常登录了，登录表单里的内容也被当作需要过滤的非法字符，该怎么办？
防 SQL 注入的小程序导致不能登录，该怎么办？