| 网站首页 | 业界新闻 | 小组 | 威客 | 人才 | 下载频道 | 博客 | 代码贴 | 在线编程 | 编程论坛
欢迎加入我们,一同切磋技术
用户名:   
 
密 码:  
共有 607 人关注过本帖
标题:sql防注入与文件上传功能冲突?
只看楼主 加入收藏
myosotis
Rank: 5Rank: 5
等 级:职业侠客
帖 子:72
专家分:377
注 册:2009-8-4
结帖率:71.43%
收藏
 问题点数:0 回复次数:0 
sql防注入与文件上传功能冲突?
数据库conn使用以下防止sql注入代码后,网站中 文件上传功能就不能使用,且点击上传时没有出错信息。如果把

防注入代码中的 POST部份 去掉,就可以上传。请问问题在哪里,如何更改。谢谢!




------------------------------------------------------------------------------------------
防止sql注入代码:

程序代码:
<%

'--------定义部份------------------
Dim Fy_Post,Fy_Get,Fy_cook,Fy_In,Fy_Inf,Fy_Xh,Fy_db,Fy_dbstr,aa 
On Error Resume Next 
Fy_In = "'|exec|insert|select|delete|update|count|chr|truncate|char|declare|--|script|*|char|set|(|)" 
aa="heike.txt" '------------------------------------------如入侵记录保存文件 
Fy_Inf = split(Fy_In,"|") 

'1--------POST部份------------------ 
If Request.Form<>"" Then 
For Each Fy_Post In Request.Form 
For Fy_Xh=0 To Ubound(Fy_Inf) 
If Instr(LCase(Request.Form(Fy_Post)),Fy_Inf(Fy_Xh))<>0 Then 
flyaway1=""&Request.ServerVariables("REMOTE_ADDR")&","&Request.ServerVariables("URL")

&"+'post'+"&Fy_post&"+"&replace(Request.Form(Fy_post),"'","*")&"" 
set fs=server.CreateObject("Scripting.FileSystemObject") 
set file=fs.OpenTextFile(server.MapPath(aa),8,True) 
file.writeline flyaway1 
file.close 
set file=nothing 
set fs=nothing 
call aaa() 
End If 
Next 
Next 
End If 
'2--------GET部份------------------- 
If Request.QueryString<>"" Then 
For Each Fy_Get In Request.QueryString 
For Fy_Xh=0 To Ubound(Fy_Inf) 
If Instr(LCase(Request.QueryString(Fy_Get)),Fy_Inf(Fy_Xh))<>0 Then 
flyaway2=""&Request.ServerVariables("REMOTE_ADDR")&","&Request.ServerVariables("URL")

&"+'get'+"&Fy_get&"+"&replace(Request.QueryString(Fy_get),"'","*")&"" 
set fs=server.CreateObject("Scripting.FileSystemObject") 
set file=fs.OpenTextFile(server.MapPath(aa),8,True) 
file.writeline flyaway2 
file.close 
set file=nothing 
set fs=nothing 
call aaa() 
End If 
Next 
Next 
End If 
'3--------cookies部份------------------- 
If Request.Cookies<>"" Then 
For Each Fy_cook In Request.Cookies 
For Fy_Xh=0 To Ubound(Fy_Inf) 
If Instr(LCase(Request.Cookies(Fy_cook)),Fy_Inf(Fy_Xh))<>0 Then 
flyaway3=""&Request.ServerVariables("REMOTE_ADDR")&","&Request.ServerVariables("URL")

&"+'cook'+"&Fy_cook&"+"&replace(Request.Cookies(Fy_cook),"'","*")&"" 
set fs=server.CreateObject("Scripting.FileSystemObject") 
set file=fs.OpenTextFile(server.MapPath(aa),8,True) 
file.writeline flyaway3 
file.close 
set file=nothing 
set fs=nothing 
call aaa() 
End If 
Next 
Next 
End If 
Sub aaa() 
Response.Write "<Script Language=JavaScript>alert('请不要在信息中包含* %等非法字符!');location.href 

= 'javascript:history.back()';</Script>"
Response.Write "
<hr>" 
Response.End 
end Sub



-------------------------------------------------------------------------------------
文件上传功能上传代码:

程序代码:
sub down() 
if Request.QueryString("submit")="down" then 
uploadpath="uploadFile/softdown/" 
uploadsize="2048" 
uploadtype="zip/rar/cab/doc" 
Set Uprequest=new UpLoadClass 
    Uprequest.SavePath=uploadpath 
    Uprequest.MaxSize=uploadsize*1024 
    Uprequest.FileType=uploadtype 
    AutoSave=true 
    Uprequest.open 
  if Uprequest.form("file_Err") <>0  then 
  select case Uprequest.form("file_Err") 
  case 1:str=" <div style=""padding-top:5px;padding-bottom:5px;""> <font color=blue>上传不成功!文件超过"&uploadsize&"k [ <a href='javascript:history.go(-1)'>重新上传 </a>] </font> </div>" 
  case 2:str=" <div style=""padding-top:5px;padding-bottom:5px;""> <font color=blue>上传不成功!文件格式不对 [ <a href='javascript:history.go(-1)']>重新上传 </a>] </font> </div>" 
  case 3:str=" <div style=""padding-top:5px;padding-bottom:5px;""> <font color=blue>上传不成功!文件太大且格式不对 [ <a href='javascript:history.go(-1)'>重新上传 </a>] </font> </div>" 
  end select 
  response.write str 
  else 
  response.write " <script language=""javascript"">parent.form1.url1.value='"&Uprequest.SavePath&Uprequest.Form("file")&"';" 
  response.write " </script>" 
  response.write " </script>" 
size=Uprequest.Form("file_size") 
showsize=size & " Byte"  
if size>1024 then  
  size=(size\1024)  
  showsize=size & " KB"  
end if  
if size>1024 then  
  size=(size/1024)  
  showsize=formatnumber(size,2) & " MB"   
end if 
  response.write " <script language=""javascript"">parent.form1.size.value='"&showsize&"';" 
  response.write " </script>" 
  response.write " <div style=""padding-top:5px;padding-bottom:5px;""> <font color=red>文件上传成功 </font> [ <a href='javascript:history.go(-1)'>重新上传 </a>] </div>" 
  end if 
Set Uprequest=nothing 
end if 
response.write " <form name=form action=?action=down&submit=down method=post enctype=multipart/form-data>" 
response.write " <input type=file name=file class='tx' size='20'>&nbsp;" 
response.write " <input type=submit name=submit value=上传 class=""tx1"">" 
response.write " </form>" 
end sub 

搜索更多相关主题的帖子: 传功 文件 sql 
2009-09-18 18:07
快速回复:sql防注入与文件上传功能冲突?
数据加载中...
 
   



关于我们 | 广告合作 | 编程中国 | 清除Cookies | TOP | 手机版

编程中国 版权所有,并保留所有权利。
Powered by Discuz, Processed in 0.024576 second(s), 8 queries.
Copyright©2004-2024, BCCN.NET, All Rights Reserved