防注入代码
时间:[2009-1-20 23:28:27] 作者:请作者尽快与我们联系。
asp版本
<%
' Blacklist-based request filter (classic ASP).
' The globals below are shared with StopInjection(): yisenceinje_In is the raw
' "#"-separated term list, yisenceinje_Inf the same list split into an array.
' Extra terms may be appended to yisenceinje_In, separated by "#".
' NOTE: this is a coarse substring blacklist. It is defence in depth only, not a
' substitute for parameterised queries, and it also rejects legitimate values that
' merely contain a listed term (e.g. "and" inside an ordinary word).
yisenceinje_In = "'#;#and#exec#insert#select#delete#update#count#chr#mid#master#truncate#char#declare"
yisenceinje_Inf = Split(yisenceinje_In, "#")
' Inspect every request source that can carry client-controlled data:
' POST body, query string and cookies. An empty collection is skipped.
If Request.Form <> "" Then
    Call StopInjection(Request.Form)
End If
If Request.QueryString <> "" Then
    Call StopInjection(Request.QueryString)
End If
If Request.Cookies <> "" Then
    Call StopInjection(Request.Cookies)
End If
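' Rejects the request if any value in the supplied collection (Request.Form,
' Request.QueryString or Request.Cookies) contains a term from the global
' yisenceinje_Inf blacklist. Matching is a case-insensitive substring test, so a
' value such as "Andrew" (contains "and") is rejected as well.
' On a hit the rejection page is written and the response ended; the function
' does not return to the caller in that case.
' Everything echoed back (submitted value, URL, client IP) is passed through
' Server.HTMLEncode so the rejection page itself cannot reflect markup.
Function StopInjection(values)
    Dim key, idx, term, lowered
    For Each key In values
        ' Lower-case once per value rather than once per blacklist term.
        lowered = LCase(values(key))
        For idx = 0 To UBound(yisenceinje_Inf)
            term = yisenceinje_Inf(idx)
            ' Instr(s, "") returns 1, so an empty term (e.g. from a trailing "#"
            ' in the list) would reject every request; skip it.
            If Len(term) > 0 Then
                If Instr(lowered, term) <> 0 Then
                    Response.Write "<Script Language=JavaScript>alert('防注入系统提示你:\n\n请不要在参数中包含非法字符。');</Script>"
                    Response.Write "非法操作!系统已经给你做了如下记录:<br>"
                    Response.Write "操作IP:" & Server.HTMLEncode(Request.ServerVariables("REMOTE_ADDR")) & "<br>"
                    Response.Write "操作时间:" & Now & "<br>"
                    Response.Write "操作页面:" & Server.HTMLEncode(Request.ServerVariables("URL")) & "<br>"
                    Response.Write "提交数据:" & Server.HTMLEncode(values(key))
                    Response.End
                End If
            End If
        Next
    Next
End Function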
%>
asp.net
/// <summary>
/// Application-level request hook: runs the request-inspection filter before
/// any page handler executes, so query string, form and cookie values are
/// screened first.
/// </summary>
/// <param name="sender">The application raising the event.</param>
/// <param name="e">Event data (unused).</param>
protected void Application_BeginRequest(object sender, EventArgs e)
{
    // Delegates to the filter; a flagged request is ended there and never
    // reaches its handler.
    this.StartProcessRequest();
}
#region SQL注入式攻击代码分析
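/// <summary>
/// Screens the current request (query string, form fields and cookies) against
/// the keyword blacklist in <see cref="ProcessSqlStr"/>. If any value is
/// flagged, the client is redirected to <c>/default.aspx</c> and the response is
/// ended so the page handler never runs.
/// </summary>
/// <remarks>
/// The filter fails closed: if the request cannot be inspected (an exception
/// while reading the collections), it is treated as flagged rather than silently
/// let through to the handler uninspected.
/// Cookies are inspected by index (so duplicate names are all seen) and via
/// <see cref="System.Web.HttpCookie.Value"/>; <c>__VIEWSTATE</c> is skipped as
/// before. The keyword test is a coarse heuristic, not a replacement for
/// parameterized queries.
/// </remarks>
private void StartProcessRequest()
{
    const string sqlErrorPage = "/default.aspx"; // landing page for rejected requests
    System.Web.HttpRequest request = System.Web.HttpContext.Current.Request;
    bool flagged;
    try
    {
        flagged = ContainsBlacklistedValue(request.QueryString, null)
               || ContainsBlacklistedValue(request.Form, "__VIEWSTATE")
               || ContainsBlacklistedCookie(request.Cookies);
    }
    catch (System.Exception)
    {
        // Inspection failed (e.g. the request could not be parsed): reject it
        // rather than let an uninspected request reach the handler.
        flagged = true;
    }

    if (flagged)
    {
        // Redirect(url) is Redirect(url, true) and ends the response itself, so no
        // separate Response.End() is needed. Kept outside the try block so the
        // ThreadAbortException it raises is not caught above.
        System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
    }
}

/// <summary>
/// Returns <c>true</c> if any value in <paramref name="values"/> fails
/// <see cref="ProcessSqlStr"/>. A <c>null</c> collection is treated as empty.
/// </summary>
/// <param name="values">Query string or form collection to inspect.</param>
/// <param name="skipKey">Key whose value is left uninspected (e.g. "__VIEWSTATE"), or <c>null</c>.</param>
private bool ContainsBlacklistedValue(System.Collections.Specialized.NameValueCollection values, string skipKey)
{
    if (values == null)
    {
        return false;
    }
    for (int i = 0; i < values.Count; i++)
    {
        if (skipKey != null && values.GetKey(i) == skipKey)
        {
            continue;
        }
        // Get(i) yields the comma-joined values for the i-th key, the same text
        // the string indexer returns.
        if (!ProcessSqlStr(values.Get(i)))
        {
            return true;
        }
    }
    return false;
}

/// <summary>
/// Returns <c>true</c> if any cookie value fails <see cref="ProcessSqlStr"/>.
/// Cookies are read by index so duplicate names are all inspected, and the
/// <see cref="System.Web.HttpCookie.Value"/> property is checked — calling
/// <c>ToString()</c> on an <c>HttpCookie</c> is not documented to return its value.
/// </summary>
/// <param name="cookies">The request cookie collection; <c>null</c> is treated as empty.</param>
private bool ContainsBlacklistedCookie(System.Web.HttpCookieCollection cookies)
{
    if (cookies == null)
    {
        return false;
    }
    for (int i = 0; i < cookies.Count; i++)
    {
        System.Web.HttpCookie cookie = cookies[i];
        // A missing Value is inspected as "" rather than rejected outright.
        if (cookie != null && !ProcessSqlStr(cookie.Value ?? string.Empty))
        {
            return true;
        }
    }
    return false;
}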
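/// <summary>
/// Checks one submitted value against a fixed keyword blacklist.
/// </summary>
/// <param name="Str">The value to inspect (a query string, form or cookie value).</param>
/// <returns>
/// <c>true</c> when the value is clean (including empty or whitespace-only values);
/// <c>false</c> when it contains a blacklisted term or is <c>null</c>.
/// </returns>
/// <remarks>
/// Matching is an ordinal, case-insensitive substring search. Ordinal comparison
/// is deliberate: culture-sensitive lower-casing and <c>IndexOf(string)</c>
/// change meaning with the thread culture (the Turkish "I" casing is the classic
/// case), which is unacceptable for a security check.
/// Most terms carry a trailing space ("and ", "select "), so "brand new" is
/// rejected while "Andrew" is not — this is a coarse heuristic with both false
/// positives and gaps; parameterized queries remain the real protection.
/// A <c>null</c> value is rejected to keep the fail-closed contract callers rely on.
/// </remarks>
private bool ProcessSqlStr(string Str)
{
    if (Str == null)
    {
        return false;
    }
    if (Str.Trim().Length == 0)
    {
        return true;
    }
    string SqlStr = "and |exec |insert |select |delete |update |count |* |chr |mid |master |truncate |char |declare";
    string[] anySqlStr = SqlStr.Split('|');
    foreach (string term in anySqlStr)
    {
        if (Str.IndexOf(term, System.StringComparison.OrdinalIgnoreCase) >= 0)
        {
            return false;
        }
    }
    return true;
}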
#endregion
php
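<?php
/**
 * Keyword-blacklist filter for a single request value.
 *
 * Returns $str unchanged when it contains none of the blacklisted terms. Array
 * values (e.g. ?a[]=1) are filtered element by element. On a hit it writes a
 * rejection page — the offending value, client IP and script name are
 * HTML-escaped so the page cannot reflect markup — and terminates via exit().
 *
 * Notes for maintainers:
 *  - Matching is a case-insensitive substring test (stripos), consistent with
 *    the ASP / ASP.NET variants above.
 *  - The result must be compared with `!== false`: a term found at offset 0
 *    returns 0, and 0 == false in PHP, so `!= false` would miss it.
 *  - Terms such as "or", "by", "*" and "'" match inside ordinary words
 *    ("word", "baby", "O'Brien"), so legitimate input is rejected; this is a
 *    coarse heuristic and not a substitute for prepared statements.
 *
 * @param string|array $str the raw request value
 * @return string|array the same value, when it passed the filter
 */
function dowith_sql($str)
{
    if (is_array($str)) {
        return array_map('dowith_sql', $str);
    }
    $refuse_str = "and|or|select|update|from|where|order|by|*|delete|'|insert|into|values|create|table|database";
    $refuse_terms = explode("|", $refuse_str);
    foreach ($refuse_terms as $term) {
        if (stripos($str, $term) !== false) {
            echo "<Script Language=JavaScript>alert('防注入系统提示你:请不要在参数中包含非法字符。');</Script>";
            echo "非法操作!系统已经给你做了如下记录:<br>";
            echo "操作IP:" . htmlspecialchars($_SERVER["REMOTE_ADDR"], ENT_QUOTES, 'UTF-8') . "<br>";
            echo "操作时间:" . $_SERVER["REQUEST_TIME"] . "<br>";
            echo "操作页面:" . htmlspecialchars($_SERVER["SCRIPT_NAME"], ENT_QUOTES, 'UTF-8') . "<br>";
            echo "提交数据:" . htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
            exit();
        }
    }
    return $str;
}

// Screen every GET and POST value before the page uses it.
// (Cookies are not inspected here, unlike the ASP and ASP.NET variants.)
foreach ($_GET as $key => $value) {
    $_GET[$key] = dowith_sql($value);
}
foreach ($_POST as $key => $value) {
    $_POST[$key] = dowith_sql($value);
}
?>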