asp对于sql注入和xss的过滤函数
[ 2011-01-27 13:43:26 | 作者: admin ]
'*********************************************
'检查SQL字符串,并进行过滤
'*********************************************
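function ChkSql(mysql)
    ' Blacklist-style mangling of a value before it is concatenated into a
    ' SQL string.
    '   mysql   - the raw value (typically a Request item); may be Null/Empty
    '   returns - "" for Null/Empty/"", the value untouched when IsNumeric()
    '             accepts it, otherwise the trimmed value with the listed
    '             keywords broken up by an inserted space
    ' NOTE(review): a keyword blacklist does not prevent SQL injection, it
    ' only breaks the exact spellings listed below. Callers should bind
    ' values with parameterised queries (ADODB.Command parameters) and treat
    ' this function as defence in depth only. This file carries two copies
    ' of ChkSql - keep their rule lists identical.
    if isnull(mysql) or isempty(mysql) or mysql="" then
        mysql = ""
    elseif IsNumeric(mysql) then
        ' numeric values pass through unchanged; IsNumeric also accepts
        ' forms such as "1e3" or "&H10", so this is not a strict integer check
    else
        mysql = trim(mysql)
        ' last argument 1 (vbTextCompare) makes every rule case-insensitive;
        ' the replacement text is inserted as written (always lower case)
        mysql = replace(mysql,"'","‘",1,-1,1)
        mysql = replace(mysql,"exec","e xec",1,-1,1)
        'mysql = replace(mysql,";",";",1,-1,1) ' disabled upstream: the original note says it replaced unintended input
        mysql = replace(mysql,"declare","d eclare",1,-1,1)
        ' As printed on the page the "(", ")" and "%" rules replace a
        ' character with itself (no-op); the original file may use a
        ' different replacement character - verify before relying on them.
        mysql = replace(mysql,"(","(",1,-1,1)
        mysql = replace(mysql,")",")",1,-1,1)
        mysql = replace(mysql,"--","- -",1,-1,1)
        mysql = replace(mysql,"%","%",1,-1,1)
        ' FIX: the original matched "del", which turned benign words such as
        ' "model" into "mod elete"; match the whole keyword instead.
        mysql = replace(mysql,"delete","d elete",1,-1,1)
        mysql = replace(mysql,"update","u pdate",1,-1,1)
        mysql = replace(mysql,"insert","i nsert",1,-1,1)
        mysql = replace(mysql,"select","s elect",1,-1,1)
        mysql = replace(mysql,"dbo.","d bo.",1,-1,1)
        ' "chr." is kept as written; the trailing dot looks like a typo
        ' (it never matches "chr(") - confirm the intended pattern
        mysql = replace(mysql,"chr.","c hr",1,-1,1)
        ' FIX: the original pattern was "union." (trailing dot), so
        ' "union select" was never touched; match the keyword itself.
        mysql = replace(mysql,"union","u nion",1,-1,1)
        mysql = replace(mysql,"script","s cript",1,-1,1)
        mysql = replace(mysql,"iframe","i frame",1,-1,1)
    end if
    chksql = mysql
end function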
'*************************************
'防XSS注入函数 更新于2009-04-21 by evio
'与ChkSql()相比, ChkXss更加安全
'*************************************
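Function ChkXss(byVal ChkStr)
    ' Encodes a value for inclusion in an HTML body and strips a few
    ' script-related keywords.
    '   ChkStr  - raw input; Null is allowed
    '   returns - "" for Null, otherwise the encoded and filtered string
    ' Order matters: "&" is encoded first so that the entities produced by
    ' the later rules are not re-encoded.
    ' NOTE(review): the keyword removal at the end deletes substrings from
    ' benign words ("description" -> "deion"); the entity encoding is the
    ' reliable part of this function. Values placed in URLs, JavaScript or
    ' CSS need context-specific encoding, which this does not provide.
    ' This file carries two copies of ChkXss - keep them identical.
    Dim Str
    Str = ChkStr
    If IsNull(Str) Then
        ' FIX: the original assigned to an undeclared "CheckStr", so Null
        ' input returned Empty instead of "" (and fails under Option Explicit).
        ChkXss = ""
        Exit Function
    End If
    ' HTML entity encoding. As printed on the page each of these rules
    ' (except the apostrophe) replaced a character with itself, i.e. did
    ' nothing; the entity form is what an HTML-output filter needs -
    ' confirm against the original file.
    Str = Replace(Str, "&", "&amp;")
    Str = Replace(Str, "'", "´")
    Str = Replace(Str, """", "&quot;")
    Str = Replace(Str, "<", "&lt;")
    Str = Replace(Str, ">", "&gt;")
    Str = Replace(Str, "/", "&#47;")
    Str = Replace(Str, "*", "&#42;")
    Str = Replace(Str, "(", "&#40;")
    Str = Replace(Str, ")", "&#41;")
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Global = True
    ' SQL keyword rules. As printed on the page each one replaces the
    ' keyword with itself (no-op); kept verbatim - either give them a real
    ' replacement in the original file or remove them.
    re.Pattern = "(w)(here)"
    Str = re.Replace(Str, "$1here")
    re.Pattern = "(s)(elect)"
    Str = re.Replace(Str, "$1elect")
    re.Pattern = "(i)(nsert)"
    Str = re.Replace(Str, "$1nsert")
    re.Pattern = "(c)(reate)"
    Str = re.Replace(Str, "$1reate")
    re.Pattern = "(d)(rop)"
    Str = re.Replace(Str, "$1rop")
    re.Pattern = "(a)(lter)"
    Str = re.Replace(Str, "$1lter")
    re.Pattern = "(d)(elete)"
    Str = re.Replace(Str, "$1elete")
    re.Pattern = "(u)(pdate)"
    Str = re.Replace(Str, "$1pdate")
    re.Pattern = "(\s)(or)"
    Str = re.Replace(Str, "$1or")
    ' FIX: the original then ran Pattern "(\n)" with replacement "$1or",
    ' which appended "or" after every newline in the input; dropped.
    '----------------------------------
    ' script-language keyword rules (same no-op shape as above, kept verbatim)
    re.Pattern = "(java)(script)"
    Str = re.Replace(Str, "$1script")
    re.Pattern = "(j)(script)"
    Str = re.Replace(Str, "$1script")
    re.Pattern = "(vb)(script)"
    Str = re.Replace(Str, "$1script")
    '----------------------------------
    ' CSS expression() guard; Instr and Replace with compare 0 are case-sensitive here
    If Instr(Str, "expression") > 0 Then
        Str = Replace(Str, "expression", "e­xpression", 1, -1, 0)
    End If
    Set re = Nothing
    ' keyword removal (case-insensitive); see the NOTE above about collateral damage
    Str = replace(Str,"script","",1,-1,1)
    Str = replace(Str,"iframe","",1,-1,1)
    Str = replace(Str,"confirm","",1,-1,1)
    Str = replace(Str,"alert","",1,-1,1)
    ChkXss = Str
End Function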
'检查SQL字符串,并进行过滤
'*********************************************
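function ChkSql(mysql)
    ' Blacklist-style mangling of a value before it is concatenated into a
    ' SQL string.
    '   mysql   - the raw value (typically a Request item); may be Null/Empty
    '   returns - "" for Null/Empty/"", the value untouched when IsNumeric()
    '             accepts it, otherwise the trimmed value with the listed
    '             keywords broken up by an inserted space
    ' NOTE(review): a keyword blacklist does not prevent SQL injection, it
    ' only breaks the exact spellings listed below. Callers should bind
    ' values with parameterised queries (ADODB.Command parameters) and treat
    ' this function as defence in depth only. This file carries two copies
    ' of ChkSql - keep their rule lists identical.
    if isnull(mysql) or isempty(mysql) or mysql="" then
        mysql = ""
    elseif IsNumeric(mysql) then
        ' numeric values pass through unchanged; IsNumeric also accepts
        ' forms such as "1e3" or "&H10", so this is not a strict integer check
    else
        mysql = trim(mysql)
        ' last argument 1 (vbTextCompare) makes every rule case-insensitive;
        ' the replacement text is inserted as written (always lower case)
        mysql = replace(mysql,"'","‘",1,-1,1)
        mysql = replace(mysql,"exec","e xec",1,-1,1)
        'mysql = replace(mysql,";",";",1,-1,1) ' disabled upstream: the original note says it replaced unintended input
        mysql = replace(mysql,"declare","d eclare",1,-1,1)
        ' As printed on the page the "(", ")" and "%" rules replace a
        ' character with itself (no-op); the original file may use a
        ' different replacement character - verify before relying on them.
        mysql = replace(mysql,"(","(",1,-1,1)
        mysql = replace(mysql,")",")",1,-1,1)
        mysql = replace(mysql,"--","- -",1,-1,1)
        mysql = replace(mysql,"%","%",1,-1,1)
        ' FIX: the original matched "del", which turned benign words such as
        ' "model" into "mod elete"; match the whole keyword instead.
        mysql = replace(mysql,"delete","d elete",1,-1,1)
        mysql = replace(mysql,"update","u pdate",1,-1,1)
        mysql = replace(mysql,"insert","i nsert",1,-1,1)
        mysql = replace(mysql,"select","s elect",1,-1,1)
        mysql = replace(mysql,"dbo.","d bo.",1,-1,1)
        ' "chr." is kept as written; the trailing dot looks like a typo
        ' (it never matches "chr(") - confirm the intended pattern
        mysql = replace(mysql,"chr.","c hr",1,-1,1)
        ' FIX: the original pattern was "union." (trailing dot), so
        ' "union select" was never touched; match the keyword itself.
        mysql = replace(mysql,"union","u nion",1,-1,1)
        mysql = replace(mysql,"script","s cript",1,-1,1)
        mysql = replace(mysql,"iframe","i frame",1,-1,1)
    end if
    chksql = mysql
end function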
'*************************************
'防XSS注入函数 更新于2009-04-21 by evio
'与ChkSql()相比, ChkXss更加安全
'*************************************
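Function ChkXss(byVal ChkStr)
    ' Encodes a value for inclusion in an HTML body and strips a few
    ' script-related keywords.
    '   ChkStr  - raw input; Null is allowed
    '   returns - "" for Null, otherwise the encoded and filtered string
    ' Order matters: "&" is encoded first so that the entities produced by
    ' the later rules are not re-encoded.
    ' NOTE(review): the keyword removal at the end deletes substrings from
    ' benign words ("description" -> "deion"); the entity encoding is the
    ' reliable part of this function. Values placed in URLs, JavaScript or
    ' CSS need context-specific encoding, which this does not provide.
    ' This file carries two copies of ChkXss - keep them identical.
    Dim Str
    Str = ChkStr
    If IsNull(Str) Then
        ' FIX: the original assigned to an undeclared "CheckStr", so Null
        ' input returned Empty instead of "" (and fails under Option Explicit).
        ChkXss = ""
        Exit Function
    End If
    ' HTML entity encoding. As printed on the page each of these rules
    ' (except the apostrophe) replaced a character with itself, i.e. did
    ' nothing; the entity form is what an HTML-output filter needs -
    ' confirm against the original file.
    Str = Replace(Str, "&", "&amp;")
    Str = Replace(Str, "'", "´")
    Str = Replace(Str, """", "&quot;")
    Str = Replace(Str, "<", "&lt;")
    Str = Replace(Str, ">", "&gt;")
    Str = Replace(Str, "/", "&#47;")
    Str = Replace(Str, "*", "&#42;")
    Str = Replace(Str, "(", "&#40;")
    Str = Replace(Str, ")", "&#41;")
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Global = True
    ' SQL keyword rules. As printed on the page each one replaces the
    ' keyword with itself (no-op); kept verbatim - either give them a real
    ' replacement in the original file or remove them.
    re.Pattern = "(w)(here)"
    Str = re.Replace(Str, "$1here")
    re.Pattern = "(s)(elect)"
    Str = re.Replace(Str, "$1elect")
    re.Pattern = "(i)(nsert)"
    Str = re.Replace(Str, "$1nsert")
    re.Pattern = "(c)(reate)"
    Str = re.Replace(Str, "$1reate")
    re.Pattern = "(d)(rop)"
    Str = re.Replace(Str, "$1rop")
    re.Pattern = "(a)(lter)"
    Str = re.Replace(Str, "$1lter")
    re.Pattern = "(d)(elete)"
    Str = re.Replace(Str, "$1elete")
    re.Pattern = "(u)(pdate)"
    Str = re.Replace(Str, "$1pdate")
    re.Pattern = "(\s)(or)"
    Str = re.Replace(Str, "$1or")
    ' FIX: the original then ran Pattern "(\n)" with replacement "$1or",
    ' which appended "or" after every newline in the input; dropped.
    '----------------------------------
    ' script-language keyword rules (same no-op shape as above, kept verbatim)
    re.Pattern = "(java)(script)"
    Str = re.Replace(Str, "$1script")
    re.Pattern = "(j)(script)"
    Str = re.Replace(Str, "$1script")
    re.Pattern = "(vb)(script)"
    Str = re.Replace(Str, "$1script")
    '----------------------------------
    ' CSS expression() guard; Instr and Replace with compare 0 are case-sensitive here
    If Instr(Str, "expression") > 0 Then
        Str = Replace(Str, "expression", "e­xpression", 1, -1, 0)
    End If
    Set re = Nothing
    ' keyword removal (case-insensitive); see the NOTE above about collateral damage
    Str = replace(Str,"script","",1,-1,1)
    Str = replace(Str,"iframe","",1,-1,1)
    Str = replace(Str,"confirm","",1,-1,1)
    Str = replace(Str,"alert","",1,-1,1)
    ChkXss = Str
End Function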
[最后修改由 admin, 于 2018-10-31 15:51:09]
