从网上下了个编辑器,调用提交内容后提示非法注入怎么办?
从网上下了个编辑器,调用提交内容后提示非法注入怎么办?
防注入内容如下:
<%
'自定义需要过滤的字串,用 "-" 分隔
Fy_In = "'-;-and-exec-insert-select-delete-update-count-*-%-chr-mid-master-truncate-char-declare"
'----------------------------------
%>
<%
Fy_Inf = split(Fy_In,"-")
'--------POST部份------------------
If Request.Form<>"" Then
For Each Fy_Post In Request.Form
For Fy_Xh=0 To Ubound(Fy_Inf)
If Instr(LCase(Request.Form(Fy_Post)),Fy_Inf(Fy_Xh))<>0 Then
。。。。。。。省略
%>
提交页面:
<link rel="stylesheet" href="../editor/themes/default/default.css" />
<link rel="stylesheet" href="../editor/plugins/code/prettify.css" />
<script charset="utf-8" type="text/javascript" src="../editor/kindeditor.js"></script>
<script charset="utf-8" type="text/javascript" src="../editor/lang/zh_CN.js"></script>
<script charset="utf-8" type="text/javascript" src="../editor/plugins/code/prettify.js"></script>
<script type="text/javascript" src="/js/editor.js"></script>
<form action="?step=xgwzsz" name="form" method="post" onsubmit="return mysbmitwzsz();">
<textarea name="content1" id="content1" style="width:530px;height:400px;visibility:hidden;"><%=rssc("wangzfwtk")%></textarea>
<input type="submit" name="Submit" value="" class="ann">
</form>
写入数据库代码:
if request("step")="xgwzsz" then
rssc("wangzfwtk")=request.form("content1")
。。。。。。省略
------解决方案--------------------insert-select 这两个都是加到防注入过滤了,怎么可能不报错
------解决方案--------------------从编辑器里Request.Form过来的数据你还不让
;'*%这些字符出现,那还用什么编辑器?
防注入重点是防get不是form