请问如何过滤 'or'='or' 漏洞？（即在登录框里输入 `'or'='or'`，拼接进 SQL 后变成 `where admin=''or''='or''`，条件恒为真，从而绕过登录的 SQL 注入。）
怎么样过滤一些特定的字符？如 `=`、`"`、`'`。（注：逐个过滤字符只是权宜之计，根本原因是把用户输入直接拼进 SQL 字符串；用参数化查询（ADODB.Command 加 `?` 占位符）才能从根上解决。）
麻烦说详细点
------解决方案-------------------- <%
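' cs: whitelist check for a request parameter before it is used in a query.
'   s - the value to check (coerced to a string; Null/Empty becomes "")
'   n - expected shape: 0 = string (non-empty, no ' or "),
'                       1 = integer (digits only),
'                       2 = ID list (positive integers separated by commas,
'                           optional whitespace after each comma)
' Returns True when the value matches the chosen shape, False otherwise.
'
' NOTE(review): this is an input-sanity check, not an SQL escaping routine.
' Mode 0 only rejects the two quote characters, so it must be paired with a
' parameterised query (ADODB.Command) rather than string-built SQL.
Function cs(s, n)
    Dim re, pattern

    Select Case n
        Case 0
            ' "" inside a VBScript literal is one double-quote character,
            ' so the class is [^'"]: anything except the two quote characters.
            pattern = "^[^'""]+$"
        Case 1
            pattern = "^\d+$"
        Case Else
            ' at least one non-zero digit per item, so "0" and "" are rejected
            pattern = "^\d*[1-9]\d*(,\s*\d*[1-9]\d*)*$"
    End Select

    Set re = New RegExp
    re.Pattern = pattern
    ' s & "" turns Null/Empty into "", which every pattern rejects,
    ' instead of raising a type-mismatch inside Test.
    cs = re.Test(s & "")
    Set re = Nothing
End Function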
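' Login handler: validate the two form fields, then look the account up with a
' parameterised query so the submitted values can never change the SQL text.
admin = Request.Form("admin")
password = Request.Form("password")

' Both fields must be non-empty and free of quote characters (cs mode 0).
' The original checked the password with mode 2 (a comma-separated list of
' positive integers), which rejects any password containing a letter; mode 0
' is the string check that matches what a password field holds.
If cs(admin, 0) And cs(password, 0) Then
    ' The SQL text is fixed and the user-supplied values travel as typed
    ' parameters, so input such as 'or'='or' cannot alter the WHERE clause.
    ' 200 = adVarChar, 1 = adParamInput (ADO constants written out because
    ' adovbs.inc is not necessarily included on this page).
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "select * from admin where admin = ? and password = ?"
    cmd.Parameters.Append cmd.CreateParameter("admin", 200, 1, Len(admin), admin)
    cmd.Parameters.Append cmd.CreateParameter("password", 200, 1, Len(password), password)
    Set rs = cmd.Execute

    ' NOTE(review): the password is compared exactly as stored; if the admin
    ' table keeps plaintext passwords, hashing them is the next fix. The table
    ' schema is not visible here, so this is left as a note.
    If rs.EOF Or rs.BOF Then
        rs.Close
        Set rs = Nothing
        Set cmd = Nothing
        Response.Write "<script language=javascript>"
        Response.Write "alert('用户或密码不对!');"
        Response.Write "history.go(-1);"
        Response.Write "</script>"
    Else
        rs.Close
        Set rs = Nothing
        Set cmd = Nothing
        Session("admin") = admin
        ' Redirect ends the response, so the objects are released above first.
        Response.Redirect "admin_manage.asp"
    End If
Else
    Response.Write "参数不合法(不允许为空)..."
End If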
%>