asp过滤非法字符[智睿软件

智睿软件_技术交流论坛 → 综合站长 → Web程序开发 → asp过滤非法字符

共有22431人关注过本帖树形打印主题：asp过滤非法字符

zhirui

小大 1楼 个性首页 | 信息 | 搜索 | 邮箱 | 主页 | UC

加好友

发短信

等级：管理员帖子：520 积分：8740 威望：0 精华：5 注册：2009-07-07

asp过滤非法字符 发帖心情

Post By：2013-07-27 21:43:54

<%
function strleach(str)'过滤非法字符函数
dim strg
if str="" then exit function
strg=replace(str,chr(34),"")' "
strg=replace(strg,chr(39),"")' '
strg=replace(strg,chr(60),"")' <
strg=replace(strg,chr(62),"")' >
strg=replace(strg,chr(37),"")' %
strg=replace(strg,chr(38),"")' &
strg=replace(strg,chr(40),"")' (
strg=replace(strg,chr(41),"")' )
strg=replace(strg,chr(59),"")' ;
strg=replace(strg,chr(43),"")' +
strg=replace(strg,chr(45),"")' -
strg=replace(strg,chr(91),"")' [
strg=replace(strg,chr(93),"")' ]
strg=replace(strg,chr(123),"")' {
strg=replace(strg,chr(125),"")' }
strleach=strg
end function
Public Function DecodeFilter(html, filter)
              html=LCase(html)
              filter=split(filter,",")
              For Each i In filter
                     Select Case i
                            Case "SCRIPT"              ' 去除所有客户端脚本javascipt,vbscript,jscript,js,vbs,event,...
                                   html = exeRE("(javascript|jscript|vbscript|vbs):", "#", html)
                                   html = exeRE("</?script[^>]*>", "", html)
                                   html = exeRE("on(mouse|exit|error|click|key)", "", html)
                            Case "TABLE":              ' 去除表格<table><tr><td><th>
                                   html = exeRE("</?table[^>]*>", "", html)
                                   html = exeRE("</?tr[^>]*>", "", html)
                                   html = exeRE("</?th[^>]*>", "", html)
                                   html = exeRE("</?td[^>]*>", "", html)
                                   html = exeRE("</?tbody[^>]*>", "", html)
                            Case "CLASS"              ' 去除样式类class=""
                                   html = exeRE("(<[^>]+) class=[^ |^>]*([^>]*>)", "$1 $2", html)
                            Case "STYLE"              ' 去除样式style=""
                                   html = exeRE("(<[^>]+) style=""[^""]*""([^>]*>)", "$1 $2", html)
                                   html = exeRE("(<[^>]+) style='[^']*'([^>]*>)", "$1 $2", html)
                            Case "IMG"              ' 去除样式style=""
                                   html = exeRE("</?img[^>]*>", "", html)
                            Case "XML"              ' 去除XML<?xml>
                                   html = exeRE("<[^>]*>", "", html)
                            Case "NAMESPACE"       ' 去除命名空间<o></o>
                                   html = exeRE("<\/?[a-z]+:[^>]*>", "", html)
                            Case "FONT"              ' 去除字体<font></font>
                                   html = exeRE("</?font[^>]*>", "", html)
                                   html = exeRE("</?a[^>]*>", "", html)
                                   html = exeRE("</?span[^>]*>", "", html)
                                   html = exeRE("</?br[^>]*>", "", html)
                            Case "MARQUEE"              ' 去除字幕<marquee></marquee>
                                   html = exeRE("</?marquee[^>]*>", "", html)
                            Case "OBJECT"              ' 去除对象<object><param><embed></object>
                                   html = exeRE("</?object[^>]*>", "", html)
                                   html = exeRE("</?param[^>]*>", "", html)
                                   'html = exeRE("</?embed[^>]*>", "", html)
                            Case "EMBED"
                               html = exeRE("</?embed[^>]*>", "", html)
                            Case "DIV"              ' 去除对象<object><param><embed></object>
                                   html = exeRE("</?div([^>])*>", "$1", html)
                                   html = exeRE("</?p([^>])*>", "$1", html)
                            Case "ONLOAD"              ' 去除样式style=""
                                   html = exeRE("(<[^>]+) "]*""([^>]*>)", "$1 $2", html)
                                   html = exeRE("(<[^>]+) ]*'([^>]*>)", "$1 $2", html)
                            Case "ONCLICK"              ' 去除样式style=""
                                   html = exeRE("(<[^>]+) "]*""([^>]*>)", "$1 $2", html)
                                   html = exeRE("(<[^>]+) ]*'([^>]*>)", "$1 $2", html)
                            Case "ONDBCLICK"              ' 去除样式style=""
                                   html = exeRE("(<[^>]+) "]*""([^>]*>)", "$1 $2", html)
                                   html = exeRE("(<[^>]+) ]*'([^>]*>)", "$1 $2", html)

                     End Select
              Next
              'html = Replace(html,"<table","<")
              'html = Replace(html,"<tr","<")
              'html = Replace(html,"<td","<")
              DecodeFilter = html
       End Function

网络投票评选管理系统，投票评选的合作伙伴支持(0) 中立(0) 反对(0)

zhirui

小大 2楼 个性首页 | 信息 | 搜索 | 邮箱 | 主页 | UC

加好友

发短信

等级：管理员帖子：520 积分：8740 威望：0 精华：5 注册：2009-07-07

Post By：2013-07-27 21:44:01

'==========================
'过滤提交表单中的SQL
'==========================
function ForSqlForm()
dim fqys,errc,i,items
dim nothis(18)
nothis(0)="net user"

nothis(1)="xp_cmdshell"

nothis(2)="/add"

nothis(3)="exec%20master.dbo.xp_cmdshell"

nothis(4)="net localgroup administrators"

nothis(5)="select"

nothis(6)="count"

nothis(7)="asc"

nothis(8)="char"

nothis(9)="mid"

nothis(10)="'"

nothis(11)=":"

nothis(12)=""""

nothis(13)="insert"

nothis(14)="delete"

nothis(15)="drop"

nothis(16)="truncate"

nothis(17)="from"

nothis(18)="%"

'nothis(19)="@"

errc=false

for i= 0 to ubound(nothis)
for each items in request.Form
if instr(request.Form(items),nothis(i))<>0 then
   response.write("<div>")
   response.write("你所填写的信息:" & server.HTMLEncode(request.Form(items)) & "<br>含非法字符:" & nothis(i))
   response.write("</div>")
   response.write("对不起,你所填写的信息含非法字符！<a href=""#"" ">返回</a>")
   response.End()
end if
next
next
end function
'==========================
'过滤查询中的SQL
'==========================
function ForSqlInjection()
dim fqys,errc,i
dim nothis(19)
fqys = request.ServerVariables("QUERY_STRING")
nothis(0)="net user"

nothis(1)="xp_cmdshell"

nothis(2)="/add"

nothis(3)="exec%20master.dbo.xp_cmdshell"

nothis(4)="net localgroup administrators"

nothis(5)="select"

nothis(6)="count"

nothis(7)="asc"

nothis(8)="char"

nothis(9)="mid"

nothis(10)="'"

nothis(11)=":"

nothis(12)=""""

nothis(13)="insert"

nothis(14)="delete"

nothis(15)="drop"

nothis(16)="truncate"

nothis(17)="from"

nothis(18)="%"

nothis(19)="@"

errc=false

for i= 0 to ubound(nothis)

if instr(FQYs,nothis(i))<>0 then

errc=true

end if

if errc then
response.write "查询信息含非法字符！<a href=""#"" ">返回</a>"
response.end

end if

end function

网络投票评选管理系统，投票评选的合作伙伴支持(0) 中立(0) 反对(0)

下一主题 >> << 上一主题

主题：asp过滤非法字符