智睿软件_技术交流论坛综合站长Web程序开发 → asp过滤非法字符


  共有20557人关注过本帖树形打印

主题:asp过滤非法字符
帅哥哟,离线,有人找我吗?
zhirui
   1楼 个性首页 | 信息 | 搜索 | 邮箱 | 主页 | UC


加好友 发短信
等级:管理员 帖子:520 积分:8740 威望:0 精华:5 注册:2009-07-07 		asp过滤非法字符  发帖心情 Post By:2013-07-27 21:43:54

<%
function strleach(str)'过滤非法字符函数
dim strg
if str="" then exit function
strg=replace(str,chr(34),"")' "
strg=replace(strg,chr(39),"")' '
strg=replace(strg,chr(60),"")' <
strg=replace(strg,chr(62),"")' >
strg=replace(strg,chr(37),"")' %
strg=replace(strg,chr(38),"")' &
strg=replace(strg,chr(40),"")' (
strg=replace(strg,chr(41),"")' )
strg=replace(strg,chr(59),"")' ;
strg=replace(strg,chr(43),"")' +
strg=replace(strg,chr(45),"")' -
strg=replace(strg,chr(91),"")' [
strg=replace(strg,chr(93),"")' ]
strg=replace(strg,chr(123),"")' {
strg=replace(strg,chr(125),"")' }
strleach=strg
end function
Public Function DecodeFilter(html, filter)
              html=LCase(html)
              filter=split(filter,",")
              For Each i In filter
                     Select Case i
                            Case "SCRIPT"              ' 去除所有客户端脚本javascipt,vbscript,jscript,js,vbs,event,...
                                   html = exeRE("(javascript|jscript|vbscript|vbs):", "#", html)
                                   html = exeRE("</?script[^>]*>", "", html)
                                   html = exeRE("on(mouse|exit|error|click|key)", "", html)
                            Case "TABLE":              ' 去除表格<table><tr><td><th>
                                   html = exeRE("</?table[^>]*>", "", html)
                                   html = exeRE("</?tr[^>]*>", "", html)
                                   html = exeRE("</?th[^>]*>", "", html)
                                   html = exeRE("</?td[^>]*>", "", html)
                                   html = exeRE("</?tbody[^>]*>", "", html)
                            Case "CLASS"              ' 去除样式类class=""
                                   html = exeRE("(<[^>]+) class=[^ |^>]*([^>]*>)", "$1 $2", html)
                            Case "STYLE"              ' 去除样式style=""
                                   html = exeRE("(<[^>]+) style=""[^""]*""([^>]*>)", "$1 $2", html)
                                   html = exeRE("(<[^>]+) style='[^']*'([^>]*>)", "$1 $2", html)
                            Case "IMG"              ' 去除样式style=""
                                   html = exeRE("</?img[^>]*>", "", html)
                            Case "XML"              ' 去除XML<?xml>
                                   html = exeRE("<[^>]*>", "", html)
                            Case "NAMESPACE"       ' 去除命名空间<o></o>
                                   html = exeRE("<\/?[a-z]+:[^>]*>", "", html)
                            Case "FONT"              ' 去除字体<font></font>
                                   html = exeRE("</?font[^>]*>", "", html)
                                   html = exeRE("</?a[^>]*>", "", html)
                                   html = exeRE("</?span[^>]*>", "", html)
                                   html = exeRE("</?br[^>]*>", "", html)
                            Case "MARQUEE"              ' 去除字幕<marquee></marquee>
                                   html = exeRE("</?marquee[^>]*>", "", html)
                            Case "OBJECT"              ' 去除对象<object><param><embed></object>
                                   html = exeRE("</?object[^>]*>", "", html)
                                   html = exeRE("</?param[^>]*>", "", html)
                                   'html = exeRE("</?embed[^>]*>", "", html)
                            Case "EMBED"
                               html = exeRE("</?embed[^>]*>", "", html)
                            Case "DIV"              ' 去除对象<object><param><embed></object>
                                   html = exeRE("</?div([^>])*>", "$1", html)
                                   html = exeRE("</?p([^>])*>", "$1", html)
                            Case "ONLOAD"              ' 去除样式style=""
                                   html = exeRE("(<[^>]+) "]*""([^>]*>)", "$1 $2", html)
                                   html = exeRE("(<[^>]+) ]*'([^>]*>)", "$1 $2", html)
                            Case "ONCLICK"              ' 去除样式style=""
                                   html = exeRE("(<[^>]+) "]*""([^>]*>)", "$1 $2", html)
                                   html = exeRE("(<[^>]+) ]*'([^>]*>)", "$1 $2", html)
                            Case "ONDBCLICK"              ' 去除样式style=""
                                   html = exeRE("(<[^>]+) "]*""([^>]*>)", "$1 $2", html)
                                   html = exeRE("(<[^>]+) ]*'([^>]*>)", "$1 $2", html)
                                  
                     End Select
              Next
              'html = Replace(html,"<table","<")
              'html = Replace(html,"<tr","<")
              'html = Replace(html,"<td","<")
              DecodeFilter = html
       End Function
支持(0中立(0反对(0回到顶部
帅哥哟,离线,有人找我吗?
zhirui
   2楼 个性首页 | 信息 | 搜索 | 邮箱 | 主页 | UC


加好友 发短信
等级:管理员 帖子:520 积分:8740 威望:0 精华:5 注册:2009-07-07 		  发帖心情 Post By:2013-07-27 21:44:01

'==========================
'过滤提交表单中的SQL
'==========================
function ForSqlForm()
dim fqys,errc,i,items
dim nothis(18)
nothis(0)="net user"

nothis(1)="xp_cmdshell"

nothis(2)="/add"

nothis(3)="exec%20master.dbo.xp_cmdshell"

nothis(4)="net localgroup administrators"

nothis(5)="select"

nothis(6)="count"

nothis(7)="asc"

nothis(8)="char"

nothis(9)="mid"

nothis(10)="'"

nothis(11)=":"

nothis(12)=""""

nothis(13)="insert"

nothis(14)="delete"

nothis(15)="drop"

nothis(16)="truncate"

nothis(17)="from"

nothis(18)="%"

'nothis(19)="@"

errc=false

for i= 0 to ubound(nothis)
for each items in request.Form
if instr(request.Form(items),nothis(i))<>0 then
   response.write("<div>")
   response.write("你所填写的信息:" & server.HTMLEncode(request.Form(items)) & "<br>含非法字符:" & nothis(i))
   response.write("</div>")
   response.write("对不起,你所填写的信息含非法字符!<a href=""#"" ">返回</a>")
   response.End()
end if
next
next
end function
'==========================
'过滤查询中的SQL
'==========================
function ForSqlInjection()
dim fqys,errc,i
dim nothis(19)
fqys = request.ServerVariables("QUERY_STRING")
nothis(0)="net user"

nothis(1)="xp_cmdshell"

nothis(2)="/add"

nothis(3)="exec%20master.dbo.xp_cmdshell"

nothis(4)="net localgroup administrators"

nothis(5)="select"

nothis(6)="count"

nothis(7)="asc"

nothis(8)="char"

nothis(9)="mid"

nothis(10)="'"

nothis(11)=":"

nothis(12)=""""

nothis(13)="insert"

nothis(14)="delete"

nothis(15)="drop"

nothis(16)="truncate"

nothis(17)="from"

nothis(18)="%"

nothis(19)="@"

errc=false

for i= 0 to ubound(nothis)

if instr(FQYs,nothis(i))<>0 then

errc=true

end if

next

if errc then
response.write "查询信息含非法字符!<a href=""#"" ">返回</a>"
response.end

end if

end function

%>
政府公安政府系统,专注于政府媒体,公安公众信息系统 支持(0中立(0反对(0回到顶部
RSS2.0  Xhtml无图版  Xslt无图版 Copyright © 2007 - 2013 Zhirui.Net    Powered By Dvbbs Version 8.2.0