几种过滤URL和FORM中非法字符的方法

时间: 2023-07-09 admin 互联网


ASP

过滤URL和FORM中非法字符

第一种:

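<%
' Request pre-filter: reject the request when the query string or a form
' field contains one of a fixed set of tokens, then stop page processing.
'
' This is a keyword blacklist and only a best-effort extra layer: it also
' rejects legitimate input (any query string containing "/" or the
' substring "and"), the form check below is case-sensitive and covers
' fewer tokens than the query-string check, and nothing is actually written
' to a log even though the message tells the user it was. The real defense
' against SQL injection is to pass user input to the database only through
' parameterized queries (ADODB.Command with Parameters).
Dim url, ip, urlTokens, formTokens, i_request

url = LCase(Request.QueryString())          ' whole raw query string, lowercased
ip  = Request.ServerVariables("REMOTE_ADDR")

' Tokens that reject the query string (matched against the lowercased URL).
urlTokens  = Array("%", "'", ";", "where", "select", "chr", "/", "and")
' Tokens that reject a form field (matched as-is, no lowercasing).
formTokens = Array("'", ";")

' Returns True when any element of tokens occurs in s.
' InStr with the default (binary) compare is case-sensitive.
Function ContainsAny(s, tokens)
    Dim k
    ContainsAny = False
    For k = 0 To UBound(tokens)
        If InStr(s, tokens(k)) <> 0 Then
            ContainsAny = True
            Exit Function
        End If
    Next
End Function

' --- query string ---
If ContainsAny(url, urlTokens) Then
    Response.Write "你尝试使用危险字符,系统已经对此做了记录如下<Br>您的IP: " & ip & "<br>操作时间: " & Date() & ""
    Response.End()
End If

' --- form fields (Request.Form is indexed from 1) ---
For i_request = 1 To Request.Form.Count
    If ContainsAny(Request.Form(i_request), formTokens) Then
        Response.Write "<script language='javascript'>history.back(); alert('你尝试使用危险字符,系统已经对此做了记录如下您的IP: " & ip & " 操作时间: " & Date() & "');</script>"
        Response.End()
    End If
Next
%>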

 

第二种:

 

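<%
' Request pre-filter: redirect to an error page when any POST or GET value
' contains one of the tokens in SQL_injdata.
'
' The original wrapped this in On Error Resume Next, which made the filter
' fail open: a runtime error inside the loop silently skipped the check.
' It is deliberately not used here. This is still a keyword blacklist and
' only a best-effort extra layer: InStr with the default compare is
' case-sensitive, and a substring match also rejects legitimate values
' (with the list below, any value containing "ox"). Rely on parameterized
' queries for the actual SQL injection defense.
Dim SQL_injdata, SQL_inj

' Rejected tokens, separated by "|". Add your own here. A fuller example list:
' "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
' NOTE(review): the entry "ox" looks like a typo for the hex prefix "0x" - confirm.
SQL_injdata = "'|ox"
SQL_inj = Split(SQL_injdata, "|")

' Checks every value in coll (Request.Form or Request.QueryString) against
' SQL_inj and aborts the request on the first match.
Sub RejectIfMatch(coll)
    Dim key, n
    For Each key In coll
        For n = 0 To UBound(SQL_inj)
            If InStr(coll(key), SQL_inj(n)) > 0 Then
                Response.Redirect "ss"   ' error page shown on a hit
                Response.End
            End If
        Next
    Next
End Sub

' POST values
If Request.Form <> "" Then RejectIfMatch Request.Form
' GET values
If Request.QueryString <> "" Then RejectIfMatch Request.QueryString
%>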

第三种:

 

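' Strips a fixed set of characters from str and returns the result.
'
' Returns "" for an empty string (the original returned Empty, which
' compares equal to "") and for Null (the original returned Null).
' Note this silently alters data: legitimate values containing "+", "-",
' "(" or "&" (e-mail addresses, phone numbers, names) are mangled.
' Removing characters is not a substitute for parameterized SQL and
' HTML encoding (Server.HTMLEncode) at the point of use.
Function checkstr(str)
    Dim tempstr, codes, k
    checkstr = ""
    If IsNull(str) Then Exit Function
    If str = "" Then Exit Function
    ' ASCII codes of the characters removed:  " ' < > % & ( ) ; + - [ ] { }
    codes = Array(34, 39, 60, 62, 37, 38, 40, 41, 59, 43, 45, 91, 93, 123, 125)
    tempstr = str
    For k = 0 To UBound(codes)
        tempstr = Replace(tempstr, Chr(codes(k)), "")
    Next
    checkstr = tempstr
End Function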

第四种:

 

' ================================================
' 函数名:IsValidStr
' 作 用:判断字符串中是否含有非法字符
' 参 数:str ----原字符串
' 返回值:False,True -----布尔值
' ================================================
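' Returns True when str contains none of the tokens in ForbidStr, and
' False when str is Null, blank, or contains a forbidden token.
'
' str ---- the string to test (ByVal; any non-string value raises a
'          type error now that On Error Resume Next is gone - with it,
'          an error inside the check made the function return True,
'          i.e. the filter failed open).
' Matching is case-insensitive (InStr compare mode vbTextCompare) and by
' substring, so "and" also rejects words such as "band", and Chr(32)
' rejects any value containing a space. Like any blacklist this is a
' best-effort layer, not a SQL injection defense; use parameterized
' queries for that.
Public Function IsValidStr(ByVal str)
    Dim ForbidStr, i
    IsValidStr = False
    If IsNull(str) Then Exit Function
    If Trim(str) = Empty Then Exit Function
    ' Forbidden tokens, "|"-separated: keywords, punctuation, comma,
    ' space, double quote, single quote and tab.
    ForbidStr = "and|chr|:|=|%|&|$|#|@|+|-|*|/|<|>|;|,|^|" & Chr(32) & "|" & Chr(34) & "|" & Chr(39) & "|" & Chr(9)
    ForbidStr = Split(ForbidStr, "|")
    For i = 0 To UBound(ForbidStr)
        If InStr(1, str, ForbidStr(i), vbTextCompare) > 0 Then Exit Function
    Next
    IsValidStr = True
End Function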

 

ASP.NET

 

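/**
 * Best-effort check that a request parameter contains none of a fixed set of
 * tokens. Returns {@code true} when the value is clean and {@code false}
 * (after printing a message) when it contains {@code '}, {@code ;},
 * {@code 1=1}, {@code |}, {@code <} or {@code >}.
 *
 * <p>This is a keyword blacklist and cannot be relied on as an injection
 * defense: bind user input with {@code PreparedStatement} parameters for SQL
 * and encode output for HTML at the point of use. A {@code null} parameter
 * is treated as clean (there is nothing to check); the original dereferenced
 * it and threw {@code NullPointerException}.
 *
 * @param para the parameter value to test; may be {@code null}
 * @return {@code true} if no forbidden token occurs in {@code para}
 */
public boolean checkParameter(String para) {
    if (para == null) {
        return true;
    }
    // Tokens whose presence rejects the value, kept in one place.
    final String[] forbidden = {"'", ";", "1=1", "|", "<", ">"};
    for (String token : forbidden) {
        if (para.contains(token)) {
            System.out.println("提交了非法字符!!!");
            return false;
        }
    }
    return true;
}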