本文转自风讯官方论坛,某个爱好风讯的朋友改良的SQL过滤注入函数,感觉很的相当不错,留下做个记号,谢谢那们朋友提供优秀防注入函数。其原理是使用正则来过滤SQL注入问题。
Function NoSqlHack(inputStr)
'通过构造常用必备SQL语句来达到较为准确的过滤而非见到select update insert 就拦截,而真正想拦截的却拦截不掉。
'为此我觉得应该把常见的必须的SQL语句针对性过滤 可防范 insert%0D%0A%0D%0Ainto%20FS_MF_Admin%20(Admin_Name, Admin_Pass_Word)
'values(0x6F006C006400630061006900,0x3800330061006100340030003000610066003400360034006300370036006400)-- 这类高级注入
'其实很简单,主要用到的正则表达有 非空白字符\S 空白字符\s +至少一个以上 *可有可无 ?碰到后面的字符串立即停止
'如:insert into FS_ME_Users(a,b,c)values(1,2,3) 或 insert into FS_ME_Users values(1,2,3)
'替换后为 insert(\s+)into(\s+)\S+([\s\S]+?)values\(([\s\S]+?)\)|
Dim regEx, HackStr
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = False
HackStr = "insert(\s+)into(\s+)\S+([\s\S]+?)values\s*\(([\s\S]+?)\)|"
HackStr = HackStr & "update(\s+\S+?\s+)set(\s+\S+?\s*)=|"
HackStr = HackStr & "delete([\s\S]+?)from(\s+\S+)|"
HackStr = HackStr & "select(\s+\S+?\s+)from(\s+\S+)|"
HackStr = HackStr & "and(\s+\S+?\s*)[=<>]|or(\s+\S+?\s*)[=<>]|"
HackStr = HackStr & "(execute|exec|eval|drop|create|backup|select)(\s*\S+)|'"
regEx.Pattern = HackStr
If regEx.test(inputStr) Then
Response.Write "<html><title>警告</title><body bgcolor=""EEEEEE"" leftmargin=""60"" topmargin=""30""><font style=""font-size:16px;font-weight:bolder;color:blue;""><li>您提交的数据有恶意字符</li></font><font style=""font-size:14px;font-weight:bolder;color:red;""><br><li>提交的内容怀疑有SQL注入!</li><li>您的数据已经被记录!</li><br><li>您的IP:" & Request.ServerVariables("Remote_Addr") & "</li><br><li>操作日期:" & Now & "</li></font></body></html>"
Response.End
'FX_inputStr=regEx.replace(FX_inputStr,"")
End If
Set regEx = Nothing
NoSqlHack = inputStr
End Function
Function NoHtmlHackInput(inputStr)
' 过滤跨站脚本和HTML标签
Dim regEx, HackStr
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
HackStr = "((<|<)(script|iframe|frame)[^>]*(>|>))|on[\w]+|(execute|eval|exec) *\(?"
regEx.Pattern = HackStr
NoHtmlHackInput = regEx.Replace(inputStr, "")
Set regEx = Nothing
End Function
订阅