Dynamic parameter passing on ASP sites has long been a significant security problem: if the parameters are not filtered they are frequently exploited by attackers. A typical injection occurs because the site was written without filtering the parameters passed in. For example, with http://www.52banmian.com/news.asp?id=5, the page uses request("id") directly to obtain ID=5, and an attacker can easily exploit this to break in.
Method one:
<%
' Filter request parameters for unsafe characters
Function SafeRequest(ParaName, ParaType)
    ' --- Input parameters ---
    ' ParaName: parameter name (string)
    ' ParaType: parameter type (1 = the parameter must be numeric, 0 = the parameter is a string)
    Dim ParaValue
    ParaValue = Request(ParaName)
    If ParaType = 1 Then
        If Not IsNumeric(ParaValue) Then
            Response.Write "Parameter " & ParaName & " must be numeric!<br /><br />"
            Response.End
        End If
    Else
        ' Double any single quote so the value cannot close a string literal
        ParaValue = Replace(ParaValue, "'", "''")
        ' Replace SQL keywords with their full-width equivalents so they are no longer
        ' valid SQL. (Editor's note: in the extracted copy of this post the replacement
        ' strings had become identical to the search strings, which would make every call
        ' below a no-op; full-width characters are assumed to be the original intent.)
        ' Caveat: Replace is case-sensitive by default (vbBinaryCompare), so mixed-case
        ' keywords pass through, and ordinary words such as "and" or "or" inside legitimate
        ' text are mangled as well.
        ParaValue = Replace(ParaValue, "select", "ｓｅｌｅｃｔ")
        ParaValue = Replace(ParaValue, "join", "ｊｏｉｎ")
        ParaValue = Replace(ParaValue, "union", "ｕｎｉｏｎ")
        ParaValue = Replace(ParaValue, "where", "ｗｈｅｒｅ")
        ParaValue = Replace(ParaValue, "insert", "ｉｎｓｅｒｔ")
        ParaValue = Replace(ParaValue, "delete", "ｄｅｌｅｔｅ")
        ParaValue = Replace(ParaValue, "update", "ｕｐｄａｔｅ")
        ParaValue = Replace(ParaValue, "like", "ｌｉｋｅ")
        ParaValue = Replace(ParaValue, "drop", "ｄｒｏｐ")
        ParaValue = Replace(ParaValue, "create", "ｃｒｅａｔｅ")
        ParaValue = Replace(ParaValue, "modify", "ｍｏｄｉｆｙ")
        ParaValue = Replace(ParaValue, "rename", "ｒｅｎａｍｅ")
        ParaValue = Replace(ParaValue, "alter", "ａｌｔｅｒ")
        ParaValue = Replace(ParaValue, "cast", "ｃａｓｔ")
        ParaValue = Replace(ParaValue, "and", "ａｎｄ")
        ParaValue = Replace(ParaValue, "or", "ｏｒ")
    End If
    SafeRequest = ParaValue
End Function
%>
Usage: when the ID parameter passed in is numeric, receive it with SafeRequest("id",1); when the ID is a string, receive it with SafeRequest("id",0). This defends against ordinary parameter injection by attackers.
Method two:
Simply filter the common injection character attackers rely on, the single quote, by doubling it: <% id = Replace(Request("id"), "'", "''") %>
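Both methods above work by rewriting the input string before it is spliced into SQL text, which is why a case variant or a word the blacklist did not anticipate can still get through. The following is an added example, written for this page and not taken from the original post, showing the same news.asp?id=5 lookup with the id validated as an integer and then bound as a typed ADO parameter, so the value is never part of the SQL text at all. The connection string strConn, the table News and its columns id and title are assumed names.

```asp
<%
' Added example (editor's, not from the original post): the news.asp?id=5 lookup
' from the introduction, with the id validated and then bound as an ADO parameter.
' Assumed names: strConn (connection string), table News with integer column id
' and text column title.
Option Explicit

Dim rawId, re, conn, cmd, rs, strConn

rawId = Request.QueryString("id")

' Validate the shape first: IsNumeric alone also accepts "1.5", "1e3" and "&H10",
' so require one to nine plain digits.
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid id"
    Response.End
End If

' Placeholder connection string; replace with the site's real one.
strConn = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=SiteDB;Integrated Security=SSPI"

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open strConn

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1                     ' adCmdText
cmd.CommandText = "SELECT id, title FROM News WHERE id = ?"
' CreateParameter(Name, Type, Direction, Size, Value): 3 = adInteger, 1 = adParamInput.
' The driver sends the value separately from the statement, so quotes or keywords in
' the input can never change the query's structure.
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, 4, CLng(rawId))

Set rs = cmd.Execute
If rs.EOF Then
    Response.Status = "404 Not Found"
    Response.Write "No such article"
Else
    ' Encode on output as well, so stored text cannot inject HTML into the page.
    Response.Write Server.HTMLEncode(rs("title"))
End If

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

The numeric literals 1, 3 and 4 stand in for the adCmdText, adInteger and adParamInput constants so the page does not depend on adovbs.inc being included. For string parameters the same pattern applies with adVarChar (200) and the column's length as Size; no keyword replacement is needed, and legitimate values containing words like "and" or "or" arrive at the database unchanged.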