网站攻击大多来源于网站数据提交过滤的问题：过滤直接提交是程序员防范攻击的重点之一；过滤用户输入并加上有效的验证码，能起到很好的保护网站安全的作用！网上下载的普通验证码已经不起作用了，写一个安全高效的验证码很重要。关于过滤的方法，每个人想法不一样，写法有较大的区别，下面是我们针对ASP程序写的一种过滤方法：
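' Coarse request-wide input filter (classic ASP / VBScript), run before any
' page logic. It rejects the request outright when a blocked substring occurs
' in the URL, the query string, the form body or selected named fields, or
' when any of the listed fields exceeds its length limit.
'
' This is a blacklist and therefore only a second line of defence: database
' access should still use parameterised commands and output should still be
' HTML-encoded, because a fixed substring list cannot enumerate every
' dangerous input.
'
' Side effects: sets strTemp, strTesl and sqlerr for later code on the page;
' on rejection it writes a message and calls Response.End, so nothing after
' this block runs.

' Raw request line as received. Request.QueryString / Request.Form with no key
' return the URL-encoded collection string, so strTemp holds ENCODED text.
strTemp = Request.ServerVariables("URL")
If Trim(Request.QueryString) <> "" Then strTemp = strTemp & "?" & Trim(Request.QueryString)
If Trim(Request.Form) <> "" Then strTemp = strTemp & "?" & Trim(Request.Form)
sqlerr = "NO"
strTesl = strTemp   ' kept unchanged for code elsewhere on the page that reads it

' Decoded values of the fields that were always scanned by name. Request(name)
' also searches cookies, so these stay in the scan for compatibility.
strTemp = strTemp & Request("id") & Request("xid") & Request("aa") & Request("bb") & Request("cc") & Request("dd") & Request("ff") & Request("ee") & Request("jj")

' The keyword scan must also see DECODED values: in the raw collection strings
' a space arrives as "+" or "%20" and quotes as %27 / %22, so multi-word
' patterns (e.g. "drop table") and quote characters were previously only
' caught inside the nine named fields above. strScan is a separate variable so
' strTemp keeps its original content for any later code that uses it.
Dim strScan, strKey
strScan = strTemp
For Each strKey In Request.QueryString
    strScan = strScan & " " & Request.QueryString(strKey)
Next
For Each strKey In Request.Form
    strScan = strScan & " " & Request.Form(strKey)
Next

If ContainsBlocked(strScan) Then
    response.write "对不起,您输入的内容可能包含非法字符。<br>系统仅允许输入中英文、数字及常用字符(如+、-、*、/、=、.等)。<br>禁止特殊符号(含'号)及select、insert、iframe等命令词符。<br>为了系统和您的安全,请返回重新输入。谢谢。"
    response.end
End If

If AnyFieldTooLong() Then
    response.write "对不起,您输入部分内容过长,请缩减长度,请返回重新输入。谢谢。"
    response.end
End If

' ContainsBlocked: True when any entry of the blocked-substring list occurs in
' strText. The comparison uses vbTextCompare (case-insensitive) because SQL
' keywords and HTML tag / attribute names are case-insensitive; the default
' binary InStr used before did not match "SELECT", "Script", etc.
Function ContainsBlocked(strText)
    Dim arrBlocked, strNeedle
    ' Same list as the original check, in the original order. Note that the
    ' double-quote entry is written as "" inside a VBScript string literal.
    arrBlocked = Array("select", "insert", "delete from", "count(", "drop table", "update", "truncate", "asc(", "mid(", "char(", "xp_cmdshell", "exec master", "net localgroup administrators", " : ", "net user", "'", """", " or ", "script", "textarea", "iframe", "alert", "onmouseover")
    ContainsBlocked = False
    For Each strNeedle In arrBlocked
        If InStr(1, strText, strNeedle, vbTextCompare) > 0 Then
            ContainsBlocked = True
            Exit Function
        End If
    Next
End Function

' AnyFieldTooLong: True when any listed field exceeds its limit (100 characters
' for the short fields, 1000 for the two free-text fields). Len(Empty) is 0, so
' a field absent from the request never trips the check.
Function AnyFieldTooLong()
    Dim arrShort, arrLong, strName
    arrShort = Array("id", "gid", "sele", "sele2", "search", "text", "fl", "zpname", "cxjx", "beex", "ze", "tel", "add", "mail", "lsdz", "doc", "jl", "xb", "xezx", "xl", "besj", "lename", "lemail", "qh_ez", "ad_name", "ad_pas", "lyname", "lygss", "fax", "eb", "bt", "em", "new", "oth1", "oth2", "oth3")
    arrLong = Array("nr", "lenr")
    AnyFieldTooLong = False
    For Each strName In arrShort
        If Len(Request(strName)) > 100 Then
            AnyFieldTooLong = True
            Exit Function
        End If
    Next
    For Each strName In arrLong
        If Len(Request(strName)) > 1000 Then
            AnyFieldTooLong = True
            Exit Function
        End If
    Next
End Function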
php防注入可以用正则和系统函数addslashes、mysql_real_escape_string等，结合使用，能起到很好的防范效果！