第三步: 根据数据库JS注入的特性(会包括 <script、</script> 和 http:// 这样的字符),在conn.asp里面放入如下代码:
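' Returns True when a single request value matches the "external JS
' injection" pattern described on this page: it contains "<script" or
' "</script>" AND "http://". Comparison is case-insensitive.
' This is a substring blacklist, so it only catches that exact pattern
' (e.g. "https://" is not covered); it does not replace parameterised
' queries or output encoding.
Function Cheack_Sqljs_HasPayload(rawValue)
    Dim v
    v = LCase(CStr(rawValue))
    Cheack_Sqljs_HasPayload = False
    If InStr(v, "<script") <> 0 Or InStr(v, "</script>") <> 0 Then
        If InStr(v, "http://") <> 0 Then
            Cheack_Sqljs_HasPayload = True
        End If
    End If
End Function

' Guard against externally linked JS being injected via the database.
' Returns True when any Form field or QueryString parameter of the current
' request matches Cheack_Sqljs_HasPayload, False otherwise.
' Fix: the original QueryString loop read Request.Form(F_Get) instead of
' Request.QueryString(F_Get), so query-string values were never inspected.
Function Cheack_Sqljs()
    Dim F_Post
    Dim F_Get
    Cheack_Sqljs = False
    ' Posted form fields.
    If Request.Form <> "" Then
        For Each F_Post In Request.Form
            If Cheack_Sqljs_HasPayload(Request.Form(F_Post)) Then
                Cheack_Sqljs = True
                Exit For
            End If
        Next
    End If
    ' Query-string parameters (now read from the correct collection).
    If Not Cheack_Sqljs And Request.QueryString <> "" Then
        For Each F_Get In Request.QueryString
            If Cheack_Sqljs_HasPayload(Request.QueryString(F_Get)) Then
                Cheack_Sqljs = True
                Exit For
            End If
        Next
    End If
End Function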
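' Check where the submitted data came from.
' Returns True when the request does not appear to originate from a page on
' this server (missing, unparseable, or off-site HTTP_REFERER); returns
' False when the Referer's host equals SERVER_NAME.
' NOTE(review): the Referer header is supplied by the client and may be
' absent or arbitrary, so this is only a weak, defence-in-depth origin check.
' Fixes versus the original:
'   - The original compared Mid(referer, 8, Len(serverName)), which only
'     works for "http://"; "https://" referers from this site were always
'     reported as external. Both schemes are now handled.
'   - The original matched only a prefix of the host, so any host that
'     merely started with SERVER_NAME was accepted; the host is now cut at
'     the first "/", ":", "?" or "#" and compared in full.
' Hostnames are case-insensitive, so both sides are lower-cased first.
Function CheckDataFrom()
    Dim referer, serverName, hostPart, delims, i, cutPos
    CheckDataFrom = True
    referer = LCase(CStr(Request.ServerVariables("HTTP_REFERER")))
    serverName = LCase(CStr(Request.ServerVariables("SERVER_NAME")))
    If referer = "" Or serverName = "" Then Exit Function
    ' Strip the scheme; anything other than http/https is treated as external.
    If Left(referer, 8) = "https://" Then
        hostPart = Mid(referer, 9)
    ElseIf Left(referer, 7) = "http://" Then
        hostPart = Mid(referer, 8)
    Else
        Exit Function
    End If
    ' Reduce to the bare host (drops port, path, query and fragment).
    ' NOTE(review): a bracketed IPv6 literal host would be cut at ":"; confirm
    ' whether SERVER_NAME can ever be an IPv6 literal in this deployment.
    delims = Array("/", ":", "?", "#")
    For i = 0 To UBound(delims)
        cutPos = InStr(hostPart, delims(i))
        If cutPos > 0 Then hostPart = Left(hostPart, cutPos - 1)
    Next
    If hostPart = serverName Then
        CheckDataFrom = False
    End If
End Function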
' Reject the request when either guard fires: the injection-pattern check
' (Cheack_Sqljs) or the off-site origin check (CheckDataFrom).
' Both functions are evaluated unconditionally, as in the original
' expression (VBScript's Or does not short-circuit).
Dim blockRequest
blockRequest = Cheack_Sqljs()
blockRequest = blockRequest Or CheckDataFrom()
If blockRequest Then
    ' Emit the same client-side alert as before and stop processing the page.
    Response.Write "<Script Language=JavaScript>alert('禁止执行,非法操作。');</Script>"
    Response.End
End If