一个检查输入变量的过程：查看其中是否含有不应出现的内容（如 SQL 关键字、引号等）；如果有，则拒绝该请求或去掉这些内容。需要注意，这类输入过滤只是纵深防御中的一层，真正防止 SQL 注入应使用参数化查询（预编译语句）；在过滤时也应优先采用白名单校验并直接拒绝非法输入，而不是试图“去掉”坏字符——清洗式过滤很容易被绕过。
例如:
简单的:
防范sql注入:
-----------------
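<%
' Whitelist check for the "id" query-string parameter before it reaches any SQL.
' IsNumeric() is too loose for an integer key: it also accepts forms such as
' "1.5", "1e3", hex like "&HFF", currency/whitespace-padded values, etc.
' The value is therefore matched against a plain decimal-digit pattern instead.
' The request is rejected outright rather than "cleaned": rejecting avoids the
' usual sanitizer-bypass tricks. A parameterized query remains the primary
' defence against SQL injection; this check is defence in depth.
Dim strId, reId
strId = CStr(Request.QueryString("id"))

Set reId = New RegExp
' 1..10 ASCII digits only; the bounded length also keeps the value a sane
' size for an integer key (tighten the upper bound to the real key width).
reId.Pattern = "^[0-9]{1,10}$"

If Not reId.Test(strId) Then
    Response.Write("请勿输入非法字符")
    Response.End
End If
%>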
想“严格”一点，你也可以再加上下面这样的关键字黑名单——但要注意它并不比上面的白名单更安全：Instr 默认按二进制比较、区分大小写（写成 SELECT 即可绕过）；Request.QueryString 返回的值已经完成了 URL 解码，因此 "select%20" 这类带 %20 的模式基本匹配不到实际输入；而且黑名单总能被注释符、换行、其他编码等变体绕过。黑名单只能作为补充手段，不能替代白名单校验和参数化查询。
strTemp=request.querystring("id")
If Instr(strTemp,"select%20") or Instr(strTemp,"insert%20") or Instr(strTemp,"delete%20from") or Instr(strTemp,"count(") or Instr(strTemp,"drop%20table") or Instr(strTemp,"update%20") or Instr(strTemp,"truncate%20") or Instr(strTemp,"asc(") or Instr(strTemp,"mid(") or Instr(strTemp,"char(") or Instr(strTemp,"xp_cmdshell") or Instr(strTemp,"exec%20master") or Instr(strTemp,"net%20localgroup%20administrators") or Instr(strTemp,":") or Instr(strTemp,"net%20user") or Instr(strTemp,"'") or Instr(strTemp,"%20or%20") then
Response.Write "
|