在ASP中防止SQL注入的方法

SQL注入是一个非常危险的事情，它可能进入我们的管理界面，非法获取用户信息或重要资料，使我们蒙受损失，下面介绍一种在ASP中防范SQL注入攻击的方法：

<%
On Error Resume Next
Dim strTemp

If LCase(Request.ServerVariables("HTTPS")) = "off" Then
     strTemp = "http://"
Else
     strTemp = "https://"
End If

strTemp = strTemp & Request.ServerVariables("SERVER_NAME")

If Request.ServerVariables("SERVER_PORT") <> 80 Then strTemp = strTemp & ":" & Request.ServerVariables("SERVER_PORT")
strTemp = strTemp & Request.ServerVariables("URL")
If Trim(Request.QueryString) <> "" Then strTemp = strTemp & "?" & Trim(Request.QueryString)
strTemp = LCase(strTemp)

If Instr(strTemp,"select%20") or Instr(strTemp,"insert%20") or Instr(strTemp,"delete%20from") or Instr(strTemp,"count(") or Instr(strTemp,"drop%20table") or Instr(strTemp,"update%20") or Instr(strTemp,"truncate%20") or Instr(strTemp,"asc(") or Instr(strTemp,"mid(") or Instr(strTemp,"char(") or Instr(strTemp,"xp_cmdshell") or Instr(strTemp,"exec%20master") or Instr(strTemp,"net%20localgroup%20administrators") or Instr(strTemp,":") or Instr(strTemp,"net%20user") or Instr(strTemp,"'") or Instr(strTemp,"%20or%20") then
              Response.Write "<script language='Javascript'>"
              Response.Write "alert('地址中含有非法字符！！');"
              Response.Write "location.href='index.asp';"
              Response.Write "<script>"
End If
%>

这样，我们可以杜绝用户在地址中传递非法参数二达到SQL注入攻击的目的。

！