Filtering submitted parameters in ASP

Source: Baidu Zhidao  Editor: UC Zhidao  Time: 2024/06/08 02:26:00
I am a beginner with ASP.
The injection vulnerability in my file is fatal, everyone take a look:

id1 = Request("id")   ' the submitted value is taken as-is, with no type check
if Request("id")="" then
response.Write("请输入要查看的的ID")
Else
sql="select * from xy_news where id = "+id1   ' string concatenation: this is the injection point
rs.Open sql,conn,1,3
if rs.EOF then
response.redirect "/"
else

In id1 = Request("id"), how do I define the type of id1?
If I just write, in front of it,
dim id1 as Integer
dim id as Integer
will that work?
I am a newbie, please explain in detail.

I answered the previous question; answering it again here:
<%
Function SafeReplace(ParaName)
'--- input parameter ---
'ParaName: parameter name - string type
Dim Paravalue
Paravalue=LCase(Trim(ParaName))

' keyword blacklist: each SQL keyword is stripped from the lower-cased value
Paravalue=Replace(Paravalue,"select","")
Paravalue=Replace(Paravalue,"insert","")
Paravalue=Replace(Paravalue,"update","")   ' was misspelled "updata", which would never have matched
Paravalue=Replace(Paravalue,"addnew","")
Paravalue=Replace(Paravalue,"delete","")
Paravalue=Replace(Paravalue,"order","")
Paravalue=Replace(Paravalue,"and","")
Paravalue=Replace(Paravalue,"or","")
Paravalue=Replace(Paravalue,"exec","")
Paravalue=Replace(Paravalue,"--","")
Paravalue=Replace(Paravalue,"-","")
Paravalue=Replace(Pa
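An added example (my own code, not from the question or the answer above) of the approach a defender would take instead of keyword stripping: VBScript has no typed `Dim` (`Dim id1 As Integer` is a syntax error in ASP), so the value is checked to be a plain integer with a helper I call `IsPlainInteger`, converted with `CLng`, and passed to the query as a bound parameter through `ADODB.Command`, so it can never be parsed as SQL. It assumes `conn` is an already-open `ADODB.Connection` and reuses the `xy_news`/`id` names from the question.

```vbscript
<%
' Added example: validate the id as a whole number and query with a bound parameter.
' Assumes conn is an already-open ADODB.Connection (as in the question).
Option Explicit

' Returns True only for a string of 1..9 decimal digits. IsNumeric alone is not
' enough: it also accepts forms such as "1e3", "1.5" and "&H1F".
Function IsPlainInteger(s)
    Dim i
    IsPlainInteger = False
    If Len(s) = 0 Or Len(s) > 9 Then Exit Function
    For i = 1 To Len(s)
        If Mid(s, i, 1) < "0" Or Mid(s, i, 1) > "9" Then Exit Function
    Next
    IsPlainInteger = True
End Function

Dim idText, id, cmd, rs
' Read the query string explicitly rather than Request("id"), which also searches form and cookies.
idText = Trim(Request.QueryString("id"))

If Not IsPlainInteger(idText) Then
    Response.Write "请输入要查看的ID"
    Response.End
End If
id = CLng(idText)   ' VBScript variables are Variants; CLng gives a Long subtype

' The ? placeholder is bound by the provider, so the value is never part of the SQL text.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT * FROM xy_news WHERE id = ?"
cmd.CommandType = 1                                          ' adCmdText
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , id)  ' adInteger, adParamInput

Set rs = cmd.Execute
If rs.EOF Then
    Response.Redirect "/"
Else
    ' render the record here; HTMLEncode any field written back to the page
End If
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```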