程序体(1)
另外,值得我们注意的是,很多站点在用户注册,或者是用户资料修改的页面上也缺少脚本的过滤,或者是只在其中之一进行过滤,注册进入后修改资料仍然可以进行脚本攻击。对用户提交的数据进行检测和过滤,程序体(2) 如下:
‘以下是过滤函数
If Instr(request("username"),"=")>0 or
Instr(request("username"),"%")>0 or
Instr(request("username"),chr(32))>0 or
Instr(request("username"),"?")>0 or
Instr(request("username"),"&")>0 or
Instr(request("username"),";")>0 or
Instr(request("username"),",")>0 or
Instr(request("username"),"'")>0 or
Instr(request("username"),"?")>0 or
Instr(request("username"),chr(34))>0 or
Instr(request("username"),chr(9))>0 or
Instr(request("username"),"?K")>0 or
Instr(request("username"),"$")>0 or
Instr(request("username"),">")>0 or
Instr(request("username"),"<")>0 or
Instr(request("username"),"""")>0 then
response.write "朋友,你的提交用户名含有非法字符,请更改,谢谢合作 <a href='****:window.history.go(-1);'>返回</a>"
response.end
end if
程序体(2)
为了提供工作效率我们再将过滤内容程序化,这样对多个参数的过滤效率将有很大程度上的提高:如
程序体(3)
‘以下为程序主体
dim Bword(18)
Bword(0)="?"
Bword(1)=";"
Bword(2)=">"
Bword(3)="<"
Bword(4)="-"
Bword(5)="’"
Bword(6)="””"
Bword(7)="&"
Bword(8)="%"
Bword(9)="$"
Bword(10)="'"
Bword(11)=":"
Bword(12)=" "
Bword(13)="("
Bword(14)=")"
Bword(15)="--"
Bword(16)=" chr(9)"
Bword(17)=" chr(34)"
Bword(18)=" chr(32)"
errc=false
‘以下是应用实例部分
for i= 0 to ubound(Bword)
if instr(FQYs,Bword(i))<>0 then
errc=true
end if
next
if errc then
response.write "<script language=""****"">"
response.write "parent.alert('很抱歉!您的操作违法了);"
response.write "history,back();"
response.write "</script>"
response.end
end if
……