<% '==========以下是安全代码========== Dim GetFlag Rem(提交方式) Dim ErrorSql Rem(非法字符) Dim RequestKey Rem(提交数据) Dim ForI Rem(循环标记) ErrorSql = "'~;~and~(~)~exec~update~count~*~%~<~>~chr~mid~master~truncate~char~declare" Rem(每个敏感字符或者词语请使用半角 "~" 格开) ErrorSql = Split(ErrorSql, "~") If Request.ServerVariables("REQUEST_METHOD") = "GET" Then GetFlag = True Else GetFlag = False End If If GetFlag Then For Each RequestKey In Request.QueryString For ForI = 0 To UBound(ErrorSql) If InStr(LCase(Request.QueryString(RequestKey)), ErrorSql(ForI))<>0 Then call infoback("非法操作！") End If Next Next Else For Each RequestKey In Request.Form For ForI = 0 To UBound(ErrorSql) If InStr(LCase(Request.Form(RequestKey)), ErrorSql(ForI))<>0 Then call infoback("非法操作！") End If Next Next End If Sql_in = "and |or |on |in |select |insert |update |delete |exec |declare |'" Sql = Split(Sql_in, "|") If Request.QueryString<>"" Then For Each Sql_Get In Request.QueryString For Sql_Data = 0 To UBound(Sql) If InStr(LCase(Request.QueryString(Sql_Get)), Sql(Sql_Data))<>0 Then call infoback("非法操作！") End If Next Next End If If Request.Form<>"" Then For Each Sql_Post In Request.Form For Sql_Data = 0 To UBound(Sql) If InStr(LCase(Request.Form(Sql_Post)), Sql(Sql_Data))<>0 Then call infoback("非法操作！") End If Next Next End If %>