
请问如何防御 'or'='or' 这类 SQL 注入（登录绕过）漏洞？
怎样过滤一些特定的字符？如 "=" 、" ' "
麻烦说详细点

------解决方案--------------------
<%

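Function cs(s, n)
    ' Whitelist check applied to request values before they reach SQL.
    '   n = 0 : string field  -> non-empty, no single quote and no double quote
    '   n = 1 : numeric field -> one or more ASCII digits
    '   n = 2 : ID list       -> comma-separated positive integers, optional
    '                            whitespace after each comma
    ' Returns Boolean: True when s matches the whitelist for mode n.
    ' A Null s is rejected (RegExp.Test would otherwise raise).
    '
    ' Fix: the literals in the posted listing had a space inserted around every
    ' quote by the forum renderer (e.g. "^[^ ' " "]+$ "). That breaks the ""
    ' escape inside the VBScript string and leaves a blank after the $ anchor,
    ' so the pattern could never match. Restored to the evidently intended
    ' patterns.
    '
    ' Caveat: mode 0 only blocks the two quote characters. That is enough to
    ' stop 'or'='or' inside a quoted SQL literal, but it is not a substitute
    ' for parameterized queries -- numeric contexts and anything the driver or
    ' database does to the bytes after this check (e.g. implicit Unicode->ANSI
    ' narrowing) are outside what this regex sees. Treat it as defense in depth.
    Dim r, p

    If IsNull(s) Then
        cs = False
        Exit Function
    End If

    Select Case n
        Case 0
            p = "^[^'""]+$"
        Case 1
            p = "^\d+$"
        Case Else
            p = "^\d*[1-9]\d*(,\s*\d*[1-9]\d*)*$"
    End Select

    Set r = New RegExp
    r.Pattern = p
    r.Global = False
    cs = r.Test(s)
    Set r = Nothing
End Function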


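' Login handler: reads the posted credentials, validates them with cs(), then
' looks the account up through a parameterized ADODB.Command instead of
' concatenating the values into the SQL text. The regex check stays as
' defense in depth; the parameters are what actually prevent injection.
'
' Fix: the posted listing had a space inserted around every quote by the forum
' renderer ("admin ", "admin_manage.asp ", "admin= ' "&admin& " ' "), so the form
' field names, the SQL literals and the redirect target all carried stray
' blanks. Restored.
'
' Relies on conn being an open ADODB.Connection created earlier in the page
' (not shown here).
admin = Request.Form("admin")
password = Request.Form("password")

' NOTE(review): the original validates password with mode 2 (comma-separated
' positive integers), so any non-numeric password is rejected as invalid.
' Mode 0 looks like what was meant for a string field -- confirm with the
' author before changing; left as posted.
If cs(admin, 0) And cs(password, 2) Then
    ' NOTE(review): the password is compared in clear text against whatever the
    ' admin table stores. Hashing it on the way in (and comparing hashes) is the
    ' next step, but depends on how the table stores it, which is not visible here.
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1                  ' adCmdText
    cmd.CommandText = "select * from admin where admin = ? and password = ?"
    ' 200 = adVarChar, 1 = adParamInput -- numeric so adovbs.inc is not needed.
    ' cs() already guarantees both values are non-empty, so Len() is > 0.
    cmd.Parameters.Append cmd.CreateParameter("admin", 200, 1, Len(admin), admin)
    cmd.Parameters.Append cmd.CreateParameter("password", 200, 1, Len(password), password)
    Set rs = cmd.Execute

    ' Read the outcome before releasing the recordset; Response.Redirect ends
    ' the script, so cleanup has to happen before the branch below.
    found = Not (rs.EOF Or rs.BOF)
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing

    If found Then
        Session("admin") = admin
        Response.Redirect "admin_manage.asp"
    Else
        Response.Write "<script language=javascript>"
        Response.Write "alert('用户或密码不对!');"
        Response.Write "javascript:history.go(-1);"
        Response.Write "</script>"
    End If
Else
    Response.Write "参数不合法(不允许为空)..."
End If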
%>