當前位置：首頁 > 编程资源 > 编程问答 >内容正文

编程问答

ASP之防止外部数据提交的脚本

發布時間：2025/3/21 编程问答 17 豆豆

生活随笔收集整理的這篇文章主要介紹了 ASP之防止外部数据提交的脚本小編覺得挺不錯的,現在分享給大家,幫大家做個參考.

提交時可能會有人修改Script從本地提交，這樣存在安全提交的問題，所以應該要求從服務器斷路徑提交，其他地址提交無效：??

<%?
????????????server_v1=Cstr(Request.ServerVariables("HTTP_REFERER"))?
????????????server_v2=Cstr(Request.ServerVariables("SERVER_NAME"))?
????????????if?mid(server_v1,8,len(server_v2))<>server_v2?then?
????????????response.write?"<br><br><center><table?border=1?cellpadding=20?bordercolor=black?
????????????bgcolor=#EEEEEE?width=450>"?
????????????response.write?"<tr><td?style=“font:9pt?Verdana“>"?
????????????response.write?"你提交的路徑有誤，禁止從站點外部提交數據請不要亂該參數！"?
????????????response.write?"</td></tr></table></center>"?
????????????response.end?
????????????end?if?
%>

請看下面的一個函數

<%
Function isSelfRefer()
Dim sHttp_Referer, sServer_Name
sHttp_Referer = CStr(Request.ServerVariables("HTTP_REFERER"))
sServer_Name = CStr(Request.ServerVariables("SERVER_NAME"))
If Mid(sHttp_Referer, 8, Len(sServer_Name)) = sServer_Name Then
IsSelfRefer = True
Else
IsSelfRefer = False
End If
End Function

if isSelfRefer() then
response.write "ok"
else
response.write "no"
end if

%>

把以上代碼放到aa.asp,如果是直接輸入網址或者是從外部網部鏈接到本站,http://doamain/aa.asp 就會顯示NO,

如果系從本站鏈接到aa.asp,或通過表單提交到aa.asp,將會顯示ok

可以防止一些偽造表單向站內提交數據

防止從外部提交數據的方法
第一種做法，屏蔽特殊字符和關鍵字
fqys=request.servervariables("query_string")
dim nothis(18)
nothis(0)="net user"
nothis(1)="xp_cmdshell"
nothis(2)="/add"
nothis(3)="exec%20master.dbo.xp_cmdshell"
nothis(4)="net localgroup administrators"
nothis(5)="select"
nothis(6)="count"
nothis(7)="asc"
nothis(8)="char"
nothis(9)="mid"
nothis(10)="'"
nothis(11)=":"
nothis(12)=""""
nothis(13)="insert"
nothis(14)="delete"
nothis(15)="drop"
nothis(16)="truncate"
nothis(17)="from"
nothis(18)="%"
errc=false
for i= 0 to ubound(nothis)
if instr(FQYs,nothis(i))<>0 then
errc=true
end if
next
if errc then
response.write "<script language=""javascript"">"
response.write "parent.alert('很抱歉!你正在試圖攻擊本服務器或者想取得本服務器最高管理權!將直接轉向首頁..');"
response.write "self.location.href='default.asp';"
response.write "</script>"
response.end
end if

第二種可以防止客戶從本地提交到網站上
<%
server_v1=Cstr(Request.ServerVariables("HTTP_REFERER"))
server_v2=Cstr(Request.ServerVariables("SERVER_NAME"))
if mid(server_v1,8,len(server_v2))<>server_v2 then
response.write "<br><br><center><table border=1 cellpadding=20 bordercolor=black bgcolor=#EEEEEE width=450>"
response.write "<tr><td style=font:9pt Verdana>"
response.write "你提交的路徑有誤，禁止從站點外部提交數據請不要亂該參數！"
response.write "</td></tr></table></center>"
response.end
end if
%>

第三。這樣可以防止在輸入框上打上or 1=1 的字樣
If Instr(request("username"),"=")>0 or
Instr(request("username"),"%")>0 or
Instr(request("username"),chr(32))>0 or
Instr(request("username"),"?")>0 or
Instr(request("username"),"&")>0 or
Instr(request("username"),";")>0 or
Instr(request("username"),",")>0 or
Instr(request("username"),"'")>0 or
Instr(request("username"),"?")>0 or
Instr(request("username"),chr(34))>0 or
Instr(request("username"),chr(9))>0 or
Instr(request("username"),"　")>0 or
Instr(request("username"),"$")>0 or
Instr(request("username"),">")>0 or
Instr(request("username"),"<")>0 or
Instr(request("username"),"""")>0 then

第一種做法，屏蔽特殊字符和關鍵字

fqys=request.servervariables("query_string")

dim nothis(18)

nothis(0)="net user"

nothis(1)="xp_cmdshell"

nothis(2)="/add"

nothis(3)="exec%20master.dbo.xp_cmdshell"

nothis(4)="net localgroup administrators"

nothis(5)="select"

nothis(6)="count"

nothis(7)="asc"

nothis(8)="char"

nothis(9)="mid"

nothis(10)="'"

nothis(11)=":"

nothis(12)=""""

nothis(13)="insert"

nothis(14)="delete"

nothis(15)="drop"

nothis(16)="truncate"

nothis(17)="from"

nothis(18)="%"

errc=false

for i= 0 to ubound(nothis)

if instr(FQYs,nothis(i))<>0 then

errc=true

end if

if errc then

response.write " <script></script> "

response.end

end if

第二種可以防止客戶從本地提交到網站上

第三。這樣可以防止在輸入框上打上or 1=1 的字樣

If Instr(request("username"),"=")>0 or

Instr(request("username"),"%")>0 or

Instr(request("username"),chr(32))>0 or

Instr(request("username"),"?")>0 or

Instr(request("username"),"&")>0 or

Instr(request("username"),";")>0 or

Instr(request("username"),",")>0 or

Instr(request("username"),"'")>0 or

Instr(request("username"),"?")>0 or

Instr(request("username"),chr(34))>0 or

Instr(request("username"),chr(9))>0 or

Instr(request("username"),"　")>0 or

Instr(request("username"),"$")>0 or

Instr(request("username"),">")>0 or

Instr(request("username"),"<")>0 or

Instr(request("username"),"""")>0 then

<%
Function isSelfRefer()
Dim sHttp_Referer, sServer_Name
sHttp_Referer = CStr(Request.ServerVariables("HTTP_REFERER"))
sServer_Name = CStr(Request.ServerVariables("SERVER_NAME"))
If Mid(sHttp_Referer, 8, Len(sServer_Name)) = sServer_Name Then
IsSelfRefer = True
Else
IsSelfRefer = False
End If
End Function

if isSelfRefer() then
response.write "ok"
else
response.write "no"
end if

%>

把以上代碼放到aa.asp,如果是直接輸入網址或者是從外部網部鏈接到本站,http://doamain/aa.asp 就會顯示NO,

如果系從本站鏈接到aa.asp,或通過表單提交到aa.asp,將會顯示ok

可以防止一些偽造表單向站內提交數據

總結

以上是生活随笔為你收集整理的ASP之防止外部数据提交的脚本的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。

上一篇： JS特效 -- 网页图片飞起来
下一篇： asp批量生成html静态页面方法