您所在位置:主题:[讨论]sql防注入与文件上传功能冲突?
soeken
[专家分:0] 发布于 2009-04-26 09:02:00
数据库conn使用以下防止sql注入代码后,网站中 文件上传功能就不能使用,且点击上传时没有出错信息。如果把
防注入代码中的 POST部份 去掉,就可以上传。请问问题在哪里,如何更改。谢谢!
------------------------------------------------------------------------------------------
防止sql注入代码:
<%
'--------定义部份------------------
Dim Fy_Post,Fy_Get,Fy_cook,Fy_In,Fy_Inf,Fy_Xh,Fy_db,Fy_dbstr,aa
On Error Resume Next
Fy_In = "'|exec|insert|select|delete|update|count|chr|truncate|char|declare|--|script|*|char|set|(|)"
aa="heike.txt" '------------------------------------------如入侵记录保存文件
Fy_Inf = split(Fy_In,"|")
'1--------POST部份------------------
If Request.Form<>"" Then
For Each Fy_Post In Request.Form
For Fy_Xh=0 To Ubound(Fy_Inf)
If Instr(LCase(Request.Form(Fy_Post)),Fy_Inf(Fy_Xh))<>0 Then
flyaway1=""&Request.ServerVariables("REMOTE_ADDR")&","&Request.ServerVariables("URL")
&"+'post'+"&Fy_post&"+"&replace(Request.Form(Fy_post),"'","*")&""
set fs=server.CreateObject("Scripting.FileSystemObject")
set file=fs.OpenTextFile(server.MapPath(aa),8,True)
file.writeline flyaway1
file.close
set file=nothing
set fs=nothing
call aaa()
End If
Next
Next
End If
'2--------GET部份-------------------
If Request.QueryString<>"" Then
For Each Fy_Get In Request.QueryString
For Fy_Xh=0 To Ubound(Fy_Inf)
If Instr(LCase(Request.QueryString(Fy_Get)),Fy_Inf(Fy_Xh))<>0 Then
flyaway2=""&Request.ServerVariables("REMOTE_ADDR")&","&Request.ServerVariables("URL")
&"+'get'+"&Fy_get&"+"&replace(Request.QueryString(Fy_get),"'","*")&""
set fs=server.CreateObject("Scripting.FileSystemObject")
set file=fs.OpenTextFile(server.MapPath(aa),8,True)
file.writeline flyaway2
file.close
set file=nothing
set fs=nothing
call aaa()
End If
Next
Next
End If
'3--------cookies部份-------------------
If Request.Cookies<>"" Then
For Each Fy_cook In Request.Cookies
For Fy_Xh=0 To Ubound(Fy_Inf)
If Instr(LCase(Request.Cookies(Fy_cook)),Fy_Inf(Fy_Xh))<>0 Then
flyaway3=""&Request.ServerVariables("REMOTE_ADDR")&","&Request.ServerVariables("URL")
&"+'cook'+"&Fy_cook&"+"&replace(Request.Cookies(Fy_cook),"'","*")&""
set fs=server.CreateObject("Scripting.FileSystemObject")
set file=fs.OpenTextFile(server.MapPath(aa),8,True)
file.writeline flyaway3
file.close
set file=nothing
set fs=nothing
call aaa()
End If
Next
Next
End If
Sub aaa()
Response.Write "<Script Language=JavaScript>alert('请不要在信息中包含* %等非法字符!');location.href
= 'javascript:history.back()';</Script>"
Response.Write "
<hr>"
Response.End
end Sub
-------------------------------------------------------------------------------------
文件上传功能上传代码:
sub down()
if Request.QueryString("submit")="down" then
uploadpath="uploadFile/softdown/"
uploadsize="2048"
uploadtype="zip/rar/cab/doc"
Set Uprequest=new UpLoadClass
Uprequest.SavePath=uploadpath
Uprequest.MaxSize=uploadsize*1024
Uprequest.FileType=uploadtype
AutoSave=true
Uprequest.open
if Uprequest.form("file_Err") <>0 then
select case Uprequest.form("file_Err")
case 1:str=" <div style=""padding-top:5px;padding-bottom:5px;""> <font color=blue>上传不成功!文件超过"&uploadsize&"k [ <a href='javascript:history.go(-1)'>重新上传 </a>] </font> </div>"
case 2:str=" <div style=""padding-top:5px;padding-bottom:5px;""> <font color=blue>上传不成功!文件格式不对 [ <a href='javascript:history.go(-1)']>重新上传 </a>] </font> </div>"
case 3:str=" <div style=""padding-top:5px;padding-bottom:5px;""> <font color=blue>上传不成功!文件太大且格式不对 [ <a href='javascript:history.go(-1)'>重新上传 </a>] </font> </div>"
end select
response.write str
else
response.write " <script language=""javascript"">parent.form1.url1.value='"&Uprequest.SavePath&Uprequest.Form("file")&"';"
response.write " </script>"
response.write " </script>"
size=Uprequest.Form("file_size")
showsize=size & " Byte"
if size>1024 then
size=(size\1024)
showsize=size & " KB"
end if
if size>1024 then
size=(size/1024)
showsize=formatnumber(size,2) & " MB"
end if
response.write " <script language=""javascript"">parent.form1.size.value='"&showsize&"';"
response.write " </script>"
response.write " <div style=""padding-top:5px;padding-bottom:5px;""> <font color=red>文件上传成功 </font> [ <a href='javascript:history.go(-1)'>重新上传 </a>] </div>"
end if
Set Uprequest=nothing
end if
response.write " <form name=form action=?action=down&submit=down method=post enctype=multipart/form-data>"
response.write " <input type=file name=file class='tx' size='20'> "
response.write " <input type=submit name=submit value=上传 class=""tx1"">"
response.write " </form>"
end sub
防注入代码中的 POST部份 去掉,就可以上传。请问问题在哪里,如何更改。谢谢!
------------------------------------------------------------------------------------------
防止sql注入代码:
<%
'--------定义部份------------------
Dim Fy_Post,Fy_Get,Fy_cook,Fy_In,Fy_Inf,Fy_Xh,Fy_db,Fy_dbstr,aa
On Error Resume Next
Fy_In = "'|exec|insert|select|delete|update|count|chr|truncate|char|declare|--|script|*|char|set|(|)"
aa="heike.txt" '------------------------------------------如入侵记录保存文件
Fy_Inf = split(Fy_In,"|")
'1--------POST部份------------------
If Request.Form<>"" Then
For Each Fy_Post In Request.Form
For Fy_Xh=0 To Ubound(Fy_Inf)
If Instr(LCase(Request.Form(Fy_Post)),Fy_Inf(Fy_Xh))<>0 Then
flyaway1=""&Request.ServerVariables("REMOTE_ADDR")&","&Request.ServerVariables("URL")
&"+'post'+"&Fy_post&"+"&replace(Request.Form(Fy_post),"'","*")&""
set fs=server.CreateObject("Scripting.FileSystemObject")
set file=fs.OpenTextFile(server.MapPath(aa),8,True)
file.writeline flyaway1
file.close
set file=nothing
set fs=nothing
call aaa()
End If
Next
Next
End If
'2--------GET部份-------------------
If Request.QueryString<>"" Then
For Each Fy_Get In Request.QueryString
For Fy_Xh=0 To Ubound(Fy_Inf)
If Instr(LCase(Request.QueryString(Fy_Get)),Fy_Inf(Fy_Xh))<>0 Then
flyaway2=""&Request.ServerVariables("REMOTE_ADDR")&","&Request.ServerVariables("URL")
&"+'get'+"&Fy_get&"+"&replace(Request.QueryString(Fy_get),"'","*")&""
set fs=server.CreateObject("Scripting.FileSystemObject")
set file=fs.OpenTextFile(server.MapPath(aa),8,True)
file.writeline flyaway2
file.close
set file=nothing
set fs=nothing
call aaa()
End If
Next
Next
End If
'3--------cookies部份-------------------
If Request.Cookies<>"" Then
For Each Fy_cook In Request.Cookies
For Fy_Xh=0 To Ubound(Fy_Inf)
If Instr(LCase(Request.Cookies(Fy_cook)),Fy_Inf(Fy_Xh))<>0 Then
flyaway3=""&Request.ServerVariables("REMOTE_ADDR")&","&Request.ServerVariables("URL")
&"+'cook'+"&Fy_cook&"+"&replace(Request.Cookies(Fy_cook),"'","*")&""
set fs=server.CreateObject("Scripting.FileSystemObject")
set file=fs.OpenTextFile(server.MapPath(aa),8,True)
file.writeline flyaway3
file.close
set file=nothing
set fs=nothing
call aaa()
End If
Next
Next
End If
Sub aaa()
Response.Write "<Script Language=JavaScript>alert('请不要在信息中包含* %等非法字符!');location.href
= 'javascript:history.back()';</Script>"
Response.Write "
<hr>"
Response.End
end Sub
-------------------------------------------------------------------------------------
文件上传功能上传代码:
sub down()
if Request.QueryString("submit")="down" then
uploadpath="uploadFile/softdown/"
uploadsize="2048"
uploadtype="zip/rar/cab/doc"
Set Uprequest=new UpLoadClass
Uprequest.SavePath=uploadpath
Uprequest.MaxSize=uploadsize*1024
Uprequest.FileType=uploadtype
AutoSave=true
Uprequest.open
if Uprequest.form("file_Err") <>0 then
select case Uprequest.form("file_Err")
case 1:str=" <div style=""padding-top:5px;padding-bottom:5px;""> <font color=blue>上传不成功!文件超过"&uploadsize&"k [ <a href='javascript:history.go(-1)'>重新上传 </a>] </font> </div>"
case 2:str=" <div style=""padding-top:5px;padding-bottom:5px;""> <font color=blue>上传不成功!文件格式不对 [ <a href='javascript:history.go(-1)']>重新上传 </a>] </font> </div>"
case 3:str=" <div style=""padding-top:5px;padding-bottom:5px;""> <font color=blue>上传不成功!文件太大且格式不对 [ <a href='javascript:history.go(-1)'>重新上传 </a>] </font> </div>"
end select
response.write str
else
response.write " <script language=""javascript"">parent.form1.url1.value='"&Uprequest.SavePath&Uprequest.Form("file")&"';"
response.write " </script>"
response.write " </script>"
size=Uprequest.Form("file_size")
showsize=size & " Byte"
if size>1024 then
size=(size\1024)
showsize=size & " KB"
end if
if size>1024 then
size=(size/1024)
showsize=formatnumber(size,2) & " MB"
end if
response.write " <script language=""javascript"">parent.form1.size.value='"&showsize&"';"
response.write " </script>"
response.write " <div style=""padding-top:5px;padding-bottom:5px;""> <font color=red>文件上传成功 </font> [ <a href='javascript:history.go(-1)'>重新上传 </a>] </div>"
end if
Set Uprequest=nothing
end if
response.write " <form name=form action=?action=down&submit=down method=post enctype=multipart/form-data>"
response.write " <input type=file name=file class='tx' size='20'> "
response.write " <input type=submit name=submit value=上传 class=""tx1"">"
response.write " </form>"
end sub