4 个解决方案
#1
变量使用了一个 VBScript 中不支持的 Automation 类型
#2
变量 不是返回值
#3
是啊,为什么 传参数可以穿char*型,返回值确不能获取呢,同样是char* 的。
#4
<%
'dim DBServer,DBname,DBuid,DBpwd,strsql,conn,sql_injdata,sql_inj,SQL_Get,SQL_Data,CloseConn
DBServer = "(local)" '数据库服务器IP地址(本地可用“127.0.0.1”或“(local)”,非本机请用真实IP)
DBname = "ying" '数据库名称
DBuid = "sauser" '数据库服务器用户名
DBpwd = "123456" '数据库服务器用户密码
'strsql="provider=sqloledb;data source=(Local)\GSQL;User ID=testtest;pwd=1234567890;Initial Catalog=siren"
strsql="Provider=sqloledb;Data Source="&DBServer&";Initial Catalog="&DBname&";User Id="&DBuid&";Password="&DBpwd&";"
set conn = server.createobject("adodb.connection")
conn.open strsql
%>
<%
'加入到conn.asp中的SQL通用防注入
'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare
'各个字符用"|"隔开,,然后我们判断的得到的Request.QueryString
'具体代码如下
sql_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|declare"
sql_inj = split(SQL_Injdata,"|")
if Request.QueryString<>"" then
for each SQL_Get in Request.QueryString
for SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then
Response.Write "alert('系统提示↓请不要在参数中包含非法字符尝试注入!');history.back(-1)"
Response.end
end if
next
next
end if
if Request.Form<>"" then
for each Sql_Post in Request.Form
for SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 then
Response.Write "alert('系统提示↓请不要在参数中包含非法字符尝试注入!');history.back(-1)"
Response.end
end if
next
next
end if
sub CloseConn222()
conn.close
set conn=nothing
end sub
%>
23行报错(if Request.QueryString<>"" then)
'dim DBServer,DBname,DBuid,DBpwd,strsql,conn,sql_injdata,sql_inj,SQL_Get,SQL_Data,CloseConn
DBServer = "(local)" '数据库服务器IP地址(本地可用“127.0.0.1”或“(local)”,非本机请用真实IP)
DBname = "ying" '数据库名称
DBuid = "sauser" '数据库服务器用户名
DBpwd = "123456" '数据库服务器用户密码
'strsql="provider=sqloledb;data source=(Local)\GSQL;User ID=testtest;pwd=1234567890;Initial Catalog=siren"
strsql="Provider=sqloledb;Data Source="&DBServer&";Initial Catalog="&DBname&";User Id="&DBuid&";Password="&DBpwd&";"
set conn = server.createobject("adodb.connection")
conn.open strsql
%>
<%
'加入到conn.asp中的SQL通用防注入
'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare
'各个字符用"|"隔开,,然后我们判断的得到的Request.QueryString
'具体代码如下
sql_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|declare"
sql_inj = split(SQL_Injdata,"|")
if Request.QueryString<>"" then
for each SQL_Get in Request.QueryString
for SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then
Response.Write "alert('系统提示↓请不要在参数中包含非法字符尝试注入!');history.back(-1)"
Response.end
end if
next
next
end if
if Request.Form<>"" then
for each Sql_Post in Request.Form
for SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 then
Response.Write "alert('系统提示↓请不要在参数中包含非法字符尝试注入!');history.back(-1)"
Response.end
end if
next
next
end if
sub CloseConn222()
conn.close
set conn=nothing
end sub
%>
23行报错(if Request.QueryString<>"" then)
#1
变量使用了一个 VBScript 中不支持的 Automation 类型
#2
变量 不是返回值
#3
是啊,为什么 传参数可以穿char*型,返回值确不能获取呢,同样是char* 的。
#4
<%
'dim DBServer,DBname,DBuid,DBpwd,strsql,conn,sql_injdata,sql_inj,SQL_Get,SQL_Data,CloseConn
DBServer = "(local)" '数据库服务器IP地址(本地可用“127.0.0.1”或“(local)”,非本机请用真实IP)
DBname = "ying" '数据库名称
DBuid = "sauser" '数据库服务器用户名
DBpwd = "123456" '数据库服务器用户密码
'strsql="provider=sqloledb;data source=(Local)\GSQL;User ID=testtest;pwd=1234567890;Initial Catalog=siren"
strsql="Provider=sqloledb;Data Source="&DBServer&";Initial Catalog="&DBname&";User Id="&DBuid&";Password="&DBpwd&";"
set conn = server.createobject("adodb.connection")
conn.open strsql
%>
<%
'加入到conn.asp中的SQL通用防注入
'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare
'各个字符用"|"隔开,,然后我们判断的得到的Request.QueryString
'具体代码如下
sql_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|declare"
sql_inj = split(SQL_Injdata,"|")
if Request.QueryString<>"" then
for each SQL_Get in Request.QueryString
for SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then
Response.Write "alert('系统提示↓请不要在参数中包含非法字符尝试注入!');history.back(-1)"
Response.end
end if
next
next
end if
if Request.Form<>"" then
for each Sql_Post in Request.Form
for SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 then
Response.Write "alert('系统提示↓请不要在参数中包含非法字符尝试注入!');history.back(-1)"
Response.end
end if
next
next
end if
sub CloseConn222()
conn.close
set conn=nothing
end sub
%>
23行报错(if Request.QueryString<>"" then)
'dim DBServer,DBname,DBuid,DBpwd,strsql,conn,sql_injdata,sql_inj,SQL_Get,SQL_Data,CloseConn
DBServer = "(local)" '数据库服务器IP地址(本地可用“127.0.0.1”或“(local)”,非本机请用真实IP)
DBname = "ying" '数据库名称
DBuid = "sauser" '数据库服务器用户名
DBpwd = "123456" '数据库服务器用户密码
'strsql="provider=sqloledb;data source=(Local)\GSQL;User ID=testtest;pwd=1234567890;Initial Catalog=siren"
strsql="Provider=sqloledb;Data Source="&DBServer&";Initial Catalog="&DBname&";User Id="&DBuid&";Password="&DBpwd&";"
set conn = server.createobject("adodb.connection")
conn.open strsql
%>
<%
'加入到conn.asp中的SQL通用防注入
'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare
'各个字符用"|"隔开,,然后我们判断的得到的Request.QueryString
'具体代码如下
sql_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|declare"
sql_inj = split(SQL_Injdata,"|")
if Request.QueryString<>"" then
for each SQL_Get in Request.QueryString
for SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then
Response.Write "alert('系统提示↓请不要在参数中包含非法字符尝试注入!');history.back(-1)"
Response.end
end if
next
next
end if
if Request.Form<>"" then
for each Sql_Post in Request.Form
for SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 then
Response.Write "alert('系统提示↓请不要在参数中包含非法字符尝试注入!');history.back(-1)"
Response.end
end if
next
next
end if
sub CloseConn222()
conn.close
set conn=nothing
end sub
%>
23行报错(if Request.QueryString<>"" then)