Boas, utilizei o script do xan para bloquear SQL injection, mas ele agora está-me a bloquear tudo. Como fiz uma ou outra alteração, será que mudei algo que não devia?
<!--#include file="connecttodb.asp"-->
<%
' Client address as seen by IIS (the TCP peer). If the site sits behind a
' proxy or load balancer this is the proxy's address, not the visitor's.
ip = Request.ServerVariables("REMOTE_ADDR")
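' sqlInjection: blacklist filter run on every request (it is called at the
' bottom of this include). The value of every querystring item, form field
' and cookie is searched for the tokens in badbadwords; on the first hit a
' row is written to the "security" table through the rs/conn objects that
' connecttodb.asp is assumed to create (not visible here) and the client is
' redirected to index.asp.
'
' Why it blocks legitimate traffic: the list contains single characters
' ("=", "&", "|", "(", ")", "/", "'", "%", "$", "#") and substrings
' ("select" also matches "selected", "update" also matches "updated") that
' occur in ordinary input such as dates, names like O'Brien, URLs and free
' text. Cookies are the most likely reason for "everything is blocked":
' Request.Cookies(name) returns a cookie that has sub-keys in the serialized
' form "k1=v1&k2=v2", and many third-party cookies carry "=", "|" or
' parentheses, so every visitor holding such a cookie matches. The cookie scan
' below therefore inspects each sub-key value on its own. The list itself is
' left exactly as it was, because which entries are safe to drop depends on
' the application.
'
' NOTE(review): a blacklist does not prevent SQL injection; the queries in the
' rest of the site should be parameterized (ADODB.Command with parameters),
' and this filter kept at most as a logging aid.
function sqlInjection()
    dim badbadwords
    badbadwords = array ("select", "drop", ";", "--", "insert", "delete", "xp_", "$", "#", "%", "&", "'", "(", ")", "/", "\", ":", ";", "<", ">", "=", "[", "]", "update", "-shutdown", "|","'or'1'='1'")
    scanValues Request.QueryString, "SQL Injection Attempt thru Querystring", badbadwords
    scanValues Request.Form, "SQL Injection Attempt thru Form", badbadwords
    scanCookies badbadwords
end function

' scanValues: block the request if any value in coll contains a listed token.
' coll is a Request collection (QueryString or Form); evento is the text
' stored in the security table's "evento" column. As in the original loops,
' an item with several values is checked in its comma-joined form.
sub scanValues(coll, evento, badbadwords)
    dim item
    for each item in coll
        if containsBadWord(coll(item), badbadwords) then
            logAndBlock evento
        end if
    next
end sub

' scanCookies: same check for Request.Cookies, except that a cookie with
' sub-keys is checked one sub-key value at a time instead of in its serialized
' "k1=v1&k2=v2" form, which would otherwise always trip the "=" and "&" entries.
sub scanCookies(badbadwords)
    dim item, subKey
    for each item in Request.Cookies
        if Request.Cookies(item).HasKeys then
            for each subKey in Request.Cookies(item)
                if containsBadWord(Request.Cookies(item)(subKey), badbadwords) then
                    logAndBlock "SQL Injection Attempt thru Cookies"
                end if
            next
        else
            if containsBadWord(Request.Cookies(item), badbadwords) then
                logAndBlock "SQL Injection Attempt thru Cookies"
            end if
        end if
    next
end sub

' containsBadWord: case-insensitive substring test of value against every
' entry of badbadwords. It matches substrings, not whole words, which is the
' same semantics as the original instr loop.
function containsBadWord(value, badbadwords)
    dim j, lowered
    containsBadWord = false
    lowered = lcase(value)
    for j = lbound(badbadwords) to ubound(badbadwords)
        if instr(lowered, lcase(badbadwords(j))) > 0 then
            containsBadWord = true
            exit function
        end if
    next
end function

' logAndBlock: record the event (client address from the page-level ip
' variable, date, time, evento) in the security table through the rs/conn
' objects from connecttodb.asp, then send the client to index.asp. The row is
' written by recordset field assignment, not by string concatenation, so the
' offending input cannot inject into this statement.
sub logAndBlock(evento)
    rs.open "select * from security", conn, 1, 2
    rs.addnew
    rs.fields("ip") = ip
    rs.fields("data") = date()
    rs.fields("hora") = time()
    rs.fields("evento") = evento
    rs.update
    rs.close
    conn.close
    ' The message is URL-encoded so the redirect target is a well-formed URL
    ' (index.asp still receives "That is not allowed" after decoding);
    ' Response.End makes sure nothing after the redirect runs.
    Response.Redirect "index.asp?erro=" & Server.URLEncode("That is not allowed")
    Response.End
end sub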
' Run the filter on every request that includes this file.
call sqlInjection()
%>