
test

 lanfengye 2005-12-20
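<%
' Request gate: rejects the request when the lower-cased host + script path +
' query string contains any token from a fixed deny-list, then stops the page.
'
' Limits a maintainer should know before relying on this:
'   * A keyword deny-list does not make string-built SQL safe. The durable fix
'     is at the query site: bind values through ADODB.Command parameters and
'     coerce numeric ids (IsNumeric / CLng) before use. Treat this gate as
'     defence in depth only.
'   * Only Request.QueryString is inspected; Request.Form and Request.Cookies
'     are not covered by this check.
'   * Tokens such as "-", ",", ":" and "%20and" also occur in ordinary values,
'     and server_name/url are part of the scanned string, so a host name or
'     path containing "-" would reject every request.
'     NOTE(review): confirm the host name and paths this is deployed under.
Dim sqlDenyTokens, sqlDenyToken, sqlDenyHit

StrTemp = Request.ServerVariables("server_name") & Request.ServerVariables("url") & "?" & Request.QueryString
StrTemp = LCase(StrTemp)

' Changes from the published list:
'   * "chat(" is not a SQL function; "char(" is presumably what was intended.
'   * "'" added: the published list had only the typographic "‘", which looks
'     like a mangled ASCII apostrophe. The typographic forms are kept as well.
'   * ": ", "; " and ", " dropped: each is already matched by ":", ";" and ",".
' NOTE(review): "net%20localgroup administrator" mixes %20 with a literal
' space; kept as published - confirm the intended form.
sqlDenyTokens = Array( _
    "select%20", "insert%20", "delete%20from", "count(", "drop%20table", _
    "asc(", "truncate%20", "update%20", "mid(", "char(", _
    "xp_cmdshell", "exec%20master", "net%20localgroup administrator", "net%20user", _
    "%20or", "%20and", _
    """", "'", "‘", "“", "”", _
    ":", ";", ",", "-", "%27" _
)

sqlDenyHit = False
For Each sqlDenyToken In sqlDenyTokens
    If InStr(StrTemp, sqlDenyToken) > 0 Then
        sqlDenyHit = True
        Exit For
    End If
Next

If sqlDenyHit Then
    ' ASCII quotes are required here: with typographic quotes the emitted
    ' script is a syntax error and neither the alert nor history.back() runs.
    ' The message text itself is a fixed literal; no request data is echoed.
    Response.Write "<script language='javascript'>alert('错误的参数传递,请不要企图破解程序! ');history.back();</script>"
    Response.End
End If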
