复制代码 代码如下:

'获取参数值

Function getForm(element,ftype)

Select case ftype

case "get"

getForm=trim(request.QueryString(element))

case "post"

getForm=trim(request.Form(element))

case "both"

if isNul(request.QueryString(element)) then getForm=trim(request.Form(element)) else getForm=trim(request.QueryString(element))

End Select

getForm=replace(getForm,CHR(34),""")

getForm=replace(getForm,CHR(39),"'")

End Function

'主要功能就是获取参数值，比直接用request("element")要安全很多

'过滤参数

Function filterPara(byVal Para)

filterPara=preventSqlin(Checkxss(Para))

End Function

Function preventSqlin(content)

dim sqlStr,sqlArray,i,speStr

sqlStr="<|>|%|%27|'|''|;|*|and|exec|dbcc|alter|drop|insert|select|update|delete|count|master|truncate|char|declare|where|set|declare|mid|chr"

if isNul(content) then Exit Function

sqlArray=split(sqlStr,"|")

for i=lbound(sqlArray) to ubound(sqlArray)

if instr(lcase(content),sqlArray(i))<>0 then

select case sqlArray(i)

case "<":speStr="<"

case ">":speStr=">"

case "'","""":speStr="""

'case ";":speStr="；"

case else:speStr=""

end select

content=replace(content,sqlArray(i),speStr,1,-1,1)

end if

next

preventSqlin=content

End Function

'上面的参数过滤函主要是防止sql注入，加强的防护。