
asp - sql injection 방지 function 본문


asp - sql injection 방지 function

잠수콩 2010. 3. 24. 12:35



 Function IsInjectionParam()
  Dim QueryString
  QueryString = LCase(Request.ServerVariables("QUERY_STRING"))

  IsInjectionParam = False
  If InStr(QueryString, "execute") > 0 Or InStr(QueryString, "xp_") > 0 Or InStr(QueryString, "sp_") > 0 Then
   IsInjectionParam = True
   Exit Function
  End If

  If (InStr(QueryString, "select") > 0 And InStr(QueryString, "from") > 0) Or (InStr(QueryString, "update") > 0 And InStr(QueryString, "set") > 0) Or (InStr(QueryString, "delete") > 0 And InStr(QueryString, "from") > 0) Then
   IsInjectionParam = True
   Exit Function
  End If
  If InStr(QueryString, "truncate") > 0 Or (InStr(QueryString, "table") > 0 And (InStr(QueryString, "drop") > 0 Or InStr(QueryString, "create") > 0 Or InStr(QueryString, "alter") > 0)) Then
   IsInjectionParam = True
   Exit Function
  End If
  If  (InStr(QueryString, "net") > 0 And (InStr(QueryString, "localgroup") > 0 Or InStr(QueryString, "user") > 0)) Then
   IsInjectionParam = True
   Exit Function
  End If

  If  (InStr(QueryString, "<")) > 0 And (InStr(QueryString, "script")) > 0 Then
   IsInjectionParam = True
   Exit Function
  End If
  
  If  (InStr(QueryString, "3C")) > 0 And (InStr(QueryString, "script")) > 0 Then
   IsInjectionParam = True
   Exit Function
  End If

  If  (InStr(QueryString, "script")) > 0 Then
   IsInjectionParam = True
   Exit Function
  End If

  If  (InStr(QueryString, "'")) > 0 Or (InStr(QueryString, "%27")) > 0Then
   IsInjectionParam = True
   Exit Function
  End If

  If  (InStr(QueryString, "+or")) > 0 Then
   IsInjectionParam = True
   Exit Function
  End If

 End Function
