The following functions can be dropped into a page to block SQL injection attempts, but they should not be relied on by themselves; we need to keep raising security awareness.
The code is as follows:
'===================================
'Filter SQL in Submit Form
'===================================
Function ForSqlForm()
    Dim fqys, errc, i, items
    Dim nothis(18)                      ' blacklisted substrings, indexes 0..18
    nothis(0)  = "net user"
    nothis(1)  = "xp_cmdshell"
    nothis(2)  = "/add"
    nothis(3)  = "exec%20master.dbo.xp_cmdshell"
    nothis(4)  = "net localgroup administrators"
    nothis(5)  = "select"
    nothis(6)  = "count"
    nothis(7)  = "asc"
    nothis(8)  = "char"
    nothis(9)  = "mid"
    nothis(10) = "'"
    nothis(11) = ":"
    nothis(12) = """"                   ' a double-quote character (entry arrived blank in this copy; assumed)
    nothis(13) = "insert"
    nothis(14) = "delete"
    nothis(15) = "drop"
    nothis(16) = "truncate"
    nothis(17) = "from"
    nothis(18) = "%"
    'nothis(19) = "@"
    errc = False
    ' Check every submitted form field against every blacklisted substring.
    ' InStr with its default (binary) compare is case-sensitive.
    For i = 0 To UBound(nothis)
        For Each items In Request.Form
            If InStr(Request.Form(items), nothis(i)) <> 0 Then
                Response.Write("<div>")
                Response.Write("The information you filled in: " & Server.HTMLEncode(Request.Form(items)) & "<br>contains illegal characters: " & nothis(i))
                Response.Write("</div>")
                Response.Write("Sorry, the information you filled in contains illegal characters! <a href=# onclick=history.back()>Return</a>")
                Response.End()
            End If
        Next
    Next
End Function
'===================================
'Filter SQL in query
'===================================
Function ForSqlInjection()
    Dim fqys, errc, i
    Dim nothis(19)                      ' same blacklist, with "@" enabled as index 19
    fqys = Request.ServerVariables("QUERY_STRING")
    nothis(0)  = "net user"
    nothis(1)  = "xp_cmdshell"
    nothis(2)  = "/add"
    nothis(3)  = "exec%20master.dbo.xp_cmdshell"
    nothis(4)  = "net localgroup administrators"
    nothis(5)  = "select"
    nothis(6)  = "count"
    nothis(7)  = "asc"
    nothis(8)  = "char"
    nothis(9)  = "mid"
    nothis(10) = "'"
    nothis(11) = ":"
    nothis(12) = """"                   ' a double-quote character (entry arrived blank in this copy; assumed)
    nothis(13) = "insert"
    nothis(14) = "delete"
    nothis(15) = "drop"
    nothis(16) = "truncate"
    nothis(17) = "from"
    nothis(18) = "%"
    nothis(19) = "@"
    errc = False
    ' Scan the raw query string once per blacklisted substring.
    For i = 0 To UBound(nothis)
        If InStr(fqys, nothis(i)) <> 0 Then
            errc = True
        End If
    Next
    If errc Then
        Response.Write("Query information contains illegal characters! <a href=# onclick=history.back()>Return</a>")
        Response.End()
    End If
End Function
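As an added illustration, not part of the original page, the blacklist above is ported to Python beside a parameterized query: the substring filter rejects legitimate input such as a surname with an apostrophe or a title containing "from", while a bound parameter hands the same text to the database as plain data. The users table, the names and the helper functions are all constructed here.

```python
import sqlite3

# Blacklist from ForSqlForm/ForSqlInjection above, ported for offline testing
# (this harness is constructed here; it is not the original ASP code).
NOTHIS = [
    "net user", "xp_cmdshell", "/add", "exec%20master.dbo.xp_cmdshell",
    "net localgroup administrators", "select", "count", "asc", "char", "mid",
    "'", ":", '"', "insert", "delete", "drop", "truncate", "from", "%", "@",
]


def find_illegal(value):
    """Return the first blacklisted substring found in value, else None.

    Mirrors the InStr loop in the ASP code but compares case-insensitively
    (the vbTextCompare equivalent); VBScript InStr defaults to a binary
    compare, so the original matches only the exact lowercase spellings."""
    lowered = value.lower()
    for word in NOTHIS:
        if word.lower() in lowered:
            return word
    return None


def lookup_user_id(conn, username):
    """Parameterized query: the driver binds username as data, so quotes or
    keywords inside it cannot change the structure of the statement."""
    row = conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None


def make_db():
    """Constructed in-memory table holding a legitimate name with an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES (?)", ("O'Brien",))
    return conn


if __name__ == "__main__":
    conn = make_db()
    for text in ("O'Brien", "Letter from Paris", "plain text"):
        # The blacklist flags the two legitimate strings (false positives) ...
        print(repr(text), "-> blacklist hit:", find_illegal(text))
        # ... while the parameterized lookup treats every input as ordinary data.
        print("   lookup_user_id:", lookup_user_id(conn, text))
```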