Waf

I、PHP

<?php
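/**
 * Blocklist "WAF": aborts the request when $str contains a blocklisted SQL
 * keyword or metacharacter, either as submitted or after urlencode().
 *
 * Fixes versus the original listing:
 *  - the $waf assignment was missing its terminating semicolon (parse error);
 *  - preg_match() only accepts strings; handed $_GET/$_POST/$_COOKIE it
 *    returned false with a warning (a TypeError on PHP 8), so those three
 *    calls inspected nothing. Arrays are now walked recursively and every
 *    leaf value is tested. Parameter names are still not inspected.
 *
 * Caveats for whoever deploys this: the patterns are substring matches with
 * no word boundaries, so harmless input is rejected too ("description"
 * contains "desc", "settings" contains "set", any ",", "=", "(" or "<").
 * A blocklist can be bypassed and is no substitute for prepared statements
 * (see section II); treat it as defence in depth only.
 *
 * @param string|array $str value, or nested array of values, to inspect
 * @return void prints a notice and exit()s on a hit, returns otherwise
 */
function check($str){
    if (is_array($str)) {
        foreach ($str as $value) {
            check($value);
        }
        return;
    }
    if (waf_matches((string)$str)) {
        print "您的提交带有不合法参数,谢谢合作";
        exit();
    }
}

/**
 * Returns true when $str, raw or urlencode()d, matches the blocklist.
 * Kept separate from check() so the decision can be tested without
 * triggering exit().
 *
 * @param string $str
 * @return bool
 */
function waf_matches($str){
    $waf="(ord|by|group|floor|select|update|insert|create|delete|drop|grant|truncate|rename|exec|desc|from|table|database|set|where|charset|ascii|bin|char|uncompress|concat|concat_ws|conv|export_set|hex|instr|left|load_file|locate|mid|sub|substring|oct|reverse|right|unhex|sysdatabases|msysaccessobjects|msysqueries|sysmodules|mysql\.db|sys\.database_name|information_schema|sysobjects|sp_makewebtask|xp_cmdshell|sp_oamethod|sp_addextendedproc|sp_oacreate|xp_regread|sys\.dbms_export_extension|'|,|<|>|=|\(|\)|\*|--)";
    // The encoded form is tested as well, as in the original; note that this
    // adds false positives of its own (e.g. "+in" encodes to "%2Bin" -> "bin").
    return preg_match("/$waf/is",$str)==1||preg_match("/$waf/is",urlencode($str))==1;
}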
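// Inspect the raw query string, the decoded GET/POST/COOKIE arrays and the
// Referer header. The original referenced $query_string and $referer, which
// are undefined (null) unless an earlier include assigned them, so those two
// checks were no-ops; the values are read from $_SERVER instead. isset()
// keeps CLI runs and requests without a Referer from raising notices.
check(isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '');
check($_GET);
check($_POST);
check($_COOKIE);
check(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '');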
?>

II、JSP

1、waf

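/**
 * Crude blocklist filter: strips a fixed list of SQL keywords and
 * metacharacters from {@code content} and returns the result.
 *
 * Fixes versus the original listing: the token list was broken across two
 * lines inside the string literal; {@code split("|")} is a regex that splits
 * between every character, so a literal "|" must be escaped; the loop header
 * had been mangled; and the result of {@code String.replace} was discarded
 * (strings are immutable), so the original returned its input unchanged.
 *
 * Caveats: replacement is case-sensitive ("SELECT" passes), a single pass is
 * defeated by nesting ("selselectect" becomes "select"), and innocent text is
 * mangled ("command" loses its "and"). Use PreparedStatement (section 2) for
 * the SQL itself; treat this as defence in depth at best.
 *
 * @param content text to scrub; {@code null} is returned unchanged
 * @return content with every blocklisted token removed, in list order
 */
public static String filterContent(String content){
    if (content == null) {
        return null;
    }
    final String flt = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|; |or|-|+|,";
    // "|" is the regex alternation operator, hence the escape.
    String[] filter = flt.split("\\|");
    String result = content;
    for (String token : filter) {
        result = result.replace(token, "");
    }
    return result;
}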

2、PreparedStatement

// Parameterised lookup: userName and passWord are bound with setString, so
// they travel as values and cannot alter the statement's structure. This is
// the control that actually prevents SQL injection; the blocklist in
// section 1 is not.
// NOTE(review): "password=?" compares the submitted password with the stored
// column directly, which suggests passwords are stored in a recoverable form.
// Fetch the stored hash by username and verify it in code instead.
// Prefer an explicit column list over "select*".
String sql = "select* from users where username=? and password=?";  
         Connection conn = null;  
         PreparedStatement state = null;  
         ResultSet result;  
         conn = JdbcUtil.getConnection();  
         // Prints the template only, never the bound values, so nothing
         // user-supplied is written to stdout here.
         System.out.println(sql);  
         // The try block is cut off in this listing: conn, state and result
         // must be closed in a finally block (or try-with-resources) or the
         // connection leaks on every call.
         try {  
             state = conn.prepareStatement(sql);  
             state.setString(1, userName);  
             state.setString(2, passWord);  
             result = state.executeQuery();

III、ASP

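<%   
 'Add the line below to every page that needs protection:  
 '#include virtual="/_safe.asp"
 'to get request-level filtering for SQL injection and cross-site scripting.  
 'For the whole site, put the #include in a file every page already uses,  
 'such as the database connection file conn.asp.  
 '
 'On Error Resume Next is kept so that a scripting error does not surface as a
 'raw 500 page, but the original listing then simply carried on with the next
 'statement, i.e. an error inside stophacker/test let the request through
 '(fail-open). Every check is now followed by an Err test that denies the
 'request instead.
 'Caveats: these patterns are a blocklist. "." does not match a newline in
 'VBScript RegExp, so a line break between UNION and SELECT is not caught by
 '"UNION.+?SELECT"; parameter names are never inspected. Parameterised queries
 'remain the real defence.
 On Error Resume Next  
 if request.querystring<>"" then call stophacker(request.querystring,"'|\b(alert|confirm|prompt)\b|<[^>]*?>|^\+/v(8|9)|\bonmouse(over|move)=\b|\b(and|or)\b.+?(>|<|=|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)")  
 if Err.Number<>0 then call denyOnError()
 if Request.ServerVariables("HTTP_REFERER")<>"" then call test(Request.ServerVariables("HTTP_REFERER"),"'|\b(and|or)\b.+?(>|<|=|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)")  
 if Err.Number<>0 then call denyOnError()
 if request.Cookies<>"" then call stophacker(request.Cookies,"\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)")   
 if Err.Number<>0 then call denyOnError()
 call stophacker(request.Form,"^\+/v(8|9)|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)")  
 if Err.Number<>0 then call denyOnError()

 'Fail closed: a scripting error while filtering must not let the request
 'reach the page. Err.Clear keeps the error text from leaking into the body.
 sub denyOnError()
   Err.Clear
   Response.Write("您的提交带有不合法参数,谢谢合作!")
   Response.End
 end sub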

 ' Checks a single string (used for the HTTP_REFERER header) against the
 ' regular expression in re, case-insensitively. On a match the request is
 ' answered with a fixed notice and ended; otherwise the function returns.
 function test(values,re)  
   dim matcher, IP  
   set matcher = new regexp  
   with matcher  
     .ignorecase = true  
     .global = true  
     .pattern = re  
   end with  
   if not matcher.test(values) then  
     set matcher = nothing  
     exit function  
   end if  
   ' X-Forwarded-For is client-supplied and trivially forged; it only feeds
   ' the (disabled) log line below, which also still names the l_get/l_get2
   ' variables of stophacker rather than anything defined here.
   IP = Request.ServerVariables("HTTP_X_FORWARDED_FOR")  
   if IP = "" then IP = Request.ServerVariables("REMOTE_ADDR")  
   'slog("IP: "&ip&" time: " & now() & " page:"&Request.ServerVariables("URL")&" method: "&Request.ServerVariables("Request_Method")&" param: "&l_get&" data: "&l_get2)  
   Response.Write("您的提交带有不合法参数,谢谢合作!")  
   Response.end  
 end function   


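 ' Tests every value in an ASP request collection (QueryString, Form or
 ' Cookies) against the regular expression in re, case-insensitively. On the
 ' first hit the request is answered with a fixed notice and ended; otherwise
 ' the function returns.
 '
 ' Fix versus the original: the outer "for each n_get in values" loop was never
 ' used, so every value was tested once per item in the collection; one pass is
 ' enough, and the RegExp object is built once instead of per value.
 '
 ' Caveats: only values are inspected, not parameter names; "." in the patterns
 ' does not match a newline in VBScript RegExp, so "UNION" + vbLf + "SELECT"
 ' is not caught by "UNION.+?SELECT". This is a blocklist, not a replacement
 ' for parameterised queries.
 function stophacker(values,re)  
  dim name, data, regex, IP  
  set regex = new regexp  
  regex.ignorecase = true  
  regex.global = true  
  regex.pattern = re  
  for each name in values  
    data = values(name)  
    if regex.test(data) then  
       ' HTTP_X_FORWARDED_FOR is client-supplied and trivially spoofed; it is
       ' informative only. Prefer REMOTE_ADDR unless a trusted proxy sets it.
       IP=Request.ServerVariables("HTTP_X_FORWARDED_FOR")  
       If IP = "" Then   
          IP=Request.ServerVariables("REMOTE_ADDR")  
       end if  
       'slog("IP: "&ip&" time: " & now() & " page:"&Request.ServerVariables("URL")&" method: "&Request.ServerVariables("Request_Method")&" param: "&name&" data: "&data)  
       Response.Write("您的提交带有不合法参数,谢谢合作!")  
       Response.end  
    end if  
  next  
  set regex = nothing  
 end function   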

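 ' Appends one line to the WAF log file.
 '
 ' Fix versus the original: the log used to be appended to /index.asp, the
 ' site's own start page. Log lines carry request data (parameter values,
 ' X-Forwarded-For), so enabling the slog calls would have let a visitor write
 ' ASP code into an executable page. The log now goes to a non-script file;
 ' keep it outside the web root or deny it in IIS so it cannot be downloaded,
 ' and make sure the application pool identity may write to it.
 ' CR and LF are stripped from the line so a crafted value cannot forge extra
 ' log entries.
 sub slog(logs)  
         dim logPath,fs,Ts  
         logPath = Server.Mappath("/_safe.log")  
         Set fs = CreateObject("scripting.filesystemobject")  
         ' 8 = ForAppending; True = create the file if it does not exist yet
         Set Ts = fs.OpenTextFile(logPath,8,True)  
         Ts.writeline (Replace(Replace(logs, vbCr, " "), vbLf, " "))  
         Ts.Close  
         Set Ts=nothing  
         Set fs=nothing  
 end sub  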
 %>