down了一个多用户asp的商城系统,在本机上测试,可是一打开就提示本机ip非法登入等信息,我查看了一下index.asp的代码,top上有个link,到conn.asp文件 <% '请填写数据库具体参数 '------------------------------------------------------------ '----------------------------------------------------------- dbpath=dbdns&"/shop/mycartconn/shopcom.asa" 'dbdns 为各文件中设置的路径,请不要改动 connstr="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(""&dbpath&"") '----------------------------------------------------------- '打开数据库 response.buffer=true '启用缓冲处理 Set conn = Server.CreateObject("ADODB.Connection") 'conn.Open"Provider=sqloledb;user id="&SQLDBUserName&";password="&SQLDBPassword&";initial catalog="&SQLDBName&";data source="&SQLServerName&";" conn.Open connstr '防范未知IP访问及软件攻击 noip1 = Request.ServerVariables("HTTP_X_FORWARDED_FOR") noip2 = Request.ServerVariables("REMOTE_ADDR") if noip1 = "" then noip=noip2 else noip=noip1 end if if (noip1="unknown" or noip2="unknown") or (noip1="" and noip2="") then Response.write "系统拒绝了你的来访IP不明访问请求,如有问题请与河南数据电子商务平台客服中心联系" Response.end end if 'SQL注入式攻击防范get及ID(not)代码 squery=lcase(Request.ServerVariables("QUERY_STRING")) sURL=lcase(Request.ServerVariables("HTTP_HOST")) allquery=squery+sURL if InStr(allquery,"%20")<>0 or InStr(allquery," ")<>0 or InStr(allquery,"%27")<>0 or InStr(allquery,"'")<>0 or InStr(allquery,"%a1a1")<>0 or InStr(allquery," ")<>0 or InStr(allquery,"%24")<>0 or InStr(allquery,"$")<>0 or InStr(allquery,"%3b")<>0 or InStr(allquery,";")<>0 or InStr(allquery,":")<>0 or InStr(allquery,"%%")<>0 or InStr(allquery,"%3c")<>0 or InStr(allquery,"<")<>0 or InStr(allquery,">")<>0 or InStr(allquery,"--")<>0 or InStr(allquery,"sp_")<>0 or InStr(allquery,"xp_")<>0 or InStr(allquery,"exec")<>0 or InStr(allquery,"\")<>0 or InStr(allquery,"delete")<>0 or InStr(allquery,"dir")<>0 or InStr(allquery,"exe")<>0 or InStr(allquery,"select")<>0 or InStr(allquery,"Update")<>0 or InStr(allquery,"cmd")<>0 or InStr(allquery,"*")<>0 or InStr(allquery,"^")<>0 or InStr(allquery,"(")<>0 or InStr(allquery,")")<>0 or InStr(allquery,"+")<>0 or InStr(allquery,"copy")<>0 or InStr(allquery,"format")<>0 or not(isnumeric(request("userid"))) or not(isnumeric(request("id"))) or not(isnumeric(request("lbid"))) or not(isnumeric(request("xlbid"))) or not(isnumeric(request("cpid"))) or not(isnumeric(request("cp_id"))) or not(isnumeric(request("page"))) then win=Request.ServerVariables("HTTP_USER_AGENT") set rs = conn.execute("select js from nosql where ip='"&noip&"'") if not rs.eof then conn.execute("Update nosql set js=js+1 where ip='"&noip&"'") '反击开绐(调用了一个死循环) Response.write "<script language='JavaScript'>" Response.write "while (true)" Response.write "window.alert('非法入侵,你的IP及其它信息已被记录,系统已启动低级入侵自卫反击!!!')</script>" Response.end '反击结束 else conn.execute("Insert into nosql(ip)values('"&noip&"')") Response.Write("<script>alert(""错误提示:系统拒绝了你的不法访问,请确认你的访问的网址是否正确,如有问题请与网站客服中心联系!你的真实IP地址:"&noip&",所用游览器:"&win&"。如果你的不法访问达到二次系统将自动进入初级入侵自卫反击状态。超过3次不法访问,系统将自动进入中高级入侵自卫反击状态。由此造成的一切后果自负!"");location.href=""/"";</script>") Response.End end if rs.close end if '完了 '//在线总人:online_line,在线会员:online_huiyuan,在线游客:online_youke,最高在线:online_s if Request.ServerVariables("HTTP_X_FORWARDED_FOR") = "" then ip=Request.ServerVariables("REMOTE_ADDR") else ip= Request.ServerVariables("HTTP_X_FORWARDED_FOR") end if conn.execute("delete from online where datediff('n',sj,now())>1000") if session("huiyuan")="" then set jilu=conn.execute("select ip from online where ip='"&ip&"'") if jilu.eof then conn.execute("insert into online (ip,name)VALUES('"&ip&"','游客')") else conn.execute("update online set sj='"&now()&"' where ip='"&ip&"'") end if jilu.close:set jilu=nothing else set jilu=conn.execute("select name from online where name='"&replace(session("huiyuan"),"'","''")&"'") if jilu.eof then conn.execute("Delete from online where ip='"&ip&"'") conn.execute("insert into online (name,ip,pic)VALUES('"&replace(session("huiyuan"),"'","''")&"','"&ip&"',1)") else conn.execute("update online set sj='"&now()&"' where name='"&replace(session("huiyuan"),"'","''")&"'") end if jilu.close:set jilu=nothing end if online_huiyuan=conn.execute("Select count(id)from online where pic=1")(0) online_line=conn.execute("Select count(id)from online")(0) if int(online_line)>int(online_s) then online_s=online_line end if online_youke=online_line-online_huiyuan '==================================================================== %> <% response.buffer=true squery=lcase(Request.ServerVariables("QUERY_STRING")) sURL=lcase(Request.ServerVariables("HTTP_HOST")) allquery=squery+sURL if InStr(allquery,"%20")<>0 or InStr(allquery," ")<>0 or InStr(allquery,"%27")<>0 or InStr(allquery,"'")<>0 or InStr(allquery,"%a1a1")<>0 or InStr(allquery," ")<>0 or InStr(allquery,"%24")<>0 or InStr(allquery,"$")<>0 or InStr(allquery,"%3b")<>0 or InStr(allquery,";")<>0 or InStr(allquery,"%%")<>0 or InStr(allquery,"%3c")<>0 or InStr(allquery,"<")<>0 or InStr(allquery,"%3e")<>0 or InStr(allquery,">")<>0 or InStr(allquery,"%28")<>0 or InStr(allquery,"(")<>0 or InStr(allquery,"%29")<>0 or InStr(allquery,")")<>0 or InStr(allquery,"%5c")<>0 or InStr(allquery,"\")<>0 then response.write "非法访问" Response.End end if Set conn = Server.CreateObject("ADODB.Connection") 'conn.ConnectionTimeout = 10 '设置connection对象连接数据库的逾期时间 'conn.CommandTimeout = 20 '设置执行execute方法时间 'conn.CursorLocation = 3 '将记录存放在游览器端 '打开数据库 response.buffer=true '启用缓冲处理 Set conn = Server.CreateObject("ADODB.Connection") 'conn.Open"Provider=sqloledb;user id="&SQLDBUserName&";password="&SQLDBPassword&";initial catalog="&SQLDBName&";data source="&SQLServerName&";" conn.Open connstr FUNCTION nohack(String) dim noyes,nono nono="'|\|;|(|)| |%20|<|>" if not isnull(String) then noyes = split(nono, "|") for i = 0 to ubound(noyes) String = Replace(String, noyes(i),"") next nohack = String end if END FUNCTION %> <%'post过滤sql注入代防范及HTML防护开始 function nosql(str) if isnull(str) then str = "" exit function end if str=trim(str) str=replace(str,"&","&") '& str=replace(str,";",";") '分号 str=replace(str,"'","'") '单引号 str=replace(str,"""",""") '双引号 str=replace(str,"chr(9)"," ") '空格 str=replace(str,"chr(10)","<br>") '回车 str=replace(str,"chr(13)","<br>") '回车 str=replace(str,"chr(32)"," ") '空格 str=replace(str,"chr(34)",""") '双引号 str=replace(str,"chr(39)","'") '单引号 str=Replace(str, "script", "script")'script str=replace(str,"<","<") '左< str=replace(str,">",">") '右> str=replace(str,"(","(") '左( str=replace(str,")",")") '右) str=replace(str,"*","*") '* str=replace(str,"--","--") 'SQL注释符 nosql=str end function%> 如何解除这样的限制??? 本人不懂asp 哪位asp高手帮看看,解解。多多谢谢!!