<%

'判断来源，禁止外部提交
dim server_v1,server_v2
server_v1=Cstr(Request.ServerVariables("HTTP_REFERER"))
server_v2=Cstr(Request.ServerVariables("SERVER_NAME"))

'response.write(server_v2)
'response.write(len(server_v2))
'response.write mid(server_v1,8,len(server_v2))
'mid函数可从字符串中返回指定数目的字符。
if server_v1="" or mid(server_v1,8,len(server_v2))<>server_v2 then
response.write "<SCRIPT language=JavaScript>alert('来源非法，禁止外部提交！');"
response.write "this.location.href='vbscript:history.back()';</SCRIPT>"
response.end
end if

'非法提交字符过滤
Dim GetFlag Rem(提交方式)
 Dim ErrorSql Rem(非法字符)
 Dim RequestKey Rem(提交数据)
 Dim ForI Rem(循环标记)
 ErrorSql = "'~;~and~(~)~select~insert~delete~drop~alter~create~backup~if~else~end~exec~update~count~*~%~chr~mid~master~truncate~char~declare" Rem(每个敏感字符或者词语请使用半角 "~" 格开)
 ErrorSql = split(ErrorSql,"~")
 If Request.ServerVariables("REQUEST_METHOD")="GET" Then
 GetFlag=True
 Else
 GetFlag=False
 End If
 If GetFlag Then
   For Each RequestKey In Request.QueryString
    For ForI=0 To Ubound(ErrorSql)
  If Instr(LCase(Request.QueryString(RequestKey)),ErrorSql(ForI))<>0 Then
  response.write "<script>alert(""警告:\n请不要尝试非法注入！！"");history.go(-1);</script>"
  Response.End
  End If
    Next
   Next
 Else
   For Each RequestKey In Request.Form
    For ForI=0 To Ubound(ErrorSql)
  If Instr(LCase(Request.Form(RequestKey)),ErrorSql(ForI))<>0 Then
  response.write "<script>alert(""警告:\n请不要尝试非法注入！！"");history.go(-1);</script>"
  Response.End
  End If
    Next
   Next
 End If