SQL注入是一個非常危險的事情，它可能進入我們的管理界面，非法獲取用戶信息或重要資料，使我們蒙受損失，下面介紹一種在ASP中防范SQL注入攻擊的方法：

<%
On Error Resume Next
Dim strTemp

If LCase(Request.ServerVariables("HTTPS")) = "off" Then
     strTemp = "http://"
Else
     strTemp = "https://"
End If

strTemp = strTemp & Request.ServerVariables("SERVER_NAME")

If Request.ServerVariables("SERVER_PORT") <> 80 Then strTemp = strTemp & ":" & Request.ServerVariables("SERVER_PORT")
strTemp = strTemp & Request.ServerVariables("URL")
If Trim(Request.QueryString) <> "" Then strTemp = strTemp & "?" & Trim(Request.QueryString)
strTemp = LCase(strTemp)

If Instr(strTemp,"select%20") or Instr(strTemp,"insert%20") or Instr(strTemp,"delete%20from") or Instr(strTemp,"count(") or Instr(strTemp,"drop%20table") or Instr(strTemp,"update%20") or Instr(strTemp,"truncate%20") or Instr(strTemp,"asc(") or Instr(strTemp,"mid(") or Instr(strTemp,"char(") or Instr(strTemp,"xp_cmdshell") or Instr(strTemp,"exec%20master") or Instr(strTemp,"net%20localgroup%20administrators") or Instr(strTemp,":") or Instr(strTemp,"net%20user") or Instr(strTemp,"'") or Instr(strTemp,"%20or%20") then
              Response.Write "<script language='Javascript'>"
              Response.Write "alert('地址中含有非法字符！！');"
              Response.Write "location.href='index.asp';"
              Response.Write "<script>"
End If
%>

這樣，我們可以杜絕用戶在地址中傳遞非法參數二達到SQL注入攻擊的目的。