主要是防asp的几个地方：

一、地址栏参数注入，就是用request.querystring取得值的这个

二、表单参数注入，就是用request.form取得值的这个

三、cookies 

其实可以看成一个理儿，就是能输入值，能交互的让用户输入的地方都得做一下防。

做一个函数，截取这些地方提交的值，与一个数组（里面放着要过滤或检查的敏感字符）做一下对比，献上我的一个过滤函数：

Function ChkStr(Str) 

    if Isnull(Str) then 

        ChkStr = "" 

        exit Function  

    End if 

    Str = Replace(Str,Chr(0),"",1,-1,1) 

    Str = Replace(Str,"""","&quot;","<","&lt;",">","&gt;",1)  

    Str = Replace(Str,"script","&#115;cript",0) 

    Str = Replace(Str,"SCRIPT","&#083;CRIPT","Script","&#083;cript","object","&#111;bject","OBJECT","&#079;BJECT","Object","&#079;bject","applet","&#097;pplet","APPLET","&#065;PPLET","Applet","&#065;pplet","[","&#091;") 

    Str = Replace(Str,"]","&#093;") 

    Str = Replace(Str,"=","&#061;","’","&#039;","select","&#115;elect","execute","&#101;xecute","exec","&#101;xec","join","&#106;oin","union","&#117;nion","where","&#119;here","insert","&#105;nsert","delete","&#100;elete","update","&#117;pdate","like","&#108;ike","drop","&#100;rop","create","&#099;reate","rename","&#114;ename","count","&#099;ount","chr","&#099;hr","mid","&#109;id","truncate","&#116;runcate","nchar","&#110;char","char","&#099;har","alter","&#097;lter","cast","&#099;ast","exists","&#101;xists",VbCrlf," ","  ",1) 

    ChkStr = Str 

End Function

更新数据时，rs(“字段”) = ChkStr(trim(Request.Form("表单参数")))