'Dim ParaValue
       'ParaValue=Request(ParaName)函数里面是不要加引号
       If ParaType=1 then
              If not isNumeric(ParaValue) then
                   Response.write " 参数" & ParaName & "必须为数字型åQ?
                     Response.end
              End if
       Else
              ParaValue=replace(ParaValue,"'","")
     ParaValue=replace(ParaValue,";and 1=1","")
     ParaValue=replace(ParaValue,";and 1=2","")
     ParaValue=replace(ParaValue,";and user>0","")
     ParaValue=replace(ParaValue,">","")
     ParaValue=replace(ParaValue,"<","")
     ParaValue=replace(ParaValue,"=","")
     ParaValue=replace(ParaValue,"count","")
     ParaValue=replace(ParaValue,"select","")
     ParaValue=replace(ParaValue,"drop","")
     ParaValue=replace(ParaValue,"delect","")
     ParaValue=replace(ParaValue,"insert","")
     ParaValue=replace(ParaValue,"execute","")
     ParaValue=replace(ParaValue,"update","")    
     ParaValue=replace(ParaValue,"mid","")
     ParaValue=replace(ParaValue,"exec","")
     ParaValue=replace(ParaValue,"master","")
     ParaValue=replace(ParaValue,"char","")
     ParaValue=replace(ParaValue,"declare","")
     ParaValue=replace(ParaValue,"*","")
     ParaValue=replace(ParaValue,"%","")
     ParaValue=replace(ParaValue,"chr","")
     ParaValue=replace(ParaValue,"truncate","")
       End if
       SafeRequest=ParaValue
End function
'调用方式
DirID=Request("DirID")'///数据目录名称参数/无则表示全部数据
DirID=SafeRequest(DirID,1)


Dim SQL_inbreakstr
SQL_inbreakstr = "'|or|and|exec|insert|select|delete|update|drop|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inbreak = split(SQL_inbreakstr,"|")
R_Q=Request.QueryString
R_F=Request.Form
IF R_Q<>"" THEN
 For i=0 To Ubound(SQL_inbreak)
  IF instr(R_Q,SQL_inbreak(i))>0 THEN
   Response.Write "*****"
                           Response.End
  END IF
 Next
End IF

IF R_F<>"" THEN
 For i=0 To Ubound(SQL_inbreak)
  IF instr(R_F,SQL_inbreak(i))>0 THEN
   Response.Write "*****"
                           Response.End
  END IF
 Next
END IF


<%
'--------版权说明------------------
'SQL通用防注入程åº?V2.0 完美ç‰?BR>'本程序由 火狐-枫知¿U?独立开å?BR>'å¯ÒŽœ¬½E‹åºæœ‰ä“Q何疑问请联系本äh
'QQ:613548

'--------定义部䆾------------------
Dim Fy_Post,Fy_Get,Fy_In,Fy_Inf,Fy_Xh,Fy_db,Fy_dbstr
'自定义需要过滤的字串,�"� 分隔
Fy_In = "'æž?æž«andæž«execæž«insertæž«selectæž«deleteæž«updateæž«countæž?æž?æž«chræž«midæž«masteræž«truncateæž«charæž«declare"
'----------------------------------
%>

Response.Write "<Script Language=JavaScript>alert('枫网SQL通用防注入系¾lŸæ½Cºâ†“\n\n请不要在参数中包含非法字½W¦å°è¯•æ³¨å…¥ï¼\n\nHTTP://WwW.WrSkY.CoM  ¾pȝ»Ÿç‰ˆæœ¬:V2.0(ASP)完美ç‰?);</Script>"
Response.Write "非法操作åQç³»¾lŸåšäº†å¦‚下记录↓<br>"
Response.Write "操作åQ©ï¼°åQ?&Request.ServerVariables("REMOTE_ADDR")&"<br>"
Response.Write "操作旉™—´åQ?&Now&"<br>"
Response.Write "操作™åµé¢åQ?&Request.ServerVariables("URL")&"<br>"
Response.Write "提交方式åQšï¼§åQ¥ï¼´<br>"
Response.Write "提交参数åQ?&Fy_Get&"<br>"
Response.Write "提交数据åQ?&Request.QueryString(Fy_Get)
Response.End
End If
Next
Next
End If
'----------------------------------
%>

可以防止所有得sql注入åQ?BR>Function SafeRequest(ParaName,ParaType)
 '--- 防止SQL注入 ---
 'ParaName:参数名称-字符åž?BR> 'ParaType:参数¾cÕdž‹-æ•°å­—åž?1表示以上参数是数字，0表示以上参数为字½W?
 Dim ParaValue
 ParaValue=Request(ParaName)
 If ParaType=1 then
  If not isNumeric(ParaValue) then
   Response.write "<br><br><br><center><font color=red>参数" & ParaName & "必须为数字型åQ?
   Response.end
  End if
 Else
  ParaValue=replace(ParaValue,"'","''")
 End if
 SafeRequest=ParaValue
End function
来源åQ?A >http://www.yesky.com/305/1899305.shtml

import java.sql.*;
import java.util.*;
import fibernews.framework.db.*;
import fibernews.beans.Employee;
import fibernews.util.function.HandleString;
import fibernews.framework.logging.Logger;

/**
 * @author Administrator
 *
 * TODO To change the template for this generated type comment go to
 * Window - Preferences - Java - Code Style - Code Templates
 */
public class ListEmpAction extends Action {

 List list ;
 public String process(HttpServletRequest request, HttpServletResponse response) {
     Connection conn=DBHelper.getConnection();
 Statement st=null;
     PreparedStatement pst=null;
     ResultSet rs=null ;
        String  query=HandleString.toChinese(request.getParameter("query"));
        if ((query==null)||query.trim().equals("")) query="lmsun";
  try{
 
      String sql="select * from employee_email where name like '%"+query+"%' or email like '%"+query+"%'" ;
      //st=conn.createStatement();
  pst=conn.prepareStatement(sql);
  rs=pst.executeQuery();
  list=new ArrayList();
  Employee emp;
  while (rs.next()){
   emp=new Employee();
   emp.setId(rs.getString("id"));
   emp.setEmployee_bh(rs.getString("employee_bh"));
   emp.setName(rs.getString("name"));
   emp.setEmail(rs.getString("email"));
   emp.setDepartment1(rs.getString("department1"));
   emp.setDepartment2(rs.getString("department2"));
   emp.setDepartment3(rs.getString("department3"));
   list.add(emp);
  }

  
  }
  
   catch (Exception e) {
         System.out.println("Error Connecting to catalog DB: " + e.toString());
       }
   finally {
    DBHelper.close(rs,pst,conn);
   }
   request.setAttribute("empList",list);
   return "/intra/query/emailbook.jsp";
  
 }
   public static void main(String[] args)
   {
     ListEmpAction empaction = new ListEmpAction();
     System.out.print("End"); 
   }
  
}