asp防止上传木马原理：

首先判断文件大小：

if file.filesize<10 then
  response.write("<script>alert('您没有选择上传文件')</script>")
  response.write("<script>history.go(-1)</script>")
  response.end()
end if

将文件上传到服务器后，判断用户文件中的危险操作字符：

set myfile = server.createobject("scripting.filesystemobject")
set mytext = myfile.opentextfile(filepath, 1) '读取文本文件
stextall = lcase(mytext.readall)
mytext.close
set myfile = nothing
sstr=".getfolder|.createfolder|.deletefolder|.createdirectory|.deletedirectory|.saveas
|wscript.shell|script.encode|server.|.createobject|execute|activexobject|language="
snostring = split(sstr,"|")
for i=0 to ubound(snostring)
  if instr(stextall,snostring(i)) then
    set filedel = server.createobject("scripting.filesystemobject")
    filedel.deletefile filepath
    set filedel = nothing
    response.write("<script>alert('您上传的文件有问题，上传失败');window.close();</script>")
    response.end()
  end if
next