Date: 2014-05-17  Views: 20790

Can an anti-injection function like this completely prevent injection?
Also, the whole site does not use cookies at all.
function noSql(str)
    ' str is the name of a request variable; read its value and normalise it
    str = Request(str)
    str = LCase(Trim(str))
    ' blacklist: replace each listed character or keyword with a space
    str = Replace(str, Chr(0), " ")
    str = Replace(str, "'", " ")
    str = Replace(str, "%", " ")
    str = Replace(str, "^", " ")
    str = Replace(str, ";", " ")
    str = Replace(str, "*", " ")
    str = Replace(str, "&", " ")
    str = Replace(str, "<", " ")
    str = Replace(str, ">", " ")
    str = Replace(str, "|", " ")
    str = Replace(str, "and", " ")
    str = Replace(str, "chr", " ")
    str = Replace(str, "char", " ")
    noSql = str
end function


------Solution--------------------
The safest option is to access the database through stored procedures across the whole site.
------Solution--------------------
It is not that dramatic; you only need to use parameterized queries at the lowest layer. That is absolutely safe.
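Both answers come down to the same mechanism: the request value is bound as a parameter and never concatenated into the SQL text, so the blacklist in noSql() becomes unnecessary. The following classic ASP snippet is an added example, not code from the original poster or either answer; it uses ADODB.Command for a parameterized SELECT (second answer) and for a stored-procedure call (first answer). The connection string, the users/orders tables, the column names and the procedure name usp_GetOrdersForUser are assumptions for illustration.

```vbscript
' Added example (not part of the original thread): parameterized database access
' from classic ASP with ADODB.Command. Connection string, table, column and
' procedure names below are assumptions.

' ADO enumeration values (ADO does not define these constants unless adovbs.inc is included)
Const adInteger = 3          ' DataTypeEnum
Const adVarChar = 200
Const adParamInput = 1       ' ParameterDirectionEnum
Const adCmdText = 1          ' CommandTypeEnum
Const adCmdStoredProc = 4

' Assumed connection string; replace with your own.
Const CONN_STR = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=demo;Integrated Security=SSPI;"

' Parameterized SELECT: the value is sent as data, so quotes, comments or
' keywords inside it are never parsed as SQL. No noSql()-style filtering needed.
Function FindUserByName(userName)
    Dim conn, cmd, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open CONN_STR

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT id, username FROM users WHERE username = ?"
    ' size 50 matches the assumed width of the username column; CStr() turns the
    ' request item into a plain string before binding
    cmd.Parameters.Append cmd.CreateParameter("@username", adVarChar, adParamInput, 50, CStr(userName))

    Set rs = cmd.Execute
    If rs.EOF Then
        FindUserByName = ""
    Else
        FindUserByName = rs("id") & ":" & rs("username")
    End If
    rs.Close
    conn.Close
End Function

' Stored-procedure call (first answer): still bound, still never concatenated.
' usp_GetOrdersForUser(@user_id int) is an assumed procedure.
Function CountOrdersForUser(userId)
    Dim conn, cmd, rs, n
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open CONN_STR

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "usp_GetOrdersForUser"
    ' CLng() rejects non-numeric input with a runtime error instead of passing it on
    cmd.Parameters.Append cmd.CreateParameter("@user_id", adInteger, adParamInput, , CLng(userId))

    n = 0
    Set rs = cmd.Execute
    Do Until rs.EOF
        n = n + 1
        rs.MoveNext
    Loop
    rs.Close
    conn.Close
    CountOrdersForUser = n
End Function

' Usage: raw request values go straight into the parameters.
Response.Write FindUserByName(Request.QueryString("u")) & "<br>"
Response.Write CountOrdersForUser(Request.QueryString("id"))
```

The point of the design is that a stored procedure only helps when its arguments are bound as in CountOrdersForUser; a procedure whose body builds SQL by string concatenation, or a page that calls it with `"EXEC usp_... " & value`, is back to the original problem. Parameterization at the data-access layer is what both answers rely on.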