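What SQL injection strings are there?
An edit box accepts user input, and I need to determine whether the input string carries a SQL injection risk. So far I only check the following; please add to the list.
1. Escape characters
2. SQL keywords
3. Incorrect type handling
    Because most of the code others wrote earlier does not handle SQL injection, I can't go to every place and change the SQL statements to use parameters to avoid SQL injection, so I only check whether the input going into the SQL statement carries a SQL injection risk.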
------Solution--------------------
There is a featured post on avoiding SQL injection; search for it, and go take a look at Yezi's blog.
------Solution--------------------
Function SafeRequest(ParaName)
    Dim ParaValue
    ParaValue = Request(ParaName)
    ' Numeric values are passed through unchanged
    If IsNumeric(ParaValue) = True Then
        SafeRequest = ParaValue
        Exit Function
    ' Otherwise reject the value if it contains any blacklisted keyword (case-insensitive)
    ElseIf Instr(LCase(ParaValue),"select ") > 0 or Instr(LCase(ParaValue),"insert ") > 0 _
        or Instr(LCase(ParaValue),"delete from") > 0 or Instr(LCase(ParaValue),"count(") > 0 _
        or Instr(LCase(ParaValue),"drop table") > 0 or Instr(LCase(ParaValue),"update ") > 0 _
        or Instr(LCase(ParaValue),"truncate ") > 0 or Instr(LCase(ParaValue),"asc(") > 0 _
        or Instr(LCase(ParaValue),"mid(") > 0 or Instr(LCase(ParaValue),"char(") > 0 _
        or Instr(LCase(ParaValue),"xp_cmdshell") > 0 or Instr(LCase(ParaValue),"exec master") > 0 _
        or Instr(LCase(ParaValue),"net localgroup administrators") > 0 or Instr(LCase(ParaValue)," and ") > 0 _
        or Instr(LCase(ParaValue),"net user") > 0 or Instr(LCase(ParaValue)," or ") > 0 Then
        Response.Write "<script language='javascript'>"
        ' Message shown when a SQL injection attack is detected
        Response.Write "alert('非法的请求!');"
        ' Redirect URL used when a SQL injection attack is detected
        Response.Write "location.href='http://dev.yesky.com/';"
        Response.Write "</script>"
        Response.End
    Else
        SafeRequest = ParaValue
    End If
End Function
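 Use the SafeRequest func
The above is the relevant content on "Getting started for beginners: a new way to guard against SQL injection attacks"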
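An added example, not part of the original posts: a Python port of the keyword test in SafeRequest, run against a constructed in-memory SQLite table, comparing a concatenated query with a bound-parameter query on ordinary names. The table, the sample names, the helper names and the use of `float()` as a stand-in for `IsNumeric` are assumptions made for the illustration.

```python
import sqlite3

# Keyword list copied from the SafeRequest function above.
BLACKLIST = ["select ", "insert ", "delete from", "count(", "drop table",
             "update ", "truncate ", "asc(", "mid(", "char(", "xp_cmdshell",
             "exec master", "net localgroup administrators", " and ",
             "net user", " or "]

def safe_request(value):
    """Port of SafeRequest's test: True if the value would be accepted."""
    try:
        float(value)  # rough stand-in for VBScript IsNumeric (assumption)
        return True
    except ValueError:
        pass
    lowered = value.lower()
    return not any(keyword in lowered for keyword in BLACKLIST)

def make_db():
    """Constructed sample table, held in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE authors (name TEXT)")
    db.executemany("INSERT INTO authors VALUES (?)",
                   [("O'Brien",), ("Black and White",), ("Smith",)])
    return db

def lookup_concat(db, name):
    """Legacy style: the value is pasted into the SQL text."""
    sql = "SELECT name FROM authors WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_param(db, name):
    """Bound parameter: the value never becomes part of the SQL text."""
    return db.execute("SELECT name FROM authors WHERE name = ?", (name,)).fetchall()

def demo():
    """For each name: (filter accepted?, concatenated result, parameterized result)."""
    db = make_db()
    results = {}
    for name in ["Smith", "O'Brien", "Black and White"]:
        accepted = safe_request(name)
        try:
            concat = lookup_concat(db, name) if accepted else "rejected by filter"
        except sqlite3.Error:
            concat = "SQL error"  # the quote in the value broke the statement
        results[name] = (accepted, concat, lookup_param(db, name))
    return results

if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

The filter accepts `O'Brien`, whose quote still breaks the concatenated statement, and rejects the legitimate value `Black and White`; the bound-parameter query returns the right row in all three cases.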
------Solution--------------------
http://topic.csdn.net/u/20081205/09/3dd06076-bcbe-45d4-998c-8999fdbe6fae.html?84220