Can an anti-injection function like this completely stop SQL injection?
Also, the whole site does not use cookies at all.
' Classic ASP / VBScript blacklist filter: reads the request parameter named by str,
' lower-cases and trims it, then blanks out each listed token (literals kept as posted).
function noSql(str)
    str = request(str)
    str = lcase(Trim(str))
    str = Replace(str, Chr(0), " ")   ' NUL byte
    str = Replace(str, " ' ", " ")
    str = Replace(str, "% ", " ")
    str = Replace(str, "^ ", " ")
    str = Replace(str, "; ", " ")
    str = Replace(str, "* ", " ")
    str = Replace(str, "& ", " ")
    str = Replace(str, " < ", " ")
    str = Replace(str, "> ", " ")
    str = Replace(str, "| ", " ")
    str = Replace(str, "and ", " ")
    str = Replace(str, "chr ", " ")
    str = Replace(str, "char ", " ")
    noSql = str
end function
------Solution--------------------
Using stored procedures for every database access across the whole site is the safest approach.
------Solution--------------------
No need to go that far; you only need to use parameterized queries at the lowest data-access layer. That is absolutely safe.
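To make the second reply concrete, here is an added example that is not part of the thread: it ports the poster's noSql() blacklist to Python (token list copied as posted, including the spaces), then runs the same lookup once as string concatenation and once as a parameterized query against an in-memory SQLite table with constructed rows. Python's sqlite3 stands in for ASP/ADO; the table, rows and function names are assumptions made for the demonstration. It shows two things the thread only states: the blacklist silently corrupts legitimate input such as a name containing "and", while a bound parameter is never parsed as SQL, so both a tautology payload and a legitimate apostrophe are handled correctly without any filtering.

```python
import sqlite3

# Hypothetical Python port of the VBScript noSql() blacklist from the question.
# The token list is copied verbatim from the post, spaces included.
BLACKLIST_TOKENS = ["\x00", " ' ", "% ", "^ ", "; ", "* ", "& ",
                    " < ", "> ", "| ", "and ", "chr ", "char "]


def no_sql(value: str) -> str:
    """Trim, lower-case and blank out the listed tokens, as the posted function does."""
    value = value.strip().lower()
    for token in BLACKLIST_TOKENS:
        value = value.replace(token, " ")
    return value


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"),
         ("Rock and Roll", "user"), ("O'Brien", "user")],
    )
    return conn


def find_user_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the value is spliced into the SQL text, so the
    database parses whatever the caller sent as part of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: the value is bound as a parameter; the statement
    text is fixed, so the input can only ever be compared as data."""
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def concat_raises(conn: sqlite3.Connection, name: str) -> bool:
    """True if the concatenated query fails to parse for this input."""
    try:
        find_user_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("blacklist mangles legit input:", repr(no_sql("Rock and Roll")))
    print("concat + tautology:", find_user_concat(db, "x' OR 'a'='a"))
    print("param  + tautology:", find_user_param(db, "x' OR 'a'='a"))
    print("param  + apostrophe:", find_user_param(db, "O'Brien"))
    print("concat + apostrophe errors:", concat_raises(db, "O'Brien"))
```

Note that the blacklist turns "Rock and Roll" into "rock  roll", so the filtered value no longer matches the stored row at all, whereas the parameterized lookup returns the row for "O'Brien" unchanged and returns nothing for the tautology string, because the quote inside it is just a character in the bound value.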