Date: 2014-05-18  Views: 20552

What are the SQL injection strings?
An edit box accepts user input, and I have to decide whether the input string carries a SQL injection risk. So far I only check for these; please add more..
1. Escape characters
2. SQL keywords
3. Incorrect type handling

Since most of the code written by others before me does not handle SQL injection, I can't go and change the SQL statements in every place to use parameters to avoid injection, so I only check whether the SQL input string carries an injection risk.

------Solution--------------------
There is a highlighted thread on preventing SQL injection; search for it, and go and see 叶子's scathing take on it.
------Solution--------------------
Function SafeRequest(ParaName)
    Dim ParaValue
    ParaValue = Request(ParaName)
    ' Purely numeric input is passed through unchanged
    If IsNumeric(ParaValue) = True Then
        SafeRequest = ParaValue
        Exit Function
    ' Otherwise reject the value if it contains any blacklisted keyword (case-insensitive)
    ElseIf Instr(LCase(ParaValue), "select ") > 0 Or Instr(LCase(ParaValue), "insert ") > 0 _
        Or Instr(LCase(ParaValue), "delete from") > 0 Or Instr(LCase(ParaValue), "count(") > 0 _
        Or Instr(LCase(ParaValue), "drop table") > 0 Or Instr(LCase(ParaValue), "update ") > 0 _
        Or Instr(LCase(ParaValue), "truncate ") > 0 Or Instr(LCase(ParaValue), "asc(") > 0 _
        Or Instr(LCase(ParaValue), "mid(") > 0 Or Instr(LCase(ParaValue), "char(") > 0 _
        Or Instr(LCase(ParaValue), "xp_cmdshell") > 0 Or Instr(LCase(ParaValue), "exec master") > 0 _
        Or Instr(LCase(ParaValue), "net localgroup administrators") > 0 Or Instr(LCase(ParaValue), " and ") > 0 _
        Or Instr(LCase(ParaValue), "net user") > 0 Or Instr(LCase(ParaValue), " or ") > 0 Then
        Response.Write "<script language='javascript'>"
        Response.Write "alert('非法的请求!');"                 ' message shown when a SQL injection attack is detected
        Response.Write "location.href='http://dev.yesky.com/';" ' URL to redirect to when a SQL injection attack is detected
        Response.Write "</script>"
        Response.End
    Else
        SafeRequest = ParaValue
    End If
End Function

Use the SafeRequest function

The content above is a beginner's introduction: a new way to guard against SQL injection attacks.
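As an added example (not code from this thread), a Python port of the SafeRequest keyword blacklist placed beside the parameterized query that the question says is the approach it cannot retrofit everywhere. Run against a constructed sqlite table (table name, rows and the is_numeric approximation are assumptions), it shows that the blacklist also rejects ordinary text containing " and " or " or ", while the parameterized query handles the same values without any keyword filtering.

```python
import re
import sqlite3
from typing import List, Tuple

# Keyword blacklist transcribed from the SafeRequest function posted in the thread.
BLACKLIST = [
    "select ", "insert ", "delete from", "count(", "drop table", "update ",
    "truncate ", "asc(", "mid(", "char(", "xp_cmdshell", "exec master",
    "net localgroup administrators", " and ", "net user", " or ",
]


def is_numeric(value: str) -> bool:
    """Approximation (assumed) of VBScript IsNumeric: optional sign, digits, optional fraction."""
    return re.fullmatch(r"[+-]?\d+(\.\d+)?", value.strip()) is not None


def safe_request(value: str) -> Tuple[str, bool]:
    """Port of the thread's SafeRequest: returns (value, accepted).
    Numeric input passes unchanged; any blacklisted substring (case-insensitive) rejects it."""
    if is_numeric(value):
        return value, True
    lowered = value.lower()
    if any(token in lowered for token in BLACKLIST):
        return value, False  # the ASP version writes the alert and calls Response.End here
    return value, True


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample table (not from the page) used to exercise both approaches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)",
                     [("fish and chips",), ("salt or pepper",), ("widget",)])
    return conn


def find_products_parameterized(conn: sqlite3.Connection, name: str) -> List[str]:
    """The alternative the question mentions: the driver sends the value separately from
    the SQL text, so the value is only ever compared as data, whatever words it contains."""
    rows = conn.execute("SELECT name FROM products WHERE name = ?", (name,)).fetchall()
    return [row[0] for row in rows]
```

Note that "fish and chips" is rejected by the blacklist purely because of the embedded " and ", whereas the parameterized lookup returns it normally.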

------Solution--------------------
http://topic.csdn.net/u/20081205/09/3dd06076-bcbe-45d4-998c-8999fdbe6fae.html?84220