那些遇到过的问题

SQL注入这很好

Fra*_* G. 4 sql-injection asp-classic

我对此做了很多研究,但我仍然有一个问题需要理解它.但是我想确保我受到适当的保护.我在Classic ASP中编写了一个函数来帮助防止SQL注入或可能对数据库施加暴力.如果我需要添加或删除内容甚至更正问题以使其更安全,您能否给我自己的意见和建议?非常感谢你提前!!

我在插入MySQL数据库之前使用下面这个.

插入示例:

conn.execute("INSERT INTO " & employees & "(eid, first_name, last_name) VALUES('" & Clng(strEID) & "','" & SQLClean(strfirstname) & "','" & SQLClean(strlastname) & "');")
Run Code Online (Sandbox Code Playgroud)

功能:

Private Function SQLClean(ByVal strString)
    If strString <> "" Then
        strString = Trim(strString)

        'Remove malisous charcters from sql\
        strString = replace(strString,"-shutdown","", 1, -1, 1)
        strString = replace(strString,"\","\\", 1, -1, 1)
        strString = replace(strString,"=","\=", 1, -1, 1)
        strString = replace(strString,",","\,", 1, -1, 1)
        strString = replace(strString,"`","\`", 1, -1, 1)
        strString = replace(strString,"&","\&", 1, -1, 1)
        strString = replace(strString,"/","\/", 1, -1, 1)      
        strString = replace(strString,"[","\[", 1, -1, 1)
        strString = replace(strString,"]","\]", 1, -1, 1)
        strString = replace(strString,"{","\{", 1, -1, 1)
        strString = replace(strString,"}","\}", 1, -1, 1)
        strString = replace(strString,"(","\(", 1, -1, 1)
        strString = replace(strString,")","\)", 1, -1, 1)
        strString = replace(strString,";","\;", 1, -1, 1)
        strString = replace(strString,"+","\+", 1, -1, 1)
        strString = replace(strString,"<","\<", 1, -1, 1)
        strString = replace(strString,">","\>", 1, -1, 1)
        strString = replace(strString,"^","\^", 1, -1, 1)
        strString = replace(strString,"@","\@", 1, -1, 1)
        strString = replace(strString,"$","\$", 1, -1, 1)
        strString = replace(strString,"%","\%", 1, -1, 1)
        strString = replace(strString,"!","\!", 1, -1, 1)
        strString = replace(strString,"*","\*", 1, -1, 1)
        strString = replace(strString,"~","\~", 1, -1, 1)
        strString = replace(strString,"#","\#", 1, -1, 1)
        strString = replace(strString,"?","\?", 1, -1, 1)
        strString = replace(strString,"'","\'", 1, -1, 1)
        strString = replace(strString,"""","\""", 1, -1, 1)
        strString = replace(strString,"select","\select", 1, -1, 1)
        strString = replace(strString,"insert","\insert", 1, -1, 1)
        strString = replace(strString,"update","\update", 1, -1, 1)
        strString = replace(strString,"delete","\delete", 1, -1, 1)
        strString = replace(strString," or "," \or ", 1, -1, 1)
        strString = replace(strString," and "," \and ", 1, -1, 1)
        strString = replace(strString,"drop","\drop", 1, -1, 1)
        strString = replace(strString,"union","\union", 1, -1, 1)
        strString = replace(strString,"into","\into", 1, -1, 1)

        'Return cleaned value.
        SQLClean = Trim(strString)

    End If
End Function
Run Code Online (Sandbox Code Playgroud)

tad*_*man 15

不要在任何情况下尝试编写自己的SQL转义代码,除非它纯粹是一个学术练习.你会弄错的.如果有人在您的网站上使用SQL注入攻击工具,您将遭受严重后果.那些采取随意方法的人已经破坏了企业和职业.

我花了三分钟时间在StackOverflow上找到一个关于使用参数讨论Classic ASP和MySQL查询的示例.

请,请,使用官方的设施,不滚你自己的.

归档时间:

查看次数:

4455 次

最近记录:

11 年,8 月 前
我可以通过使用单引号转义单引号和周围用户输入来防止SQL注入吗? 131
更多相关链接
相关归档
经典ASP(VBScript)将HTML代码转换为纯文本 13
经典ASP - 使用Windows身份验证的SQL Server 2008连接字符串 10
如何通过用户输入破坏/利用此SQL查询代码? 8
HTML表单值在Classic ASP中添加逗号 7
经典ASP使用SMTP身份验证发送电子邮件 7
如何使用SQL注入更新表? 3
任何人都有基准/速度测试比较经典ASP与ASP.NET 2.0或3.5? 2
如何在vbscript中检查数组中的变量 2
经典的ASP类属性 1
无法使用ASP DeleteFile方法删除文件 1
难疑归档
var functionName = function(){} vs function functionName(){} 6645
如何从异步调用返回响应? 5208
如何决定何时使用Node.js? 2198
将字符串转换为datetime 2035
什么是C ??!??!操作员呢? 1911
为什么在允许某些Unicode字符的注释中执行Java代码? 1326
丢弃Git中的本地提交 1304
安全地将JSON字符串转换为对象 1298
如何在Python中使用线程? 1210
如何在JavaScript中将浮点数转换为整数? 1043