我们继承了一个旧网站,其中包含近2000个不同的手工构建的SQL字符串,直接从httprequests中获取变量.该站点经常受到SQL注入攻击的攻击.显然,这个站点应该使用SQL参数进行编码,以避免这种安全噩梦,但是由于涉及的工作量有所改变,我们正在寻找另一种"清理"传入请求的方法.
主要清洁功能: -
Public Function myRequest(ByRef Request As HttpRequest, ByVal param As String) As String
Return CleanRequest(Request(param))
End Function
Public Function CleanRequest(ByVal requestString As String) As String
Dim badChars() As String = {"select", "drop", ";", "--", "insert", "delete", "xp_", "update"}
Dim newChars As String = requestString
For i = 0 To UBound(badChars)
newChars = Replace(newChars, badChars(i), "", 1, -1, vbTextCompare)
Next
CleanRequest = Replace(newChars, "'", "''")
End Function
这样称呼: -
Dim details As DataSet
detailsSQL = "select * from mytable …