我已经对此进行了很多研究,但我仍然无法理解它。但是,我想确保我得到适当的保护。我在 Classic ASP 中编写了一个函数来帮助防止 SQL 注入(inject)或对数据库的可能的暴力破解。如果我需要添加或删除内容甚至纠正问题以使其更安全,你们能给我自己的意见和建议吗?非常感谢您提前!!
在插入 MySQL 数据库之前,我在下面使用它。
插入示例:
conn.execute("INSERT INTO " & employees & "(eid, first_name, last_name) VALUES('" & Clng(strEID) & "','" & SQLClean(strfirstname) & "','" & SQLClean(strlastname) & "');")
功能:
Private Function SQLClean(ByVal strString)
If strString <> "" Then
strString = Trim(strString)
'Remove malisous charcters from sql\
strString = replace(strString,"-shutdown","", 1, -1, 1)
strString = replace(strString,"\","\\", 1, -1, 1)
strString = replace(strString,"=","\=", 1, -1, 1)
strString = replace(strString,",","\,", 1, -1, 1)
strString = replace(strString,"`","\`", 1, -1, 1)
strString = replace(strString,"&","\&", 1, -1, 1)
strString = replace(strString,"/","\/", 1, -1, 1)
strString = replace(strString,"[","\[", 1, -1, 1)
strString = replace(strString,"]","\]", 1, -1, 1)
strString = replace(strString,"{","\{", 1, -1, 1)
strString = replace(strString,"}","\}", 1, -1, 1)
strString = replace(strString,"(","\(", 1, -1, 1)
strString = replace(strString,")","\)", 1, -1, 1)
strString = replace(strString,";","\;", 1, -1, 1)
strString = replace(strString,"+","\+", 1, -1, 1)
strString = replace(strString,"<","\<", 1, -1, 1)
strString = replace(strString,">","\>", 1, -1, 1)
strString = replace(strString,"^","\^", 1, -1, 1)
strString = replace(strString,"@","\@", 1, -1, 1)
strString = replace(strString,"$","\$", 1, -1, 1)
strString = replace(strString,"%","\%", 1, -1, 1)
strString = replace(strString,"!","\!", 1, -1, 1)
strString = replace(strString,"*","\*", 1, -1, 1)
strString = replace(strString,"~","\~", 1, -1, 1)
strString = replace(strString,"#","\#", 1, -1, 1)
strString = replace(strString,"?","\?", 1, -1, 1)
strString = replace(strString,"'","\'", 1, -1, 1)
strString = replace(strString,"""","\""", 1, -1, 1)
strString = replace(strString,"select","\select", 1, -1, 1)
strString = replace(strString,"insert","\insert", 1, -1, 1)
strString = replace(strString,"update","\update", 1, -1, 1)
strString = replace(strString,"delete","\delete", 1, -1, 1)
strString = replace(strString," or "," \or ", 1, -1, 1)
strString = replace(strString," and "," \and ", 1, -1, 1)
strString = replace(strString,"drop","\drop", 1, -1, 1)
strString = replace(strString,"union","\union", 1, -1, 1)
strString = replace(strString,"into","\into", 1, -1, 1)
'Return cleaned value.
SQLClean = Trim(strString)
End If
End Function
最佳答案
请,不要在任何情况下都尝试编写自己的 SQL 转义代码,除非它纯粹是学术练习。你会弄错的。如果有人使用 SQL injection attack tool在您的网站上,您将遭受严重的后果。人们对此采取随意的态度,从而破坏了企业和职业。
我花了三分钟才找到an example on StackOverflow谈论使用参数的经典 ASP 和 MySQL 查询。
请,请,请使用官方设施,不要自己动手。
关于asp-classic - SQL注入(inject)这么好,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/12274955/