28,408
社区成员
发帖
与我相关
我的任务
分享怎样才能防止SQL的注入式漏洞攻击?
在用ASP页面做查询的时候,有些参数是必须得通过页面传递的,但在处理页面参数时怎样才能防止SQL的注入式漏洞攻击?麻烦说滴详细些呗
...全文
请发表友善的回复…
发表回复
xkou 2004-04-15
- 打赏
- 举报
这样的语句必须经过过滤
sql="select * from table where id=" & request("id")
function checkstr(k)
k=trim(k)
k=replace (k," "," ")
k=replace (k,">",">")
k=replace (k,"<","<")
k=replace (k,chr(9)," ")
k=replace (k,chr(39),"'")
k=replace (k,chr(34),""")
checkstr=k
end function
sql="select * from table where id=" & checkstr(request("id"))
sql="select * from table where id=" & request("id")
function checkstr(k)
k=trim(k)
k=replace (k," "," ")
k=replace (k,">",">")
k=replace (k,"<","<")
k=replace (k,chr(9)," ")
k=replace (k,chr(39),"'")
k=replace (k,chr(34),""")
checkstr=k
end function
sql="select * from table where id=" & checkstr(request("id"))
54NB 2004-04-15
- 打赏
- 举报
回復文章的,請自己測試過再告訴別人!
防范方法見此文:
http://nb.unionbyte.com/View.asp?PostID=1456617
防范方法見此文:
http://nb.unionbyte.com/View.asp?PostID=1456617
flywolfkyo 2004-04-15
- 打赏
- 举报
把传递的参数值replace一下
replace(trim(request(参数)),"'","")
replace(trim(request(参数)),"'","")
iloveyaner 2004-04-15
- 打赏
- 举报
如果是SQL需要过滤掉系统表和危险的存储过程。尤其xp_cmdshell 汗~~~
kanshangren 2004-04-15
- 打赏
- 举报
一般来说把'替换掉就可以了
