28,408
社区成员
发帖
与我相关
我的任务
分享我的这种写法是否能解决sql注入?
我感觉那些为sql注入专门写的函数,会使程序的执行效率降低很多,我觉得有些传过来的参数根本不需要判断!
所以我写代码是从没专门写过函数:
我喜欢接数字型时:a=cint(request("name"))
字符型时:a=replace(str,"'","")
不知道我这种写法到底能不能防范所有的sql注入?????请指教
所以我写代码是从没专门写过函数:
我喜欢接数字型时:a=cint(request("name"))
字符型时:a=replace(str,"'","")
不知道我这种写法到底能不能防范所有的sql注入?????请指教
...全文
请发表友善的回复…
发表回复
wlnh420 2005-06-02
- 打赏
- 举报
16进制注入????????是怎么回事?
快结贴了,请高手们讲解一下!
快结贴了,请高手们讲解一下!
cmslovehxh 2005-06-02
- 打赏
- 举报
还要防16进制注入
jackycxg 2005-06-01
- 打赏
- 举报
传递不同类型的值,进行分别分析吧、、、
zhubi 2005-06-01
- 打赏
- 举报
ding
zhubi 2005-06-01
- 打赏
- 举报
请问这样怎么不行replace(str,"'","")?
为什么换replace(str,"'",""")?
为什么换replace(str,"'",""")?
yonghengdizhen 2005-06-01
- 打赏
- 举报
对于字符串数据,只需要按上面的处理,把单引号替换成一对单引号处理就好了.
对于其它类型的数据,进行对应类型的数据合法性检测就可以了.
使用ado方式执行数据插入更新,则不需要这些附加检测.
上面就是防止sql注入的全部注意事项..
至于输出数据,如果目的不是输出html文本,使用server.htmlencode处理就好.而用不着在数据库存储的时候改变存储的原始数据.
对于其它类型的数据,进行对应类型的数据合法性检测就可以了.
使用ado方式执行数据插入更新,则不需要这些附加检测.
上面就是防止sql注入的全部注意事项..
至于输出数据,如果目的不是输出html文本,使用server.htmlencode处理就好.而用不着在数据库存储的时候改变存储的原始数据.
zhanghongwen 2005-06-01
- 打赏
- 举报
帮你顶!呵呵
zhubi 2005-06-01
- 打赏
- 举报
顶
位流 2005-06-01
- 打赏
- 举报
要是字符型,感觉不用替空格!
字符型需要'来造sql语句,只有空格没'无所谓!
那不一定,哈哈
字符型需要'来造sql语句,只有空格没'无所谓!
那不一定,哈哈
wlnh420 2005-06-01
- 打赏
- 举报
要是字符型,感觉不用替空格!
字符型需要'来造sql语句,只有空格没'无所谓!
字符型需要'来造sql语句,只有空格没'无所谓!
位流 2005-06-01
- 打赏
- 举报
只要替换掉' 和空格和 /就行了
'不用说为什么了
空格 : 没有空格你能造出sql语句?
/ :为了防止/**/代替空格
'不用说为什么了
空格 : 没有空格你能造出sql语句?
/ :为了防止/**/代替空格
小赵 2005-06-01
- 打赏
- 举报
帮你顶咯~1
嘿嘿
我也不是很明白这些玩意儿
嘿嘿
我也不是很明白这些玩意儿
wlnh420 2005-06-01
- 打赏
- 举报
--是SQLServer的注释
;是sql语句的分隔符
%00是字符串的结束标志
chr()得到想要的字符
我是这样想的:
这些是针对“数子”形的吧 如id=2;sql语句,所以cint()就可以了!
那字符型注入,是不是必须用到'号,而且替换了'为空或者别的就应该没有任何问题,因为字符型在sql语句中体现为 '字符',所以你注入必须加'号,来组成两条sql语句!
替换为replace(str,"'","")应该也没问题!!!
放一天结贴!
;是sql语句的分隔符
%00是字符串的结束标志
chr()得到想要的字符
我是这样想的:
这些是针对“数子”形的吧 如id=2;sql语句,所以cint()就可以了!
那字符型注入,是不是必须用到'号,而且替换了'为空或者别的就应该没有任何问题,因为字符型在sql语句中体现为 '字符',所以你注入必须加'号,来组成两条sql语句!
替换为replace(str,"'","")应该也没问题!!!
放一天结贴!
indexroot 2005-06-01
- 打赏
- 举报
注入时:
--是SQLServer的注释
;是sql语句的分隔符
%00是字符串的结束标志
chr()得到想要的字符
最好
只允许GET/POST来字母数字
并
过滤create,select,insert,update,delete,shutdown,drop
--是SQLServer的注释
;是sql语句的分隔符
%00是字符串的结束标志
chr()得到想要的字符
最好
只允许GET/POST来字母数字
并
过滤create,select,insert,update,delete,shutdown,drop
wwx5240 2005-06-01
- 打赏
- 举报
因为前段时间给个朋友做一个英文网,对方一定要在某些地方输入单引号(英文的确经常有像I'm,Don't之类的输入),于是想出了一种写法(算是独创,虽然很简单),感觉还不错,写法如下:
在对任何输入执行:
replace(inputStr,"'","*|*")
在对任何写出执行:
replace(inputStr,"*|*","'")
在对任何输入执行:
replace(inputStr,"'","*|*")
在对任何写出执行:
replace(inputStr,"*|*","'")
zwf88 2005-06-01
- 打赏
- 举报
说来搞笑,没人回贴。你帮我回复一下我好结帖。
phuson 2005-06-01
- 打赏
- 举报
对于过滤掉sql关键字的方法,我有一个问题不明白:就是比如我要在CSDN上查询关于select用法的帖子,查询字符串就为“select的用法”,把select过滤掉之后还怎么查啊?
danis_cn 2005-06-01
- 打赏
- 举报
防止注入要放的彻底一些!
Function checkcheck(UserName)
UserName=Replace(Lcase(UserName),"or","")
UserName=Replace(Lcase(Username),"=","")
UserName=Replace(Lcase(Username),"'","")
UserName=Replace(Lcase(Username),"+","")
UserName=Replace(Lcase(Username),";","")
UserName=Replace(Lcase(Username),"select","")
UserName=Replace(Lcase(Username),"delete","")
UserName=Replace(Lcase(Username),"update","")
UserName=Replace(Lcase(Username),"insert","")
UserName=Replace(Lcase(Username),"@","")
UserName=Replace(Lcase(Username),"#","")
UserName=Replace(Lcase(Username),"$","")
UserName=Replace(Lcase(Username),"^","")
UserName=Replace(Lcase(Username),"*","")
UserName=Replace(Lcase(Username),"<","")
UserName=Replace(Lcase(Username),">","")
UserName=Replace(Lcase(Username),"?","")
UserName=Replace(Lcase(Username),"--","")
UserName=Replace(Lcase(Username),"and","")
UserName=Replace(Lcase(Username),",","")
UserName=Replace(Lcase(Username),"\","")
UserName=Replace(Lcase(Username),"/","")
UserName=Replace(Lcase(Username),".","")
UserName=Replace(Lcase(Username)," ","")
UserName=Trim(UserName)
checkcheck=UserName
End Function
Function checkcheck(UserName)
UserName=Replace(Lcase(UserName),"or","")
UserName=Replace(Lcase(Username),"=","")
UserName=Replace(Lcase(Username),"'","")
UserName=Replace(Lcase(Username),"+","")
UserName=Replace(Lcase(Username),";","")
UserName=Replace(Lcase(Username),"select","")
UserName=Replace(Lcase(Username),"delete","")
UserName=Replace(Lcase(Username),"update","")
UserName=Replace(Lcase(Username),"insert","")
UserName=Replace(Lcase(Username),"@","")
UserName=Replace(Lcase(Username),"#","")
UserName=Replace(Lcase(Username),"$","")
UserName=Replace(Lcase(Username),"^","")
UserName=Replace(Lcase(Username),"*","")
UserName=Replace(Lcase(Username),"<","")
UserName=Replace(Lcase(Username),">","")
UserName=Replace(Lcase(Username),"?","")
UserName=Replace(Lcase(Username),"--","")
UserName=Replace(Lcase(Username),"and","")
UserName=Replace(Lcase(Username),",","")
UserName=Replace(Lcase(Username),"\","")
UserName=Replace(Lcase(Username),"/","")
UserName=Replace(Lcase(Username),".","")
UserName=Replace(Lcase(Username)," ","")
UserName=Trim(UserName)
checkcheck=UserName
End Function
wlnh420 2005-06-01
- 打赏
- 举报
只想知道为什么,顶!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1111111111111111111111111111111111111
wlnh420 2005-05-31
- 打赏
- 举报
谢谢,我想知道为什么没用?
可以举一个能注入的sql语句例子吗?
可以举一个能注入的sql语句例子吗?
加载更多回复(13)
