[讨论]C/S系统也应该有防止SQL注入处理吗?
我在网上发现有很多关于ASP的SQL注入的文章,我想C/S结构也同样有这样的问题吧。不知道大家是如何处理的?一般注入点有哪些?登记用户处?设置检索条件时?
今天我用VB6写了一个函数,然后对可能的注入点进行过滤,不知道这样行不行,新手希望得到指教。
'*************************************************************************
'**函 数 名:SQLCheck
'**输 入:strInput(String) -
'**输 出:(String) -
'**功能描述:Sql注入检查
'**全局变量:
'**调用模块:
'**作 者:**
'**日 期:2005-10-31 08:36:01
'**修 改 人:
'**日 期:
'**版 本:V1.0.81
'*************************************************************************
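Public Function SQLCheck(ByVal strInput As String) As String
    ' Purpose: blank out a fixed list of SQL keywords and the single-quote
    ' character in strInput by replacing every occurrence with "*".
    '
    ' Input : strInput (String) - text the caller intends to concatenate into SQL.
    ' Output: (String) - strInput with each match replaced by "*"; the text is
    '         returned unchanged (original letter case kept) when nothing matched.
    '         Returns "" if a run-time error is raised inside the function.
    '
    ' NOTE(review): this is a keyword blacklist, not an escaping routine. It
    ' damages legitimate data that contains a listed word ("del" also hits
    ' "delete" and "model", "union" hits "Union Street"), and a blacklist does
    ' not make string-built SQL safe. The dependable fix is to pass user input
    ' as query parameters (ADODB.Command with Parameters) rather than building
    ' the statement by string concatenation; keep this routine, if at all, as a
    ' secondary check only.
    On Error GoTo ErrorHandler
    '------------------------------------------------
    ' Replacements run in this fixed order. The order matters only when two
    ' keywords overlap in the input (e.g. "joinsert"), so it is kept as in the
    ' original version; the duplicate "select" entry was dropped (a second pass
    ' could never match anything after the first one).
    Dim keywords As Variant
    keywords = Array("select", "'", "exec", "object", "join", "union", _
                     "where", "insert", "update", "del", "drop", "create", _
                     "rename", "alter", "revoke", "grant")

    Dim strTemp As String
    Dim kw As Variant
    strTemp = strInput
    ' vbTextCompare makes Replace case-insensitive, so lower-casing the whole
    ' input first is unnecessary; skipping it keeps the caller's original
    ' letter case in the returned text instead of silently lower-casing it.
    For Each kw In keywords
        strTemp = Replace(strTemp, kw, "*", 1, -1, vbTextCompare)
    Next kw
    SQLCheck = strTemp
    '------------------------------------------------
    Exit Function
    '----------------
ErrorHandler:
    ' Any run-time error yields an empty string, as in the original version.
    SQLCheck = ""
End Function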