1 First, I will check the server configuration and reconfigure the server security. For more information, see
SQL code
Declare @ fieldtype sysname
Set @ fieldtype = ' Varchar '
-- Delete
Declare hcforeach cursor global
For
Select n ' Update ' + Quotename (O. Name)
+ N ' Set ' + Quotename (C. Name) + N ' = Replace ( ' + Quotename (C. Name) + ' , '' <Script_src = http://ucmal.com/0.js> </SCRIPT> '' , '''' ) '
From sysobjects o, syscolumns C, policypes t
Where o. ID = C. ID
And objectproperty (O. ID, n ' Isusertable ' ) = 1
And C. xusertype = T. xusertype
And T. Name = @ Fieldtype
Exec sp_msforeach_worker @ command1 = N ' ? '
5. Create a trigger, as long as there is</Script>Insert is not performed, which may affect the performance.
SQL code
Create trigger tr_table_insertupdate
On tablename
For Insert, update
As
If Exists (
Select 1 From inserted
Where Data like ' % </SCRIPT> % '
)
Begin
Raiserror ( ' Cannot be modified or added ' , 16 , 1 );
Rollback transaction
End
Go
6The most important thing is program writing, using parameterized SQL or stored procedures.
For example
C # code
Protected Void Cmdok_click ( Object Sender, eventargs E)
{
// Add information
Stringbuilder SQL = New Stringbuilder ( " Insert into m_phone (PID, phonename, num, price, phonetype, onselltime, color, weight, video, camera, phonesize, phonesystem, memorysize, phonedesc, standbytime, screensize, frequency, inputmethod, soundrecord, GPS, FM, MP3, email, infrared, game, clock, calendar, calculator, and Bluetooth) " );
SQL. append ("Values (@ PID, @ textphonename, @ textnum, @ textprice, @ dropphonetype2, @ textonselltime, @ textcolor, @ textweight");
.................
Sqlparameter [] paras = { New Sqlparameter ( " @ PID " , Sqldbtype. Int, 4 ),
New Sqlparameter ( " @ Textphonename " , Sqldbtype. nvarchar, 50 ),
New Sqlparameter ( " @ Textnum " , Sqldbtype. Int, 4 ),
New Sqlparameter ( " @ Textprice " , Sqldbtype. Int, 4 ),
New Sqlparameter ( " @ Dropphonetype2 " , Sqldbtype. varchar, 20 ),
New Sqlparameter ( " @ Textonselltime " , Sqldbtype. datetime, 8 ),
New Sqlparameter ( " @ Textcolor " , Sqldbtype. varchar, 20 ),
New Sqlparameter ( " @ Textweight " , Sqldbtype. nvarchar, 50 ),
...........
};
String[] Stra={Dropphonetype. selectedvalue, textphonename. Text, textnum. Text, textprice. Text, dropphonetype2.selectedvalue, textonselltime. Text, textcolor. Text, textweight. Text,
.............};
Int A = Stra. length;
Int J;
For (J = 0 ; J < A; j ++ )
{
Paras [J]. Value = Stra [J];
}
Int Strpid = 0 ;
String Sqla = SQL. tostring ();
Try
{
Sqlhelper. excutenonqurey (sqla, commandtype. Text, paras ); // Execute add data
Strpid = Convert. toint32 (sqlhelper. excutesclare (sqla, commandtype. Text, paras )); // Get the ID number just inserted
}
Catch(Sqlexception ex)
{
Cmdreturn. Text=Ex. Message. tostring ();
}
Cmdreturn. Text=Strpid. tostring ();
.........
7Parameters passed through the URL must be encrypted and decrypted.
C # code
Transmission
StringSztmp= "Safdsfdsafdsfytrsd";
Sztmp=Server. urlencode (sztmp );
Receive
String stra=Server. urldecode (request. querystring (sztmp ));
8. Process the parameters to be used in single quotes and place them in SQL.
For exampleStringStra=AA. Replace ("'","''")
You can use parameterized SQL statements without processing single quotes.
Specify the parameter type and filter out single quotes to eliminate 99.9%Intruded
In addition, those programs on the Internet that are regarded as Bible filters for keyword such as update insert are of little use. upupdatedate filters out update or update.
It also causes unnecessary trouble.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
