預防SQL注入漏洞函數.
僅僅代表我的觀點.不怕見笑.有問題請大家指教!我想如果你是牛人,那這個已經不是值得你看的內容,只是覺得對與很多剛入門的ASP程式員來說還是有點實際意義,所以不怕被大家笑話,寫了貼在這裡!
----<%
Function checkStr(str)
if isnull(str) then
checkStr = ""
exit function
end if
checkStr=replace(str," ","")
checkStr=replace(str,"'","'")
checkStr=replace(str,";","'")
checkStr=replace(str,"--","'")
checkStr=replace(str,"(","'")
checkStr=replace(str,"[","'")
checkStr=replace(str,"$","'")
end function
%>
相關函數
Left(string, length)
返回指定數目的從字串的左邊算起的字元
Asc(string)
返回與字串的第一個字母對應的 ANSI 字元代碼。
Mid(string, start[, length])
從字串中返回指定數目的字元。
***********************************
我自己的做法是把字串限定在8個字元內,呵!(千萬條資料啊,沒誰有這樣大的記錄吧?99,999,999呵!不夠用,才怪了!除非你的資料從來不更新刪出,那也沒辦法,問題是sql到了這樣的時會是怎麼樣的速度)
---<%
if len(request.querystring("ddd"))> 8 then
response.write(黑我啊,不要了。少來)
response.end '最好有這句
'''初步是判斷是否是數字=======IsNumeric 函數
if IsNumeric(request.querystring("ddd")) then
Execute("select * from [table]")
....
else
response.write(黑我啊,不要了。少來)
response.end '最好有這句
%>
當然了,加上上面的函數,在你的SQL過程裡,效果就非常完美了!
呵!!!在變態點做個函數。
---<%
Function checkStr(str)
if isnull(str) then
checkStr = ""
exit function
end if
checkStr=replace(str," ","")
checkStr=replace(str,"'","'")
checkStr=replace(str,";","'")
checkStr=replace(str,"--","'")
checkStr=replace(str,"(","'")
checkStr=replace(str,"[","'")
checkStr=replace(str,"$","'")
checkStr=replace(str,"asc'," ")
checkStr=replace(str,"mid"," ")
checkStr=replace(str,"delete"," ")
checkStr=replace(str,"drop"," ")
'''呵!!我這裡沒屏蔽select,count,哈!想起來我就笑,太變態了,那其不是我什麼都不用了不是更更安全啊!!!呵!!~^)^~
end function
%>
足夠了,這個函數載入到sql選取記錄集的地方。
如:rsql="select * from table where xxx="&checkstr(request.querystring("xxyy"))&""
或者來就判斷字串
說的有點林亂,但是就是這些了,對於普通的“駭客”已經足夠他毫些時間了。但是對於老到的真正意義的駭客,這些都不是萬能的東西,人家連伺服器都黑,你能怎麼樣啊?嘿!!
看了些資料,結合自己的經驗,寫在這裡。算是自己複習一下,看到的朋友也可以一起交流!QQ:22979784(加的請說明這篇文章的地址,怕擾啊!多多見諒了!)
另外對於sql注入漏洞,好象只是ASP裡多些!其它的我還不是太清楚,所以還是需要提醒所有搞ASP的朋友,請多看看,微軟的最新【windows 指令碼技術】這個東西。
http://download.microsoft.com/download/winscript56/Install/5.6/W982KMe/CN/scd56chs.exe
這裡下,就可以了!
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
