在经典ASP中,有一种简单的方法可以清理所有表单提交的输入吗?这是我的消毒功能:
function dbsafe(data)
data = replace(data,";","")
data = replace(data,"'","")
data = replace(data,"—","")
data = replace(data,"/*","")
data = replace(data,"*/","")
data = replace(data,"*","")
data = replace(data,"/","")
data = replace(data,"xp_","")
end function
答案 0 :(得分:2)
我会考虑使用参数化查询。攻击者最终会想到你忘记删除的东西。
以下是参数化查询的链接:http://support.microsoft.com/kb/200190
答案 1 :(得分:0)
我发现IIS团队发布的这篇博客似乎运作良好:
http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx