我对此做了很多研究,但我仍然有一个问题需要理解。但是我想确保我受到适当的保护。我在Classic ASP中编写了一个函数来帮助防止SQL注入或可能对数据库施加暴力。如果我需要添加或删除内容甚至更正问题以使其更安全,您能否给我自己的意见和建议?非常感谢你提前!!
我在插入MySQL数据库之前使用下面这个。
示例插入:
conn.execute("INSERT INTO " & employees & "(eid, first_name, last_name) VALUES('" & Clng(strEID) & "','" & SQLClean(strfirstname) & "','" & SQLClean(strlastname) & "');")
功能:
Private Function SQLClean(ByVal strString)
If strString <> "" Then
strString = Trim(strString)
'Remove malisous charcters from sql\
strString = replace(strString,"-shutdown","", 1, -1, 1)
strString = replace(strString,"\","\\", 1, -1, 1)
strString = replace(strString,"=","\=", 1, -1, 1)
strString = replace(strString,",","\,", 1, -1, 1)
strString = replace(strString,"`","\`", 1, -1, 1)
strString = replace(strString,"&","\&", 1, -1, 1)
strString = replace(strString,"/","\/", 1, -1, 1)
strString = replace(strString,"[","\[", 1, -1, 1)
strString = replace(strString,"]","\]", 1, -1, 1)
strString = replace(strString,"{","\{", 1, -1, 1)
strString = replace(strString,"}","\}", 1, -1, 1)
strString = replace(strString,"(","\(", 1, -1, 1)
strString = replace(strString,")","\)", 1, -1, 1)
strString = replace(strString,";","\;", 1, -1, 1)
strString = replace(strString,"+","\+", 1, -1, 1)
strString = replace(strString,"<","\<", 1, -1, 1)
strString = replace(strString,">","\>", 1, -1, 1)
strString = replace(strString,"^","\^", 1, -1, 1)
strString = replace(strString,"@","\@", 1, -1, 1)
strString = replace(strString,"$","\$", 1, -1, 1)
strString = replace(strString,"%","\%", 1, -1, 1)
strString = replace(strString,"!","\!", 1, -1, 1)
strString = replace(strString,"*","\*", 1, -1, 1)
strString = replace(strString,"~","\~", 1, -1, 1)
strString = replace(strString,"#","\#", 1, -1, 1)
strString = replace(strString,"?","\?", 1, -1, 1)
strString = replace(strString,"'","\'", 1, -1, 1)
strString = replace(strString,"""","\""", 1, -1, 1)
strString = replace(strString,"select","\select", 1, -1, 1)
strString = replace(strString,"insert","\insert", 1, -1, 1)
strString = replace(strString,"update","\update", 1, -1, 1)
strString = replace(strString,"delete","\delete", 1, -1, 1)
strString = replace(strString," or "," \or ", 1, -1, 1)
strString = replace(strString," and "," \and ", 1, -1, 1)
strString = replace(strString,"drop","\drop", 1, -1, 1)
strString = replace(strString,"union","\union", 1, -1, 1)
strString = replace(strString,"into","\into", 1, -1, 1)
'Return cleaned value.
SQLClean = Trim(strString)
End If
End Function
答案 0 :(得分:15)
请不要在任何情况下尝试编写自己的SQL转义代码,除非它纯粹是学术练习。你会弄错的。如果有人在您的网站上使用SQL injection attack tool,您将遭受严重后果。那些采取随意方法的人已经破坏了企业和职业。
我花了三分钟时间找到an example on StackOverflow使用参数讨论经典ASP和MySQL查询。
请,请使用官方设施,不要自己动手。
答案 1 :(得分:-1)
Here's a good link to read up on for preventing SQL Injection Attacks in ASP Classic scripts.
值得注意的是,在将它们转储到SQL查询之前,应始终验证变量,检查正确的值。检查有效值通常比检查人们可以填入变量的所有可能的坏事更容易。