Anti SQL injection library for C# ASP.NET

Time: 2012-03-27 13:25:17

Tags: sql-injection

Can anyone suggest such a library for ASP.NET 1.1?

Thanks.

2 answers:

Answer 0: (score: 0)

There are many to choose from, but honestly, your best tool is education. Know how to prevent it yourself. The tools built into the ordinary Framework class library are sufficient if used correctly.

Simply using parameterized queries and/or stored procedures for every database call is the best preventive measure.

However, we do use the Microsoft.Practices.EnterpriseLibrary.Data classes provided by the Microsoft Patterns and Practices library. The ones we use are somewhat dated, but still get the job done well. They provide some injection protection and simplify data access. But they are not the only, nor necessarily the best, tool for this job.

More up-to-date information about the current Patterns and Practices library can be found here.
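The parameterized-query and stored-procedure approach recommended above, as an added example in plain ADO.NET for the .NET 1.1 era (this is not code from the original post or from the Enterprise Library). The connection string, the `Users` table, its `UserId`/`UserName` columns and the `dbo.usp_VerifyLogin` procedure are assumed names for illustration; `Parameters.AddWithValue` did not exist in .NET 1.1, so each parameter is declared with an explicit type and size.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original page. Table, column and procedure
// names are assumptions chosen for illustration.
public class LoginRepository
{
    private readonly string connectionString;

    public LoginRepository(string connectionString)
    {
        this.connectionString = connectionString;
    }

    // VULNERABLE ("before" picture, shown only for contrast): the caller's
    // string becomes part of the SQL text, so the database parses
    // user-controlled input as part of the statement.
    public static string BuildUnsafeQuery(string userName)
    {
        return "SELECT UserId FROM Users WHERE UserName = '" + userName + "'";
    }

    // SAFE: the SQL text is constant; the value travels to the server as a
    // typed parameter and cannot alter the statement's structure.
    public int FindUserId(string userName)
    {
        const string sql = "SELECT UserId FROM Users WHERE UserName = @UserName";
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            SqlParameter p = cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50);
            p.Value = userName;
            conn.Open();
            object result = cmd.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? -1 : Convert.ToInt32(result);
        }
    }

    // Stored procedure with the same guarantee: the procedure name is fixed
    // and every input is passed as a parameter. The procedure is assumed to
    // return 1 for a valid login and 0 otherwise.
    public bool VerifyLogin(string userName, string passwordHash)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.usp_VerifyLogin", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@PasswordHash", SqlDbType.NVarChar, 128).Value = passwordHash;
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result != null && result != DBNull.Value && Convert.ToInt32(result) == 1;
        }
    }
}
```

The design point is that the defence lives in the separation of code from data: the server compiles the statement once with placeholders, and whatever the user typed is bound afterwards as a value. No escaping or keyword filtering of the input is needed, and none should be relied on instead.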

Answer 1: (score: 0)

[Link to Anti-Injection SQL][1]

    <?php
    function anti_injection( $user, $pass ) {
        // We'll first get rid of any special characters using a simple regex statement.
        // After that, we'll get rid of any SQL command words using a string replacement.
        $banlist = array(
            "insert", "select", "update", "delete", "distinct", "having", "truncate", "replace",
            "handler", "like", " as ", "or ", "procedure", "limit", "order by", "group by", "asc", "desc"
        );
        // ---------------------------------------------
        // eregi() was removed in PHP 7; preg_match() replaces it. The pattern is
        // anchored so the whole value must be alphanumeric, as the comments intend
        // (the original pattern only required one alphanumeric character somewhere).
        if ( preg_match( '/^[a-zA-Z0-9]+$/', $user ) ) {
            $user = trim( str_replace( $banlist, '', strtolower( $user ) ) );
        } else {
            $user = null;
        }
        // ---------------------------------------------
        // Now to make sure the given password is an alphanumerical string
        // devoid of any special characters. strtolower() is being used
        // because unfortunately, str_ireplace() only works with PHP5.
        if ( preg_match( '/^[a-zA-Z0-9]+$/', $pass ) ) {
            $pass = trim( str_replace( $banlist, '', strtolower( $pass ) ) );
        } else {
            $pass = null;
        }
        // ---------------------------------------------
        // Now to make an array so we can dump these variables into the SQL query.
        // If either user or pass is NULL (because of inclusion of illegal characters),
        // the whole script will stop dead in its tracks.
        $array = array( 'user' => $user, 'pass' => $pass );
        // ---------------------------------------------
        if ( in_array( null, $array ) ) {
            die( 'Invalid use of login and/or password. Please use a normal method.' );
        } else {
            return $array;
        }
    }


[1]: http://psoug.org/snippet/PHP-Anti-SQL-Injection-Function_18.htm
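To show what the keyword-stripping approach in that snippet does to ordinary input, here is an added C# rendering of its ban-list logic run over a few constructed user names (this is illustration written for this page, not code from the original answer or from the linked site; the sample names are made up). It is the kind of check a reviewer would run before adopting such a filter.

```csharp
using System;

// Added example, not from the original page: the PHP snippet's ban list and
// its lower-case, strip-every-token, trim sequence, reproduced in C# so the
// effect on legitimate input can be observed.
public class KeywordBlacklist
{
    private static readonly string[] BanList = {
        "insert", "select", "update", "delete", "distinct", "having", "truncate", "replace",
        "handler", "like", " as ", "or ", "procedure", "limit", "order by", "group by", "asc", "desc"
    };

    // Mirrors str_replace($banlist, '', strtolower($s)) followed by trim():
    // each token is removed, in list order, everywhere it occurs.
    public static string Strip(string input)
    {
        string s = input.ToLowerInvariant();
        foreach (string token in BanList)
        {
            s = s.Replace(token, "");
        }
        return s.Trim();
    }

    public static void Main()
    {
        // Constructed sample inputs: every one is a plausible, harmless user name.
        string[] samples = { "Taylor Morgan", "Descartes", "Mascaras Selection", "Ascot Limited" };
        foreach (string name in samples)
        {
            // Expected: "taylmorgan", "artes", "maras ion", "ot ed"
            Console.WriteLine("{0,-20} -> {1}", name, Strip(name));
        }
    }
}
```

Every sample is silently rewritten: "Taylor Morgan" loses the "or " inside "Taylor", "Descartes" loses "desc", and "Ascot Limited" loses both "limit" and "asc". A filter that corrupts valid data while operating on the SQL text is exactly what the parameterized approach in the first answer avoids, since there the input is never interpreted as SQL in the first place.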