Author: mywheat (麦田)
Board: Visual_Basic
Title: Re: [.NET] How do I prevent SQL injection in VB.NET?
Time: Mon Apr 16 17:14:42 2007
Since I have to write it myself, I looked up some of the patterns that are more likely to show up in SQL injection and turned them into a function.
Here is the code. Please help me check it and point out anywhere it needs changes. Thanks.
' Assumes the result is spliced into a single-quoted literal of a SQL Server
' (T-SQL) statement: '+CHAR(n)+' closes the literal, appends the character,
' and reopens it.
Module SqlFilter
    Public Function UnInjection(ByVal chkWord As String) As String
        ' Nothing would make Trim() throw below.
        If chkWord Is Nothing Then Return ""
        ' Pure numbers are passed through unchanged.
        If IsNumeric(chkWord) Then Return chkWord
        chkWord = chkWord.Trim()
        ' Double the single quote so it stays inside the literal.
        chkWord = Replace(chkWord, "'", "''")
        ' Placeholder for "(" first, so the "(" produced by CHAR(41) below
        ' is not rewritten a second time.
        chkWord = Replace(chkWord, "(", "**CHAR40**")
        chkWord = Replace(chkWord, ")", "'+CHAR(41)+'")
        chkWord = Replace(chkWord, "**CHAR40**", "'+CHAR(40)+'")
        ' Replace() is case-sensitive, so all four spellings of " or " are listed.
        chkWord = Replace(chkWord, " or ", " '+CHAR(111)+CHAR(114)+' ")
        chkWord = Replace(chkWord, " Or ", " '+CHAR(79)+CHAR(114)+' ")
        chkWord = Replace(chkWord, " OR ", " '+CHAR(79)+CHAR(82)+' ")
        chkWord = Replace(chkWord, " oR ", " '+CHAR(111)+CHAR(82)+' ")
        ' Comment marker and statement separator.
        chkWord = Replace(chkWord, "--", "'+CHAR(45)+CHAR(45)+'")
        chkWord = Replace(chkWord, ";", "'+CHAR(59)+'")
        Return chkWord
    End Function
End Module
--
※ Posted from: 批踢踢实业坊 (ptt.cc)
◆ From: 210.64.14.87
1F: → shqpaxson: Wouldn't it be enough to just pass the values as SQL parameters... @@ 04/29 13:10
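An added example, not code from the post or from the reply, showing the parameterised approach the 1F reply recommends in VB.NET with ADO.NET, beside the concatenated statement that UnInjection() was meant to patch. The table Users, its columns, the connection string and the module name are assumptions.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Module ParameterisedLookup

    ' Vulnerable pattern: the user-supplied value is spliced into the SQL text,
    ' so the database cannot tell data from query syntax. UnInjection() tries to
    ' repair this after the fact by rewriting characters in the value.
    Function BuildConcatenatedSql(ByVal userName As String) As String
        Return "SELECT Email FROM Users WHERE Name = '" & userName & "'"
    End Function

    ' Safe pattern: the SQL text is fixed and the value travels as a typed
    ' parameter. No rewriting of quotes, parentheses or keywords is needed,
    ' because the value is never parsed as part of the statement.
    ' (Users, Name and Email are assumed table and column names.)
    Function FindUserEmail(ByVal connStr As String, ByVal userName As String) As String
        Using conn As New SqlConnection(connStr)
            Using cmd As New SqlCommand( _
                    "SELECT Email FROM Users WHERE Name = @name", conn)
                ' Explicit type and length: the value is bound as data only.
                cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = userName
                conn.Open()
                Dim result As Object = cmd.ExecuteScalar()
                If result Is Nothing OrElse result Is DBNull.Value Then
                    Return Nothing
                End If
                Return CStr(result)
            End Using
        End Using
    End Function

End Module
```

The same parameter binding works for INSERT and UPDATE statements; the point is that every user-controlled value reaches the server through a parameter, never through string concatenation.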