Author: mywheat (麥田)
Board: Visual_Basic
Title: Re: [.NET] How to prevent SQL INJECTION in VB.NET
Time: Mon Apr 16 17:14:42 2007
Since I have to write it myself anyway, I later looked up some of the patterns that are more likely to show up in SQL injection and made them into a function.
Here is the code. Could everyone please help check it and point out where it needs changes? Thanks.
Public Function UnInjection(ByVal chkWord As String) As String
    ' Purely numeric input is returned unchanged
    If IsNumeric(chkWord) Then Return chkWord
    chkWord = chkWord.ToString.Trim()
    ' Double single quotes so they cannot close a string literal
    chkWord = Replace(chkWord, "'", "''")
    ' Use a temporary marker for "(" so the "+CHAR(41)+" inserted for ")" below is not rewritten again
    chkWord = Replace(chkWord, "(", "**CHAR40**")
    chkWord = Replace(chkWord, ")", "'+CHAR(41)+'")
    chkWord = Replace(chkWord, "**CHAR40**", "'+CHAR(40)+'")
    ' Rewrite the word "or" (various casings) as CHAR() concatenations
    chkWord = Replace(chkWord, " or ", " '+CHAR(111)+CHAR(114)+' ")
    chkWord = Replace(chkWord, " Or ", " '+CHAR(79)+CHAR(114)+' ")
    chkWord = Replace(chkWord, " OR ", " '+CHAR(79)+CHAR(82)+' ")
    chkWord = Replace(chkWord, " oR ", " '+CHAR(111)+CHAR(82)+' ")
    ' Comment marker and statement separator
    chkWord = Replace(chkWord, "--", "'+CHAR(45)+CHAR(45)+'")
    chkWord = Replace(chkWord, ";", "'+CHAR(59)+'")
    Return chkWord
End Function
--
※ Posted from: 批踢踢實業坊(ptt.cc)
◆ From: 210.64.14.87
1F:→ shqpaxson: Wouldn't just passing the values as SQL parameters be enough... @@ 04/29 13:10
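As an added example that is neither the original poster's code nor part of the reply, this is what the push comment's suggestion looks like in VB.NET: the same user lookup done once by string concatenation (which is the case the UnInjection() filter tries to protect) and once with SqlCommand parameters, where the input never becomes part of the SQL text, so quotes, parentheses, "or", "--" and ";" need no rewriting at all. The Users table, its columns and the connection string are assumptions made for the example.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Module ParameterizedQueryExample

    ' Assumed connection string; replace with your own.
    Private Const ConnString As String = _
        "Server=(local);Database=TestDb;Integrated Security=True"

    ' Unsafe pattern: the input is spliced into the statement text, so the
    ' database parses whatever the user typed as SQL. A blacklist such as
    ' UnInjection() only changes which characters reach the parser.
    Public Function BuildUnsafeSql(ByVal userName As String) As String
        Return "SELECT UserId FROM Users WHERE UserName = '" & userName & "'"
    End Function

    ' Safe pattern: the statement text is fixed and the value is sent as a
    ' typed parameter. The server never parses the value as SQL, so no
    ' escaping of quotes, parentheses, "or", "--" or ";" is required.
    Public Function FindUserId(ByVal userName As String) As Nullable(Of Integer)
        Using conn As New SqlConnection(ConnString)
            Using cmd As New SqlCommand( _
                    "SELECT UserId FROM Users WHERE UserName = @name", conn)
                ' Declare the parameter with an explicit type and length that
                ' match the column (assumed NVARCHAR(50) here).
                Dim p As SqlParameter = _
                    cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50)
                p.Value = userName
                conn.Open()
                Dim result As Object = cmd.ExecuteScalar()
                If result Is Nothing OrElse result Is DBNull.Value Then
                    Return Nothing
                End If
                Return CInt(result)
            End Using
        End Using
    End Function

    ' Numeric input does not need the IsNumeric() shortcut from the filter:
    ' convert it once and bind it as an INT parameter.
    Public Function FindUserName(ByVal userId As Integer) As String
        Using conn As New SqlConnection(ConnString)
            Using cmd As New SqlCommand( _
                    "SELECT UserName FROM Users WHERE UserId = @id", conn)
                cmd.Parameters.Add("@id", SqlDbType.Int).Value = userId
                conn.Open()
                Dim result As Object = cmd.ExecuteScalar()
                If result Is Nothing OrElse result Is DBNull.Value Then
                    Return Nothing
                End If
                Return CStr(result)
            End Using
        End Using
    End Function

End Module
```

With parameters, the value passed to `p.Value` is delivered to SQL Server separately from the statement, so the same input that would break `BuildUnsafeSql` is simply compared against `UserName` as data; the filter function becomes unnecessary rather than something that has to be kept complete.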