Is preventing SQL injection really that complicated?

in Develop

Once again I came across a post like this on the CSDN forum:

How do I defend against 'or'='or' in ASP.NET? Waiting online~~

I won't explain what SQL injection is here;
plenty of articles online already cover it in depth.

In my view there are three ways to prevent SQL injection:
1. Filter the sensitive character
2. Use SqlParameters in ASP.NET
3. Use stored procedures

Filtering the sensitive character
The sensitive character here is the single quote.
In classic ASP programs the SQL statement to be executed is usually "pieced together" by string concatenation.

You only need to replace each single quote with two single quotes:
' =======> ''
There is no need, as some articles online suggest, to also strip out
Delete/Drop/Alter...
with code such as:

ParaValue = replace(ParaValue,"'","")
ParaValue = replace(ParaValue,"select ","")
ParaValue = replace(ParaValue,"insert ","")
ParaValue = replace(ParaValue,"delete ","")
ParaValue = replace(ParaValue,"count(","")
ParaValue = replace(ParaValue,"drop table ","")
ParaValue = replace(ParaValue,"update ","")
ParaValue = replace(ParaValue,"truncate ","")
ParaValue = replace(ParaValue,"asc(","")
ParaValue = replace(ParaValue,"mid(","")
ParaValue = replace(ParaValue,"char(","")
ParaValue = replace(ParaValue,"xp_cmdshell","")
ParaValue = replace(ParaValue,"exec master","")
ParaValue = replace(ParaValue,"net localgroup administrators","")
ParaValue = replace(ParaValue," and ","")
ParaValue = replace(ParaValue,"net user","")
ParaValue = replace(ParaValue," or ","")

To borrow a line from CSDN: replacing all of these is pure pretending to understand. Does it need to be this complicated? Doing this only shows you have no idea what SQL injection actually is.
Just replace the single quote.

In ASP.NET, just use Parameters; the data needs no processing at all.
// The parameter values are sent alongside the statement and are never spliced into the SQL text.
comm.Parameters.Add("@userName", SqlDbType.VarChar).Value = TextBox1.Text;
comm.Parameters.Add("@passWord", SqlDbType.VarChar).Value = TextBox2.Text;
comm.CommandText = "select * from AdminInfo where UserName=@userName and PassWord=@passWord";

Stored procedures
Because the types of the variables are declared in the stored procedure itself, the data again needs no processing.
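The following is an added example, not code from the original post; it reproduces the post's first two methods (doubling the single quote, and passing values as parameters) against a constructed in-memory SQLite table named AdminInfo, using Python's sqlite3 module in place of ADO.NET. The login functions, the table contents and the test input are all assumptions made for the demonstration. The input `' or ''='` is the same pattern the CSDN post asks about; it is used here only to show which of the three query styles is affected.

```python
import sqlite3

# Constructed sample data standing in for the post's AdminInfo table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE AdminInfo (UserName TEXT, PassWord TEXT)")
    conn.execute("INSERT INTO AdminInfo VALUES ('admin', 'secret')")
    return conn


def login_concat(conn, user, pwd):
    """Classic ASP style: the statement is 'pieced together' from the raw input."""
    sql = ("select * from AdminInfo where UserName='" + user
           + "' and PassWord='" + pwd + "'")
    return conn.execute(sql).fetchone() is not None


def login_escaped(conn, user, pwd):
    """Method 1 from the post: replace each single quote with two before concatenating."""
    user = user.replace("'", "''")
    pwd = pwd.replace("'", "''")
    return login_concat(conn, user, pwd)


def login_param(conn, user, pwd):
    """Method 2 from the post: named parameters; the values never touch the SQL text."""
    sql = "select * from AdminInfo where UserName=:userName and PassWord=:passWord"
    return conn.execute(sql, {"userName": user, "passWord": pwd}).fetchone() is not None


# The input the CSDN post asks about, used as a constructed test value.
PROBE = "' or ''='"

if __name__ == "__main__":
    conn = make_db()
    for name, fn in [("concat", login_concat), ("escaped", login_escaped), ("param", login_param)]:
        print(name, "valid creds:", fn(conn, "admin", "secret"),
              "probe input:", fn(conn, PROBE, PROBE))
```

Only the concatenated version returns a row for the probe input: the quotes close the string literal and the rest becomes part of the WHERE clause. Doubling the quote works because the whole value is then read as one string literal, which depends on every value being placed inside quotes in the statement; the parameterized version does not depend on that, since the database receives the values separately from the statement.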

Once again, please stop making SQL injection sound like some grand mystery; it really is unprofessional.

2 Comments


  1. My approach is to replace it with the full-width single quote; what about that?

  2. Replacing isn't necessary at all.
    Adding the parameters via Parameter is the only thing you must do; whether you use stored procedures doesn't matter.

    Because parameters added with the Parameter approach are appended after the SQL rather than inserted directly into the SQL statement, for example:

    select * from AdminInfo where UserName=@userName and PassWord=@passWord;
    @userName = ….,
    @passWord= ….
