sql - 如何通过函数运行所有表单提交的数据

Question

在经典的 ASP 中，有没有一种简单的方法来清理所有表单提交的输入？这是我的消毒功能：

function dbsafe(data)
data = replace(data,";","")
data = replace(data,"'","")
data = replace(data,"â€”","")
data = replace(data,"/*","")
data = replace(data,"*/","")
data = replace(data,"*","")
data = replace(data,"/","")
data = replace(data,"xp_","")
end function

score 2 · Accepted Answer

我会考虑使用参数化查询。攻击者最终会想到您忘记删除的内容。

这是参数化查询的链接：http: //support.microsoft.com/kb/200190

score 0 · Accepted Answer

我发现 IIS 团队的这篇博客文章似乎运行良好：

http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx

sql - 如何通过函数运行所有表单提交的数据

2 回答 2

Related

Reference