4

我已经对此进行了很多研究,但我仍然无法理解它。但是,我想确保我得到适当的保护。我在 Classic ASP 中编写了一个函数来帮助防止 SQL 注入或对数据库的可能的暴力破解。如果我需要添加或删除内容甚至纠正问题以使其更安全,你们能给我自己的意见和建议吗?非常感谢您提前!!

在插入 MySQL 数据库之前,我在下面使用它。

插入示例:

conn.execute("INSERT INTO " & employees & "(eid, first_name, last_name) VALUES('" & Clng(strEID) & "','" & SQLClean(strfirstname) & "','" & SQLClean(strlastname) & "');")

功能:

Private Function SQLClean(ByVal strString)
    If strString <> "" Then
        strString = Trim(strString)

        'Remove malisous charcters from sql\
        strString = replace(strString,"-shutdown","", 1, -1, 1)
        strString = replace(strString,"\","\\", 1, -1, 1)
        strString = replace(strString,"=","\=", 1, -1, 1)
        strString = replace(strString,",","\,", 1, -1, 1)
        strString = replace(strString,"`","\`", 1, -1, 1)
        strString = replace(strString,"&","\&", 1, -1, 1)
        strString = replace(strString,"/","\/", 1, -1, 1)      
        strString = replace(strString,"[","\[", 1, -1, 1)
        strString = replace(strString,"]","\]", 1, -1, 1)
        strString = replace(strString,"{","\{", 1, -1, 1)
        strString = replace(strString,"}","\}", 1, -1, 1)
        strString = replace(strString,"(","\(", 1, -1, 1)
        strString = replace(strString,")","\)", 1, -1, 1)
        strString = replace(strString,";","\;", 1, -1, 1)
        strString = replace(strString,"+","\+", 1, -1, 1)
        strString = replace(strString,"<","\<", 1, -1, 1)
        strString = replace(strString,">","\>", 1, -1, 1)
        strString = replace(strString,"^","\^", 1, -1, 1)
        strString = replace(strString,"@","\@", 1, -1, 1)
        strString = replace(strString,"$","\$", 1, -1, 1)
        strString = replace(strString,"%","\%", 1, -1, 1)
        strString = replace(strString,"!","\!", 1, -1, 1)
        strString = replace(strString,"*","\*", 1, -1, 1)
        strString = replace(strString,"~","\~", 1, -1, 1)
        strString = replace(strString,"#","\#", 1, -1, 1)
        strString = replace(strString,"?","\?", 1, -1, 1)
        strString = replace(strString,"'","\'", 1, -1, 1)
        strString = replace(strString,"""","\""", 1, -1, 1)
        strString = replace(strString,"select","\select", 1, -1, 1)
        strString = replace(strString,"insert","\insert", 1, -1, 1)
        strString = replace(strString,"update","\update", 1, -1, 1)
        strString = replace(strString,"delete","\delete", 1, -1, 1)
        strString = replace(strString," or "," \or ", 1, -1, 1)
        strString = replace(strString," and "," \and ", 1, -1, 1)
        strString = replace(strString,"drop","\drop", 1, -1, 1)
        strString = replace(strString,"union","\union", 1, -1, 1)
        strString = replace(strString,"into","\into", 1, -1, 1)

        'Return cleaned value.
        SQLClean = Trim(strString)

    End If
End Function
4

2 回答 2

15

请在任何情况下都不要尝试编写自己的 SQL 转义代码,除非它纯粹是学术练习。你会弄错的。如果有人在您的站点上使用SQL 注入攻击工具,您将遭受严重后果。人们对此采取随意的态度,商业和职业已经被摧毁。

我花了整整三分钟在 StackOverflow 上找到一个关于使用参数的经典 ASP 和 MySQL 查询的示例。

Please, please, please use the official facilities and do not roll your own.

于 2012-09-05T06:59:44.440 回答
-1

这是一个很好的链接,可以阅读以防止 ASP Classic 脚本中的 SQL 注入攻击。

还值得注意的是,您应该始终验证您的变量,在将它们转储到 SQL 查询中之前检查它们的正确值。检查有效值通常比检查人们可以塞进变量的所有可能的坏事更容易。

于 2012-09-05T05:34:57.410 回答