SQL Server injection
New to web development and taking over someone's code. They have a function to prevent sql injection, for SQL Server database

function safe(val, maxsize)
    dim i, terms
    ' denylist of SQL fragments the function tries to neutralise
    terms = array( _
        "cast", _
        "select", _
        "varchar", _
        "declare", _
        "drop", _
        ";", _
        "--", _
        "insert", _
        "delete", _
        "xp_" _
    )
    val = left(val, maxsize)
    val = trim(val)
    for i = 0 to ubound(terms)
        ' Replace(expr, find, replacewith, start, count, compare): compare is
        ' the sixth argument, so vbTextCompare only makes the match
        ' case-insensitive when start (1) and count (-1) are passed before it.
        ' The replacement text re-inserts the whole value, so a matched term
        ' is wrapped in "e_ ... _e" rather than removed.
        val = replace(val, terms(i), "e_" & val & "_e", 1, -1, vbTextCompare)
    next
    ' double single quotes so the value can sit inside a '...' literal
    val = replace(val, "'", "''")
    ' return value (a VBScript function returns by assigning to its own name)
    safe = val
end function

Hesitant to touch this, but is this missing anything? Seems occasionally they get hacked
The following article should help: http://tugberkugurlu.com/archive/sql-injection-vs-lethal-injection-protection-against-sql-injection

It is not a good idea to go down this path with string.Replace.
I would completely scrap that function and start using a parameterized statement like Aaron mentioned in his comment. If you haven't done so before, there are various articles on how to do so. In the article I linked you to, look at step 2.
I would not rely on such a function to prevent sql injection attacks. Parameterized queries are a must. There are almost surely some injection texts you will miss using the approach of the method you listed.
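Both answers above say the same thing: drop the keyword filter and bind values as parameters. The script below is an added example, not code from the question, from the linked article or from the answerers. It ports the question's safe() filter to Python, then runs the same input through a filter-then-concatenate query and through a parameterized query. An in-memory SQLite table stands in for the SQL Server database so the script runs offline (an assumption; the "?" placeholder is the same marker an ADODB.Command parameterized query uses, so the pattern carries over to classic ASP unchanged).

```python
import re
import sqlite3

# Denylist copied from the question's VBScript safe() function.
TERMS = ["cast", "select", "varchar", "declare", "drop", ";", "--",
         "insert", "delete", "xp_"]


def safe(val: str, maxsize: int) -> str:
    """Python port of the question's filter: truncate, trim, case-insensitively
    wrap each denylisted term (keeping the original's quirk of re-inserting the
    whole value), then double single quotes."""
    val = val[:maxsize].strip()
    for term in TERMS:
        replacement = "e_" + val + "_e"  # same replacement text as the original
        val = re.sub(re.escape(term), lambda _m, r=replacement: r, val,
                     flags=re.IGNORECASE)
    return val.replace("'", "''")


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the SQL Server database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_concat(conn: sqlite3.Connection, raw_id: str) -> int:
    """Filter-then-concatenate, the pattern safe() is meant to protect.
    Returns how many rows the resulting query matched."""
    sql = "SELECT name FROM users WHERE id = " + safe(raw_id, 50)
    return len(conn.execute(sql).fetchall())


def lookup_param(conn: sqlite3.Connection, raw_id: str) -> int:
    """Parameterized query: the value is bound as data and never parsed as SQL,
    so no keyword filter is needed at all."""
    sql = "SELECT name FROM users WHERE id = ?"
    return len(conn.execute(sql, (raw_id,)).fetchall())


if __name__ == "__main__":
    conn = setup_db()
    for raw in ["1", "1 OR 1=1"]:
        # The second input contains none of the denylisted terms, so safe()
        # passes it through untouched and the concatenated query matches every
        # row; the bound parameter matches nothing because it is only a string.
        print(f"{raw!r}: concat={lookup_concat(conn, raw)} "
              f"param={lookup_param(conn, raw)}")
```

In classic ASP the counterpart of lookup_param is an ADODB.Command whose CommandText contains "?" markers, with one Parameters.Append(cmd.CreateParameter(...)) per value; the driver sends the value separately from the statement text, which is why the filter function becomes unnecessary rather than merely improved.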