½â¾öSQL Injection©¶´µÄÒ»¸öº¯Êý

½â¾öSQL Injection©¶´µÄÒ»¸öº¯Êý
http://blog.csdn.net/cncco/archive/2006/04/07/654254.aspx
º¯Êý
<%
Function CheckInput(str,strType)
   'º¯Êý¹¦ÄÜ£º¹ýÂË×Ö·û²ÎÊýÖеĵ¥ÒýºÅ£¬¶ÔÓÚÊý×Ö²ÎÊý½øÐÐÅжϣ¬Èç¹û²»ÊÇÊýÖµÀàÐÍ£¬Ôò¸³Öµ0
   '²ÎÊýÒâÒ壺  str        ---- Òª¹ýÂ˵IJÎÊý
   '                 strType ---- ²ÎÊýÀàÐÍ£¬·ÖΪ×Ö·ûÐͺÍÊý×ÖÐÍ£¬×Ö·ûÐÍΪ"s"£¬Êý×ÖÐÍΪ"i"
 Dim strTmp
 strTmp     = ""
 If strType ="s" Then
  strTmp = Replace(Trim(str),"'","'")
 ElseIf strType="i" Then
  If isNumeric(str)=False Then str="0"
  strTmp = str
 Else
  strTmp = str
 End If
 CheckInput = strTmp
End Function
%>
Õâ¸öº¯ÊýºÜ¼òµ¥£¬ Ö÷ÒªÊÇÕë¶Ô×Ö·û´®ºÍÊý×ÖÁ½ÖÖÀàÐ͵Ĵ«ÈëÊý¾Ý·Ö±ð½øÐÐÁË´¦Àí£¬¾ßÌåÓ÷¨£º
×Ö·ûÀàÐ͵Ä
strUsername = CheckInput(Request(“username“),“s“)
Êý×ÖÀàÐ͵Ä
ID = CheckInput(Request(“id“),“i“)
SQL InjectionµÄΣº¦ÊǺܴóµÄ£¬±ÈÈç¶ÔÓÚSQL Server£¬¿ÉÒÔ´´½¨¡¢É¾³ýÊý¾Ý¿â£¬Ö´ÐÐϵͳÃüÁîµÈµÈ£¬ Èçdrop table tbl_name, execute master.dbo.xp_cmdshell "command"ËùÒԺܶàÈËдµÄº¯Êý¾ÍÊÇÆ´ÃüµÄÈ¥¹ýÂËÕâЩ¿ÉÄÜÒýÆðΣº¦µÄ¹Ø¼ü´Ê£¬±ÈÈçdrop ,·ÖºÅ,and,exe,midµÈµÈ£¬ÂÞÁÐÁËÒ»´ó¶Ñ¡£
Æäʵ£¬¾¡¿ÉÒÔ²»±ØÄÇô·±Ëö£¬·ÇÒª°Ñ¼òµ¥µÄÊÂÇ鸴ÔÓ»¯¡£
¶ÔÓÚ¹ýÂË£¬ASPÖÐÖ»ÒªÕë¶Ô×Ö·ûÐͺÍÊý×ÖÐÍ·Ö±ð´¦Àí¾Í¿ÉÒÔÁË£¬
×Ö·ûÐ͵ģ¬°Ñµ¥ÒýºÅת»»³ÉÁ½¸öµ¥ÒýºÅ  strTmp = Replace(Trim(str),"'","'")
Êý×ÖÐ͵ģ¬¾ÍÅжÏÊÇ·ñÄܹ»×ª»»³ÉÊý×ÖÐ굀 £¬Óà isNumericº¯Êý
ÏÖÔÚÍøÉÏ˵µÄÄܹ»Èƹýµ¥ÒýºÅµÄ¹¥»÷£¬ÆäʵÊÇÕë¶ÔÊý×ÖÀàÐ͵Ä,Èç¹û¶ÔÓÚ¹ýÂËÁ˵¥ÒýºÅµÄ×Ö·ûÐÍ£¬»¹Óа취Èƹý£¬ÄǾÍûµÃÍæÁË........
±¾ÎÄÀ´×ÔCSDN²©¿Í£¬×ªÔØÇë±êÃ÷³ö´¦£ºhttp://blog.csdn.net/cncco/archive/2006/04/07/654254.aspx