½â¾öSQL Injection©¶´µÄÒ»¸öº¯Êý
½â¾öSQL Injection©¶´µÄÒ»¸öº¯Êý
http://blog.csdn.net/cncco/archive/2006/04/07/654254.aspx
º¯Êý
<%
Function CheckInput(str,strType)
'º¯Êý¹¦ÄÜ£º¹ýÂË×Ö·û²ÎÊýÖеĵ¥ÒýºÅ£¬¶ÔÓÚÊý×Ö²ÎÊý½øÐÐÅжϣ¬Èç¹û²»ÊÇÊýÖµÀàÐÍ£¬Ôò¸³Öµ0
'²ÎÊýÒâÒ壺 str ---- Òª¹ýÂ˵IJÎÊý
' strType ---- ²ÎÊýÀàÐÍ£¬·ÖΪ×Ö·ûÐͺÍÊý×ÖÐÍ£¬×Ö·ûÐÍΪ"s"£¬Êý×ÖÐÍΪ"i"
Dim strTmp
strTmp = ""
If strType ="s" Then
strTmp = Replace(Trim(str),"'","'")
ElseIf strType="i" Then
If isNumeric(str)=False Then str="0"
strTmp = str
Else
strTmp = str
End If
CheckInput = strTmp
End Function
%>
Õâ¸öº¯ÊýºÜ¼òµ¥£¬ Ö÷ÒªÊÇÕë¶Ô×Ö·û´®ºÍÊý×ÖÁ½ÖÖÀàÐ͵Ĵ«ÈëÊý¾Ý·Ö±ð½øÐÐÁË´¦Àí£¬¾ßÌåÓ÷¨£º
×Ö·ûÀàÐ͵Ä
strUsername = CheckInput(Request(“username“),“s“)
Êý×ÖÀàÐ͵Ä
ID = CheckInput(Request(“id“),“i“)
SQL InjectionµÄΣº¦ÊǺܴóµÄ£¬±ÈÈç¶ÔÓÚSQL Server£¬¿ÉÒÔ´´½¨¡¢É¾³ýÊý¾Ý¿â£¬Ö´ÐÐϵͳÃüÁîµÈµÈ£¬ Èçdrop table tbl_name, execute master.dbo.xp_cmdshell "command"ËùÒԺܶàÈËдµÄº¯Êý¾ÍÊÇÆ´ÃüµÄÈ¥¹ýÂËÕâЩ¿ÉÄÜÒýÆðΣº¦µÄ¹Ø¼ü´Ê£¬±ÈÈçdrop ,·ÖºÅ,and,exe,midµÈµÈ£¬ÂÞÁÐÁËÒ»´ó¶Ñ¡£
Æäʵ£¬¾¡¿ÉÒÔ²»±ØÄÇô·±Ëö£¬·ÇÒª°Ñ¼òµ¥µÄÊÂÇ鸴ÔÓ»¯¡£
¶ÔÓÚ¹ýÂË£¬ASPÖÐÖ»ÒªÕë¶Ô×Ö·ûÐͺÍÊý×ÖÐÍ·Ö±ð´¦Àí¾Í¿ÉÒÔÁË£¬
×Ö·ûÐ͵ģ¬°Ñµ¥ÒýºÅת»»³ÉÁ½¸öµ¥ÒýºÅ strTmp = Replace(Trim(str),"'","'")
Êý×ÖÐ͵ģ¬¾ÍÅжÏÊÇ·ñÄܹ»×ª»»³ÉÊý×ÖÐ굀 £¬Óà isNumericº¯Êý
ÏÖÔÚÍøÉÏ˵µÄÄܹ»Èƹýµ¥ÒýºÅµÄ¹¥»÷£¬ÆäʵÊÇÕë¶ÔÊý×ÖÀàÐ͵Ä,Èç¹û¶ÔÓÚ¹ýÂËÁ˵¥ÒýºÅµÄ×Ö·ûÐÍ£¬»¹Óа취Èƹý£¬ÄǾÍûµÃÍæÁË........
±¾ÎÄÀ´×ÔCSDN²©¿Í£¬×ªÔØÇë±êÃ÷³ö´¦£ºhttp://blog.csdn.net/cncco/archive/2006/04/07/654254.aspx
Ïà¹ØÎĵµ£º
²Ù×÷²½ÖèÈçÏ£¬¹©²Î¿¼¡£
Êý¾Ý¿âתÐ͹¤×÷Éæ¼°µÄ¹¤×÷ÊÂÏî·ÖÎö£º±í£¬±íÊý¾Ý£¬Ë÷Òý£¬Íâ¼üÔ¼Êø£¬×Ö¶ÎĬÈÏÖµ¡£
´æ´¢¹ý³Ì¡¢º¯Êý¡¢´¥·¢Æ÷¡¢ÊÓͼµÈÓÉÓÚÓï·¨´æÔÚ²îÒ죬ֻÄÜ×ÔÐиÄд´¦Àí¡£
(Ò»)ÔÚMS SQL SERVER·þÎñÆ÷¶ËµÄ×¼±¸¹¤×÷¡£
1).´´½¨¹ØÓÚ±í¡¢ÊÓͼ¡¢Ö÷¼ü¡¢Ë÷Òý¡¢×Ö¶Î×ֵ䡢ĬÈÏÖµÔ¼ÊøµÄ¶ÔÏóÊÓͼ¡£ÒÔ·½±ãÏÂÒ»²½ ......
sql server »¹ÔÒ»¸öÊý¾Ýµ½¾ßÌåµÄʱ¼ä
Êý¾Ý¿âµÄ¸½¼Ó:
sp_attach_db mark ,'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mark.mdf'
Êý¾Ý¿âµÄ·ÖÀë:
sp_deattach_db mark ,'C:\Program Files\Microsoft SQL
Server\MSSQL.1\MSSQL\Data\mark.mdf'
Êý¾Ý¿âµÄÍêÈ«±¸·Ý:
backup database mark to disk ......
Áù¸ö·ÀÖ¹SQL×¢Èëʽ¹¥»÷µÄ½¨Òé
http://blog.csdn.net/jefflam/archive/2009/06/01/4233359.aspx
SQL×¢Èë¹¥»÷µÄΣº¦ÐԺܴó¡£ÔÚ½²½âÆä·ÀÖ¹°ì·¨Ö®Ç°£¬Êý¾Ý¿â¹ÜÀíÔ±ÓбØÒªÏÈÁ˽âÒ»ÏÂÆä¹¥»÷µÄÔÀí¡£ÕâÓÐÀûÓÚ¹ÜÀíÔ±²ÉÈ¡ÓÐÕë¶ÔÐԵķÀÖδëÊ©¡£
¡¡¡¡Ò»¡¢ SQL×¢Èë¹¥»÷µÄ¼òµ¥Ê¾Àý¡£
¡¡¡¡statement := "SELECT * from Users WHERE Va ......
VBʵÏÖSQL ServerÊý¾Ý¿â±¸·Ý/»Ö¸´
http://blog.csdn.net/cncco/archive/2006/05/15/729356.aspx
’**Ä£ ¿é Ãû£ºfBackupDatabase_a
’**Ãè Êö£º±¸·ÝÊý¾Ý¿â,·µ»Ø³ö´íÐÅÏ¢,Õý³£»Ö¸´,·µ»Ø""
’**µ÷ ÓãºfBackupDatabase_a "±¸·ÝÎļþÃû","Êý¾Ý¿âÃû"
’**²ÎÊý˵Ã÷£ ......
±£»¤SQL ServerÊý¾Ý¿âµÄÊ®´ó¾øÕÐ
http://blog.csdn.net/cncco/archive/2007/09/15/1785880.aspx
1. °²×°×îеķþÎñ°ü
ΪÁËÌá¸ß·þÎñÆ÷°²È«ÐÔ£¬×îÓÐЧµÄÒ»¸ö·½·¨¾ÍÊÇÉý¼¶µ½SQL Server 2000 Service Pack 3a (SP3a)¡£ÁíÍ⣬Äú»¹Ó¦¸Ã°²×°ËùÓÐÒÑ·¢²¼µÄ°²È«¸üС£
2. ʹÓÃMicrosoft»ùÏß°²È«ÐÔ·ÖÎöÆ÷£¨MBSA£©À´ÆÀ¹À·þÎñÆ÷µÄ°² ......
