Looking for the most user-friendly anti-SQL-injection function (waiting online)
Because our site has anti-SQL-injection code in place, now as soon as a string such as "or select" appears it throws an error. This leaves customers with an unfriendly impression.
I am hoping an expert can suggest a way to find these keywords and just replace them, rather than calling Response.End as soon as one is found.
[Solution]
SQL parameters
[Solution]
SqlParameter
[Solution]
Connect to the database and execute SQL statements or stored procedures with parameters
- C# code
using System;
using System.Collections;
using System.Data;
using System.Data.OleDb;
using System.Data.SqlClient;
using System.Web.UI.WebControls;

// Runs a query or stored procedure with every value bound as a SqlParameter,
// so user input is never spliced into the SQL text.
private DataTable ExecuteDataTable(string SqlStr, Hashtable SqlParameters, CommandType temType)
{
    // Connection string (and credentials) hard-coded here as posted; keep them in config in real code.
    String getConnectionString = "Application Name=sss;Initial Catalog=DEVDB;Data Source=10.3.1.218;User ID=sa;password=sa;Pooling=True";
    SqlConnection sqlConn = new SqlConnection(getConnectionString);
    SqlCommand sqlCmd = new SqlCommand(SqlStr);
    SqlDataAdapter sqlDA = new SqlDataAdapter();
    DataTable dtSql = new DataTable();
    try
    {
        sqlConn.Open();
        sqlCmd.Connection = sqlConn;
        sqlCmd.CommandType = temType;
        if (SqlParameters != null)
        {
            // Each Hashtable entry becomes a named parameter (@Name -> value).
            IDictionaryEnumerator hsEnum = SqlParameters.GetEnumerator();
            while (hsEnum.MoveNext())
            {
                sqlCmd.Parameters.AddWithValue(hsEnum.Key.ToString(), hsEnum.Value);
            }
        }
        sqlDA.SelectCommand = sqlCmd;
        sqlDA.Fill(dtSql);
        return dtSql;
    }
    catch (Exception exExact)
    {
        string error = exExact.Message;
        throw new Exception(error, exExact);
    }
    finally
    {
        sqlConn.Close();
    }
}

// Example caller: stored procedure spr_Channellist with four bound parameters.
protected void Button2_Click(object sender, EventArgs e)
{
    Hashtable htParam = new Hashtable();
    htParam.Add("@Language", "Chi");
    htParam.Add("@CurrencyCode", "RMB");
    htParam.Add("@CurrencyUnit", "1.0");
    htParam.Add("@Region", "42");
    string sqlstr = "spr_Channellist";
    DataTable mytable = ExecuteDataTable(sqlstr, htParam, CommandType.StoredProcedure);
    this.GridView1.DataSource = mytable;
    GridView1.DataBind();
}

// Same idea for a single scalar result from a text query.
private String ExecuteDataValue(string SqlStr, Hashtable SqlParameters)
{
    String getConnectionString = "Application Name=IPTV;Initial Catalog=IPTVDEVDB;Data Source=10.3.1.218;User ID=sa;password=sa;Pooling=True";
    SqlConnection sqlConn = new SqlConnection(getConnectionString);
    SqlCommand sqlCmd = new SqlCommand(SqlStr);
    string strRtrn;
    try
    {
        sqlConn.Open();
        sqlCmd.Connection = sqlConn;
        sqlCmd.CommandType = CommandType.Text;
        if (SqlParameters != null)
        {
            IDictionaryEnumerator hsEnum = SqlParameters.GetEnumerator();
            while (hsEnum.MoveNext())
            {
                sqlCmd.Parameters.AddWithValue(hsEnum.Key.ToString(), hsEnum.Value);
            }
        }
        strRtrn = Convert.ToString(sqlCmd.ExecuteScalar());
        return strRtrn;
    }
    catch (Exception exExact)
    {
        string error = exExact.Message;
        throw new Exception(error, exExact);
    }
    finally
    {
        sqlConn.Close();
    }
}

protected void GridView1_PageIndexChanging(object sender, GridViewPageEventArgs e)
{
    GridView1.PageIndex = e.NewPageIndex;
    OleDbConnection conn = new OleDbConnection("provider=microsoft.jet.oledb.4.0;data source=" + Server.MapPath("") + "\\CODEDB.mdb");
    string sql = "select * from Code ";
    OleDbDataAdapter oda = new OleDbDataAdapter(sql, conn);
    DataSet ds = new DataSet();
    oda.Fill(ds);
    this.GridView1.DataSource = ds.Tables[0];
    GridView1.DataBind();
}
[Solution]
Those keyword-filtering programs are garbage.
Parameterized SQL, with the character type and length specified, and single quotes filtered out: however capable you are, you won't escape my grasp.
[Solution]
You can also encrypt the input, for example UrlEncode.....
[Solution]
Filter single quotes and specify the parameter type and length, plus spaces and similar special characters, and it's OK.
[Solution]
- C# code
using System.Data.OracleClient;

// Oracle bind variables (:Name) carry the values; the SQL text never contains user input.
public bool InsertAdmin(string userName, string password, string remark, string mail, int departId, int power)
{
    string sql = "insert into S_Admin(UserName,Password,Remark,Mail,DepartId,Power)values(:UserName,:Password,:Remark,:Mail,:DepartId,:Power)";
    OracleConnection connection = new OracleConnection();
    connection.ConnectionString = ""; // set the connection string here
    OracleCommand command = new OracleCommand(sql, connection);
    // Each parameter is declared with an explicit type and maximum length.
    command.Parameters.Add(":UserName", OracleType.NVarChar, 60).Value = userName;
    command.Parameters.Add(":Password", OracleType.NVarChar, 60).Value = password;
    command.Parameters.Add(":Remark", OracleType.NVarChar, 60).Value = remark;
    command.Parameters.Add(":Mail", OracleType.NVarChar, 60).Value = mail;
    command.Parameters.Add(":DepartId", OracleType.Int32, 4).Value = departId;
    command.Parameters.Add(":Power", OracleType.Int32, 4).Value = power;
    connection.Open();
    int rowsAffected = command.ExecuteNonQuery();
    connection.Close();
    command.Dispose();
    return rowsAffected > 0;
}
[Solution]
Pass the values into the stored procedure in the data layer. The data operations can also be implemented in global.
// Keyword blacklist: returns false (reject) when the input contains any of the
// listed SQL words as a substring, true otherwise. Because it is a substring
// match, ordinary words such as "selection" or "updated" also trip it.
private bool ProcessSqlStr(string Str)
{
    bool ReturnValue = true;
    try
    {
        if (Str.Trim() != "")
        {
            string SqlStr = "exec¦insert¦select¦delete¦master¦update¦truncate¦declare";
            string[] anySqlStr = SqlStr.Split('¦');
            foreach (string ss in anySqlStr)
            {
                // Inputs containing "updatepanel" (ASP.NET AJAX postbacks) are exempted from the check.
                if (!Str.ToLower().Contains("updatepanel"))
                {
                    if (Str.ToLower().IndexOf(ss) >= 0)
                    {
                        ReturnValue = false;
                        break;
                    }
                }
            }
        }
    }
    catch
    {
        ReturnValue = false;
    }
    return ReturnValue;
}
Implement data replacement
[Solution]
It even errors on "or"; this programmer really is an idiot.
[Solution]
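The point the parameterization answers above are making, and the cost of the keyword blacklist in the ProcessSqlStr answer, side by side as an added example (not code from this thread or any of its posters). It is in Python against an in-memory SQLite database so it runs offline; the thread's own C# needs a SQL Server or Oracle instance. The users table, its rows and the passwords are constructed for the demo, and process_sql_str is a port of the ProcessSqlStr function posted above with the same keyword list, so the results show exactly which harmless inputs that filter rejects.

```python
import sqlite3

# Constructed sample rows for the demo (not data from the thread).
SAMPLE_USERS = [
    ("alice", "s3cret", "Orlando"),
    ("bob", "hunter2", "Shanghai"),
]

# The keyword list from the thread's ProcessSqlStr, split the same way.
BLACKLIST = "exec|insert|select|delete|master|update|truncate|declare".split("|")


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, city TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable form: user input is spliced into the SQL text.

    This is the pattern the questioner's keyword filter is trying to paper over.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username, password):
    """Safe form: the same query with bind parameters (the SqlParameter /
    OracleParameter approach from the answers). The driver sends the values
    separately from the SQL text, so they can never change the query's shape."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def register_param(conn, username, password, city):
    """Parameterized INSERT: any text is acceptable as a value, keywords included."""
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, password, city))
    conn.commit()


def process_sql_str(s, keywords=BLACKLIST):
    """Python port of the thread's ProcessSqlStr blacklist.

    Returns True when the input is accepted and False when it is rejected.
    Mirrors the original's quirks: empty input passes, and anything containing
    "updatepanel" is exempted from the check entirely.
    """
    s = s.strip()
    if s == "":
        return True
    low = s.lower()
    if "updatepanel" in low:
        return True
    return not any(kw in low for kw in keywords)


def demo():
    """Run the three scenarios and return the observed results."""
    conn = make_db()
    payload = "' OR '1'='1"  # classic authentication-bypass payload

    # 1. Concatenated SQL: the payload turns the WHERE clause into
    #    (username='alice' AND password='') OR '1'='1', matching every row.
    concat_result = login_concat(conn, "alice", payload)

    # 2. Parameterized SQL: the same payload is compared as a literal password.
    param_result = login_param(conn, "alice", payload)

    # 3. Harmless values the blacklist rejects, and a harmless keyword-laden
    #    value that the parameterized path handles without any filtering.
    harmless = ["executive", "selection", "updated", "Paris"]
    false_positives = [w for w in harmless if not process_sql_str(w)]
    register_param(conn, "carol", "select or delete", "Dallas")
    carol_login = login_param(conn, "carol", "select or delete")

    return {
        "concat_with_payload": concat_result,          # ['alice', 'bob']: bypassed
        "param_with_payload": param_result,            # []: no bypass
        "blacklist_false_positives": false_positives,  # ['executive', 'selection', 'updated']
        "param_keyword_password_login": carol_login,   # ['carol']
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The parameterized path needs no keyword check at all: "select or delete" is stored and compared as an ordinary password, which is exactly the behaviour the question asks for. Type and length limits (the OracleType.NVarChar, 60 declarations in the Oracle answer) are the other half of that approach; they belong on the parameter, not in a string scan of the whole request.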
http://topic.csdn.net/u/20081205/09/3dd06076-bcbe-45d4-998c-8999fdbe6fae.html