求最人性化的防止SQL注入函数 在线等
由于我们的网站放了防止SQL注入代码,现在只要一出现例如 “or select ”的字符就报错。这样给客户带来不友好的影响。
在下希望 高人能给个办法把这些关键词找出来后只替换,而不是找出来就Response.end
[解决办法]
sql参数
[解决办法]
SqlParameter
[解决办法]
带参数 连接数据库 执行SQL语句 或者存储过程
private DataTable ExecuteDataTable(string SqlStr, Hashtable SqlParameters,CommandType temType) { String getConnectionString = "Application Name=sss;Initial Catalog=DEVDB;Data Source=10.3.1.218;User ID=sa;password=sa;Pooling=True"; SqlConnection sqlConn = new SqlConnection(getConnectionString); SqlCommand sqlCmd = new SqlCommand(SqlStr); SqlDataAdapter sqlDA =new SqlDataAdapter(); DataTable dtSql = new DataTable(); try { sqlConn.Open(); sqlCmd.Connection = sqlConn; sqlCmd.CommandType = temType; if (SqlParameters != null) { IDictionaryEnumerator hsEnum = SqlParameters.GetEnumerator(); while (hsEnum.MoveNext()) { sqlCmd.Parameters.AddWithValue(hsEnum.Key.ToString(), hsEnum.Value); } } sqlDA.SelectCommand = sqlCmd; sqlDA.Fill(dtSql); return dtSql; } catch (Exception exExact) { string error = exExact.Message; throw new Exception(error, exExact); } finally { sqlConn.Close(); } } protected void Button2_Click(object sender, EventArgs e) { Hashtable htParam = new Hashtable(); htParam.Add("@Language", "Chi"); htParam.Add("@CurrencyCode", "RMB"); htParam.Add("@CurrencyUnit", "1.0"); htParam.Add("@Region", "42"); string sqlstr = "spr_Channellist"; DataTable mytable = ExecuteDataTable(sqlstr, htParam, CommandType.StoredProcedure); this.GridView1.DataSource = mytable; GridView1.DataBind(); } private String ExecuteDataValue(string SqlStr, Hashtable SqlParameters) { String getConnectionString = "Application Name=IPTV;Initial Catalog=IPTVDEVDB;Data Source=10.3.1.218;User ID=sa;password=sa;Pooling=True"; SqlConnection sqlConn = new SqlConnection(getConnectionString); SqlCommand sqlCmd = new SqlCommand(SqlStr); string strRtrn ; try { sqlConn.Open(); sqlCmd.Connection = sqlConn; sqlCmd.CommandType = CommandType.Text; if(SqlParameters != null) { IDictionaryEnumerator hsEnum = SqlParameters.GetEnumerator(); while(hsEnum.MoveNext()) { sqlCmd.Parameters.AddWithValue(hsEnum.Key.ToString(), hsEnum.Value); } } strRtrn = Convert.ToString(sqlCmd.ExecuteScalar()); return strRtrn; } catch(Exception exExact) { string error = exExact.Message; throw new Exception(error, exExact); } finally { sqlConn.Close(); } } protected void GridView1_PageIndexChanging(object sender, GridViewPageEventArgs e) { GridView1.PageIndex = e.NewPageIndex; OleDbConnection conn = new OleDbConnection("provider=microsoft.jet.oledb.4.0;data source=" + Server.MapPath("") + "\\CODEDB.mdb"); string sql = "select * from Code "; OleDbDataAdapter oda = new OleDbDataAdapter(sql, conn); DataSet ds = new DataSet(); oda.Fill(ds); this.GridView1.DataSource = ds.Tables[0]; GridView1.DataBind(); }
[解决办法]
那些过滤关键字的程序是垃圾。
参数化SQL 指定字符类型和长度 过滤掉单引号,就算你有有多大能耐也飞不出我手心。
[解决办法]
你也可以对输入加密,这样比如UrlEncode.....
[解决办法]
过滤单引号和指定参数类型和长度。以及空格,之类的特殊字符就OK了
[解决办法]
public bool InsertAdmin(string userName, string password, string remark, string mail, int departId, int power) { string sql = "insert into S_Admin(UserName,Password,Remark,Mail,DepartId,Power)values(:UserName,:Password,:Remark,:Mail,:DepartId,:Power)"; OracleConnection connection = new OracleConnection(); connection.ConnectionString = "";//此处设置链接字符串 OracleCommand command = new OracleCommand(sql, connection); command.Parameters.Add(":UserName", OracleType.NVarChar, 60).Value = userName; command.Parameters.Add(":Password", OracleType.NVarChar, 60).Value =password; command.Parameters.Add(":Remark", OracleType.NVarChar, 60).Value = remark; command.Parameters.Add(":Mail", OracleType.NVarChar, 60).Value =mail; command.Parameters.Add(":DepartId", OracleType.Int32, 4).Value =departId; command.Parameters.Add(":Power", OracleType.Int32, 4).Value = power; connection.Open(); int rowsAffected=command.ExecuteNonQuery(); connection.Close(); command.Dispose(); return rowsAffected > 0; }}
[解决办法]
在数据里传值到存储过程。实现数据操作也可在global里
private bool ProcessSqlStr(string Str)
{
bool ReturnValue = true;
try
{
if (Str.Trim() != "")
{
string SqlStr = "exec¦insert¦select¦delete¦master¦update¦truncate¦declare";
string[] anySqlStr = SqlStr.Split('¦');
foreach (string ss in anySqlStr)
{
if(!Str.ToLower().Contains("updatepanel"))
{
if (Str.ToLower().IndexOf(ss) >= 0)
{
ReturnValue = false;
break;
}
}
}
}
}
catch
{
ReturnValue = false;
}
return ReturnValue;
}
实现数据替换
[解决办法]
连or出来都报错, 这程序员也真够BC的.
[解决办法]
http://topic.csdn.net/u/20081205/09/3dd06076-bcbe-45d4-998c-8999fdbe6fae.html