这样的防注函数,能杜绝注入吗?
另外,整站都没有用cookies
function noSql(str)
str = request(str)
str = lcase(Trim(str))
str = Replace(str, Chr(0), " ")
str = Replace(str, " ' ", " ")
str = Replace(str, "% ", " ")
str = Replace(str, "^ ", " ")
str = Replace(str, "; ", " ")
str = Replace(str, "* ", " ")
str = Replace(str, "& ", " ")
str = Replace(str, " < ", " ")
str = Replace(str, "> ", " ")
str = Replace(str, "| ", " ")
str = Replace(str, "and ", " ")
str = Replace(str, "chr ", " ")
str = Replace(str, "char ", " ")
noSql = str
end function
[解决办法]
整站用存储过程访问数据库最保险
[解决办法]
没那么夸张,其实你只需要在最底层使用参数化查询就行了。绝对安全。
