Could everyone please explain this? I have seen similar problems before; how are they solved? Please help.
Replace single quotes, that is, turn every single quote that appears on its own into two single quotes, so that an attacker cannot change the meaning of the SQL command. Looking at the earlier example again, "select * from Users where login = ''' or ''1''=''1' AND password = ''' or ''1''=''1'" clearly produces a different result from "select * from Users where login = '' or '1'='1' AND password = '' or '1'='1'".

Remove all hyphens from user input, so that an attacker cannot construct a query such as "select * from Users where login = 'mas' -- AND password =''". In a query like this the second half has already been commented out and no longer takes effect, so an attacker who knows just one valid login name can gain access without knowing the user's password at all.

    using System;
    using System.Text.RegularExpressions;

    class Test
    {
        static void Main()
        {
            // Reject any user name that contains a privileged account name.
            Regex r = new Regex("admin|super|root");
            string username = "I_am_admin";
            if (r.IsMatch(username))
            {
                // Prints "invalid user name".
                Console.WriteLine("不合法的用户名");
            }
        }
    }

This is a simple little example; you can write yours along these lines.
Answer 1, 2013-08-07
The simplest approach is to use an ORM; then there are no SQL statements at all. For example, LINQ in .NET 3.5 and later is a good option.
Answer 2, 2013-08-07
<%
Dim QueryData, FormData, QueryName, Name, adoData, i
' Blacklist of substrings; a request containing any of them is rejected.
QueryData="'|''|;|,|*|%|and|exec|insert|select|update|delete|count|master|truncate|char|declare|where|set|declare|mid|chr|set|chr(37)|net"
FormData=""
' Filter the GET query-string values.
if request.QueryString<>"" then
    adoData=split(QueryData,"|")
    FOR EACH QueryName IN Request.QueryString
        for i=0 to ubound(adoData)
            ' Case-insensitive substring match against each blacklist entry.
            If Instr(LCase(request.QueryString(QueryName)),adoData(i))<>0 Then
                ' Alert text: "Please do not submit illegal requests!"
                Response.Write "<Script Language=javascript>alert('请不要提交非法请求!');history.back(-1)</Script>"
                Response.end
            End If
        NEXT
    NEXT
End if
%>
Answer 3, 2013-08-07
<%
dim SQL_injdata, SQL_inj, SQL_Get, SQL_Data
' Blacklist of substrings; a query-string value containing any of them is rejected.
SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = split(SQL_injdata,"|")
If Request.QueryString<>"" Then
    For Each SQL_Get In Request.QueryString
        For SQL_Data=0 To Ubound(SQL_inj)
            ' Case-insensitive substring match against each blacklist entry.
            if instr(ucase(Request.QueryString(SQL_Get)),ucase(SQL_inj(SQL_Data)))>0 Then
                ' Alert text: "Please do not include illegal characters in parameters to attempt injection!"
                Response.Write "<Script Language=javascript>alert('请不要在参数中包含非法字符尝试注入!');history.back(-1)</Script>"
                Response.end
            end if
        next
    Next
End If 'check end
%>

Just put this function where the database connection string is.
Answer 4, 2013-08-07
Use parameterization, that is, SqlParameter, and also use stored procedures.
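Added example, not code from any of the answers above: a runnable Python/sqlite3 version of the page's Users query that puts the first answer's quote doubling and the fourth answer's parameterized query side by side against the inputs the first answer describes. sqlite3's `?` placeholder stands in for SqlParameter, and the table contents are constructed.

```python
import sqlite3

# Constructed sample table; the page's query names a Users table with
# login and password columns, so that is the shape used here.
SEED_USERS = [("mas", "s3cret"), ("alice", "hunter2")]

# The two inputs the first answer discusses: quote breakout and '--' truncation.
TAUTOLOGY = "' or '1'='1"
COMMENT_OUT = "mas' --"


def make_db():
    """In-memory Users table matching the page's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SEED_USERS)
    return conn

def login_concat(conn, login, password):
    """Vulnerable: the page's query assembled by string concatenation."""
    sql = ("select * from Users where login = '" + login
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()

def login_quote_doubled(conn, login, password):
    """First answer's fix: double every single quote before concatenating.
    The '--' input is defused too, since the quote it needs to end the
    literal is doubled and the rest stays inside the string."""
    def dbl(s):
        return s.replace("'", "''")
    return login_concat(conn, dbl(login), dbl(password))

def login_param(conn, login, password):
    """Fourth answer's fix: parameterized query. sqlite3's '?' placeholder
    stands in for SqlParameter; input is bound as data, never parsed as SQL."""
    return conn.execute(
        "select * from Users where login = ? AND password = ?",
        (login, password),
    ).fetchall()

def row_counts(login, password):
    """Rows returned by each variant for the same login/password input."""
    conn = make_db()
    return {
        "concat": len(login_concat(conn, login, password)),
        "quote_doubled": len(login_quote_doubled(conn, login, password)),
        "param": len(login_param(conn, login, password)),
    }
```

With the tautology input the concatenated query returns every user while both fixes return none; with the `mas' --` input the concatenated query logs in as mas without a password while both fixes again return none.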