If a stored procedure builds its SQL by string concatenation, how do you prevent injection? Is the only option to replace sensitive characters before executing the stored procedure?

Solutions »

This is how I've always written it; hope it gives you some ideas.

#region Filter characters
/// <summary>
/// Which characters to filter depends on the specific situation
/// </summary>
/// <param name="param">the string to filter</param>
public static string CheckSaftParam(string param)
{
    param = param.Replace("net user", "");
    param = param.Replace("xp_cmdshell", "");
    param = param.Replace("/add", "");
    param = param.Replace("exec%20master.dbo.xp_cmdshell", "");
    param = param.Replace("net localgroup administrators", "");
    param = param.Replace("select", "");
    param = param.Replace("'", "''");
    param = param.Replace("insert", "");
    param = param.Replace("delete", "");
    param = param.Replace("drop", "");
    param = param.Replace("truncate", "");
    param = param.Replace("from", "");
    // "%20" must be stripped before the lone "%", otherwise it never matches
    param = param.Replace("%20", "");
    param = param.Replace("%", "");
    return param;
}
#endregion

There are lots of them, e.g. keywords like "delete", "update", "insert" and so on.

After filtering the keywords, you can also create a DDL trigger, so that dangerous operations on tables or the database can be blocked from executing.

Throw an error? How would I make it throw an error? I mean, when someone injects through the browser, for example, it should raise an error; it's not just a matter of me typing ', select, drop into a text box and calling it fine as long as nothing errors.

str = str.Replace(";", "").Replace("*", "").Replace("'", "").Replace("&", "")
         .Replace(" ", "").Replace("%20", "").Replace("--", "").Replace("==", "")
         .Replace("<", "").Replace(">", "").Replace("%", "").Replace("nchar", "")
         .Replace("select", "").Replace("update", "").Replace("insert", "")
         .Replace("create", "").Replace("drop", "").Replace("delete", "");
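As an added example (not from any reply above), the approach a defender relies on instead of keyword filtering: the stored procedure still builds dynamic SQL, but every user-supplied value travels as a typed parameter through sp_executesql, and the one piece that cannot be a parameter (a sort column name) is checked against a whitelist and quoted with QUOTENAME. The table dbo.Users and its columns are assumed for illustration.

```sql
-- Added example: dynamic SQL inside a stored procedure without splicing user input into the text.
-- Assumed schema: dbo.Users(UserName, Email, Status); the caller may choose the sort column.
--
-- The concatenated form the question describes would look like
--   EXEC(N'SELECT ... WHERE UserName = ''' + @UserName + ''' ORDER BY ' + @SortCol);
-- where @UserName becomes part of the statement text. Below, it never does.
CREATE PROCEDURE dbo.SearchUsers
    @UserName NVARCHAR(50),
    @SortCol  SYSNAME = N'UserName'
AS
BEGIN
    SET NOCOUNT ON;

    -- Identifiers cannot be passed as parameters, so accept only known column names
    -- and reject anything else with an error the caller can log and alert on.
    IF @SortCol NOT IN (N'UserName', N'Email', N'Status')
    BEGIN
        RAISERROR(N'Invalid sort column', 16, 1);
        RETURN;
    END;

    -- The statement text contains a parameter placeholder, not the user's value.
    -- QUOTENAME wraps the already-validated column name in [] as a second guard.
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT UserName, Email, Status FROM dbo.Users '
      + N'WHERE UserName = @p_UserName '
      + N'ORDER BY ' + QUOTENAME(@SortCol) + N';';

    -- sp_executesql binds @p_UserName as typed data: quotes, comment markers or
    -- keywords in the value are compared against the column, never parsed as SQL.
    EXEC sys.sp_executesql
        @sql,
        N'@p_UserName NVARCHAR(50)',
        @p_UserName = @UserName;
END;
GO
```

From ADO.NET the procedure is then called with SqlCommand.CommandType = StoredProcedure and a SqlParameter for @UserName, so the value is parameterized end to end and no character replacement is needed.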