Code:
OleDbConnection con = new OleDbConnection(@"provider=microsoft.jet.oledb.4.0;data source=D:\zx.mdb");
con.Open();
OleDbCommand com = new OleDbCommand("select * from zx.renshi where xingming='" + TextBox1.Text.Trim() + "' and mima='" + TextBox2.Text.Trim() + "'", con);
if (com.ExecuteScalar() == null)
    Response.Write("error!");
else
    Response.Write("ok!");
con.Close();
TextBox1 input: s'--
TextBox2: left empty
Why does this give a syntax error (syntax error in string)??
But with a SQL 2000 database there is no problem. Can the Access database itself prevent injection?? Please explain in detail! (I just want to understand the syntax.)
http://www.cnblogs.com/morningwang/archive/2007/06/06/773198.aspx
I know -- is a comment; that is exactly what I want: comment out the rest of the statement and log in without a password. It also worked with SQL 2000, but with Access it shows "syntax error in string". Why??
The ' is also treated as illegal; what does that mean??
/// <summary>
/// Check whether a parameter contains SQL characters
/// </summary>
/// <param name="tm"></param>
private void goErr(string tm)
{
    if (!SqlHelper.checkSql(tm))
        this.Response.Redirect("/error.html");
}
/// <summary>
/// Fires on every request, i.e. whenever data is submitted
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
protected void Application_BeginRequest(Object sender, EventArgs e)
{
    // Walk the POST parameters, skipping the hidden ViewState field
    foreach (string i in this.Request.Form)
    {
        if (i == "__VIEWSTATE") continue;
        this.goErr(this.Request.Form[i].ToString());
    }
    // Walk the GET parameters
    foreach (string i in this.Request.QueryString)
    {
        this.goErr(this.Request.QueryString[i].ToString());
    }
}
Then add a class in the App_Code folder with this method:
using System;
using System.Text.RegularExpressions;

/// <summary>
/// Check whether a string contains special characters
/// </summary>
/// <param name="sql">The string to check</param>
/// <returns>Returns a bool: true if the string is clean, false if it contains a blacklisted item</returns>
public static bool checkSql(string sql)
{
    bool chk = true;
    string[] Lawlesses = { "=", "'", ";", ",", "(", ")", "%", "-", "#", "select" };
    if (Lawlesses == null || Lawlesses.Length <= 0) return true;
    // Escape each blacklisted item and join them with | into an alternation,
    // so that "select" is matched as a whole word and "(", ")" and "-"
    // are matched literally rather than read as regex metacharacters.
    string str_Regex = string.Join("|", Array.ConvertAll(Lawlesses, x => Regex.Escape(x)));
    if (Regex.IsMatch(sql ?? string.Empty, str_Regex, RegexOptions.IgnoreCase)) chk = false;
    return chk;
}
If you don't want to use a stored procedure, you can replace each single quote with two single quotes.
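Added example, not code from the original thread: the login check from the question rewritten with OleDbParameter instead of string concatenation. The difference the asker saw comes from comment syntax, not from any protection in Access. SQL Server treats -- as a line comment, so the trailing ' and mima='' is discarded and the login succeeds; Jet SQL has no comment syntax, so the trailing text is still parsed and the unbalanced quote raises "Syntax error in string". Once the values are passed as parameters, neither the checkSql blacklist nor doubling single quotes is needed, because the input is never part of the SQL text. Assumed here: the table is named renshi with columns xingming and mima, the connection string is the one from the question, and the column length of 50 is a placeholder.

```csharp
// Added example (not from the original post): parameterized login check
// for the Access database from the question.
using System;
using System.Data;
using System.Data.OleDb;

public static class SafeLogin
{
    // Assumed table/column names from the question. Jet/OLE DB uses
    // positional "?" placeholders; parameters are bound in the order
    // they appear in the SQL text, the names given below are ignored.
    private const string LoginSql =
        "SELECT COUNT(*) FROM renshi WHERE xingming = ? AND mima = ?";

    // Returns true only when exactly one row matches the given name and password.
    public static bool IsValidLogin(string connectionString, string userName, string password)
    {
        using (OleDbConnection con = new OleDbConnection(connectionString))
        using (OleDbCommand com = new OleDbCommand(LoginSql, con))
        {
            // The values travel as data, never as SQL text: an input such as
            // s'-- is compared literally against xingming and cannot change
            // the statement, on Access or on SQL Server. Length 50 is a placeholder.
            com.Parameters.Add("@name", OleDbType.VarWChar, 50).Value = userName ?? string.Empty;
            com.Parameters.Add("@pwd", OleDbType.VarWChar, 50).Value = password ?? string.Empty;

            con.Open();
            // COUNT(*) always returns one row, so ExecuteScalar is never null here.
            int matches = Convert.ToInt32(com.ExecuteScalar());
            return matches == 1;
        }
    }
}
```

From the page in the question this would be called as SafeLogin.IsValidLogin(@"provider=microsoft.jet.oledb.4.0;data source=D:\zx.mdb", TextBox1.Text.Trim(), TextBox2.Text.Trim()), writing "ok!" or "error!" on the result. Note that the original test ExecuteScalar() == null only works with select *; with COUNT(*) the count itself is the check.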