A question about search.
When implementing product search there is combined multi-condition search (each condition can also be used on its own), for example by content, by time, by price, by keyword, and so on.
The current approach is string concatenation. Part of the code is as follows.
    // count query and list query, both filtered by the price range
    string cmdStr = "select Count(Product_ID) as co from Porcduct where Price between " + pricefrom + " and " + priceto;
    string selStr = "select a.Product_ID,a.Product_Name,a.smallImages,b.name as className,a.Scorts,a.PriceNow,a.Price from Porcduct a,Procduct_Type b where a.Class=b.ID and Price between " + pricefrom + " and " + priceto;
    // text search: on name and keywords together, or on one of them depending on 'type'
    if (content != "")
    {
        if (type == "")
        {
            cmdStr = cmdStr + " and (Product_Name like '%" + content + "%' or Keys like '%" + content + "%')";
            selStr = selStr + " and (Product_Name like '%" + content + "%' or Keys like '%" + content + "%')";
        }
        if (type == "商品名称")
        {
            cmdStr = cmdStr + " and Product_Name like '%" + content + "%'";
            selStr = selStr + " and Product_Name like '%" + content + "%'";
        }
        if (type == "关键字")
        {
            cmdStr = cmdStr + " and Keys like '%" + content + "%'";
            selStr = selStr + " and Keys like '%" + content + "%'";
        }
    }
    // category filter: all classes under the selected parent class
    if (proClass != "")
    {
        cmdStr = cmdStr + " and Class in (select id from Procduct_Type where ParentID=" + proClass + ")";
        selStr = selStr + " and Class in (select id from Procduct_Type where ParentID=" + proClass + ")";
    }
But this is where the problem comes up: string concatenation can't prevent SQL injection, can it? How do the experts implement search? Please teach me.
Solutions »
    if (ChkBadWord(Request.QueryString.ToString()))
    {
        Response.Write("<script language='javascript'>alert('参数中存在非法数据');history.back();</script>");
        Response.End();
    }
Method for matching illegal characters
    /// <summary>
    /// Checks whether the string contains illegal characters; returns true if it does
    /// </summary>
    /// <param name="badword">the string to check</param>
    /// <returns></returns>
    public bool ChkBadWord(string badword)
    {
        string[] bw = strbadword();
        bool isok = false;
        foreach (string str in bw)
        {
            if (badword.IndexOf(str) > -1)
            {
                isok = true;
                return isok;
            }
        }
        return isok;
    }
    // the list of disallowed substrings
    private string[] strbadword()
    {
        string[] bad = new string[5];
        bad[0] = "'";
        bad[1] = "\"";
        bad[2] = ";";
        bad[3] = "--";
        bad[4] = ",";
        return bad;
    }
First: as shown above, check whether the input contains illegal characters;
Second: stored procedures;
Third: SQL parameterized queries.
For the illegal-character check you can search around; the few characters listed above are probably too few.
It is best to also add exception handling, so that exceptions are not exposed to the person attempting the injection.
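The third option above (parameterized queries) applied to the search in the question, as an added example that is not code from the original post or from either answer. It keeps the question's table and column names (Porcduct, Procduct_Type, Product_Name, Keys, Class, ParentID, Price) and uses System.Data.SqlClient; the names ProductSearch, EscapeLike, TryParseInputs and BuildSearch are hypothetical. Every user value travels as a SqlParameter, the price and category values are parsed to numbers first, the search type is mapped to a fixed column clause through a whitelist (column names cannot be parameters), and LIKE wildcards in the search text are escaped so they match literally.

```csharp
// Added example (not from the original post or its answers). Assumes the
// question's tables and columns and System.Data.SqlClient; the class and
// method names below are hypothetical.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Text;

public static class ProductSearch
{
    // Makes LIKE wildcards in user text match literally. Backslash is the
    // escape character; every LIKE below declares it with ESCAPE '\'.
    public static string EscapeLike(string s)
    {
        return s.Replace("\\", "\\\\")
                .Replace("%", "\\%")
                .Replace("_", "\\_")
                .Replace("[", "\\[");
    }

    // Converts raw request strings to typed values. Input that is not a
    // number is rejected here and never reaches the database.
    public static bool TryParseInputs(
        string priceFromRaw, string priceToRaw, string proClassRaw,
        out decimal priceFrom, out decimal priceTo, out int? proClass)
    {
        proClass = null;
        priceFrom = 0;
        priceTo = 0;
        if (!decimal.TryParse(priceFromRaw, out priceFrom)) return false;
        if (!decimal.TryParse(priceToRaw, out priceTo)) return false;
        if (!string.IsNullOrEmpty(proClassRaw))
        {
            if (!int.TryParse(proClassRaw, out int id)) return false;
            proClass = id;
        }
        return true;
    }

    // Builds the count command and the list command around one shared WHERE
    // clause. User values travel only as SqlParameters; the SQL text that is
    // concatenated consists of fixed fragments chosen by this code.
    public static (SqlCommand Count, SqlCommand Select) BuildSearch(
        SqlConnection conn, decimal priceFrom, decimal priceTo,
        string content, string type, int? proClass)
    {
        var where = new StringBuilder(" where a.Price between @pricefrom and @priceto");
        var args = new List<SqlParameter>
        {
            new SqlParameter("@pricefrom", SqlDbType.Decimal) { Value = priceFrom },
            new SqlParameter("@priceto", SqlDbType.Decimal) { Value = priceTo },
        };

        if (!string.IsNullOrEmpty(content))
        {
            // The whole pattern, wildcards included, is one parameter value.
            string pattern = "%" + EscapeLike(content) + "%";
            args.Add(new SqlParameter("@content", SqlDbType.NVarChar, 200) { Value = pattern });

            // 'type' selects a fixed column clause from this whitelist; the
            // value itself never becomes part of the SQL text.
            switch (type ?? "")
            {
                case "":
                    where.Append(" and (a.Product_Name like @content escape '\\'" +
                                 " or a.Keys like @content escape '\\')");
                    break;
                case "商品名称":
                    where.Append(" and a.Product_Name like @content escape '\\'");
                    break;
                case "关键字":
                    where.Append(" and a.Keys like @content escape '\\'");
                    break;
                default:
                    throw new ArgumentException("unknown search type", nameof(type));
            }
        }

        if (proClass.HasValue)
        {
            where.Append(" and a.Class in (select id from Procduct_Type where ParentID = @parent)");
            args.Add(new SqlParameter("@parent", SqlDbType.Int) { Value = proClass.Value });
        }

        var count = new SqlCommand("select count(a.Product_ID) as co from Porcduct a" + where, conn);
        var select = new SqlCommand(
            "select a.Product_ID, a.Product_Name, a.smallImages, b.name as className," +
            " a.Scorts, a.PriceNow, a.Price" +
            " from Porcduct a join Procduct_Type b on a.Class = b.ID" + where, conn);

        // A SqlParameter belongs to one command, so each command gets its own copy.
        foreach (var p in args)
        {
            count.Parameters.Add(new SqlParameter(p.ParameterName, p.SqlDbType, p.Size) { Value = p.Value });
            select.Parameters.Add(new SqlParameter(p.ParameterName, p.SqlDbType, p.Size) { Value = p.Value });
        }
        return (count, select);
    }
}
```

Usage: call TryParseInputs on the raw request values and return an ordinary validation error when it fails, then call BuildSearch inside a using block for the connection and run Count.ExecuteScalar() and Select.ExecuteReader(). Because the search text is bound as a parameter, a product name containing an apostrophe or a comma is searched correctly instead of being rejected, which is the practical advantage over the character blacklist in the first answer; the ESCAPE clause additionally keeps "%" and "_" typed by the user from acting as wildcards.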