Re: [.NET] How do I prevent SQL injection in VB.NET?

Board: Visual_Basic  Author: (麥田)  Posted 19 years ago (2007/04/16 17:14)  Score: 0 pushes, 0 boos, 1 arrow
1 comment, 1 participant, thread 3/3
Since I'm going to write it myself anyway, I later looked up some of the patterns that are more likely to show up in SQL injection and turned them into a function. The code is below; could everyone please help check it and tell me where it needs to be changed. Thanks.

    Public Function UnInjection(ByVal chkWord As String) As String
        ' Numeric input is returned unchanged.
        If IsNumeric(chkWord) Then Return chkWord

        chkWord = chkWord.Trim()

        ' Double the single quote so it closes no string literal.
        chkWord = Replace(chkWord, "'", "''")

        ' Parentheses: stash "(" behind a placeholder first, because the
        ' replacement text for ")" itself contains "(" and ")" and would
        ' otherwise be rewritten again by the next rule.
        chkWord = Replace(chkWord, "(", "**CHAR40**")
        chkWord = Replace(chkWord, ")", "'+CHAR(41)+'")
        chkWord = Replace(chkWord, "**CHAR40**", "'+CHAR(40)+'")

        ' VB's Replace compares case-sensitively by default (Binary), so each
        ' casing of " or " gets its own rule, spelled out with T-SQL CHAR().
        chkWord = Replace(chkWord, " or ", " '+CHAR(111)+CHAR(114)+' ")
        chkWord = Replace(chkWord, " Or ", " '+CHAR(79)+CHAR(114)+' ")
        chkWord = Replace(chkWord, " OR ", " '+CHAR(79)+CHAR(82)+' ")
        chkWord = Replace(chkWord, " oR ", " '+CHAR(111)+CHAR(82)+' ")

        ' Comment marker and statement separator.
        chkWord = Replace(chkWord, "--", "'+CHAR(45)+CHAR(45)+'")
        chkWord = Replace(chkWord, ";", "'+CHAR(59)+'")

        Return chkWord
    End Function

--
※ Posted from: 批踢踢實業坊(ptt.cc) ◆ From: 210.64.14.87

1F  04/29 13:10
Wouldn't just passing parameters to the SQL be enough? @@
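As an added example (not code from the original post or the reply above), this is what the reply's suggestion looks like in VB.NET with System.Data.SqlClient: the query text is fixed and the user-supplied value travels separately as a typed parameter, so no escaping function is needed. The connection string, the Users table and its UserName column, and the @userName parameter name are assumptions made for illustration; the hostile input string is constructed.

```vb
' Added example, not code from the original post.
' Assumes SQL Server via System.Data.SqlClient and a hypothetical table
' Users(UserName NVARCHAR(50)).
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module ParameterizedQueryExample

    ' The pattern an escaping function like UnInjection tries to protect:
    ' raw input is pasted into the SQL text, so anything the blacklist
    ' misses becomes part of the statement the server parses.
    Public Function BuildConcatenatedSql(ByVal userName As String) As String
        Return "SELECT COUNT(*) FROM Users WHERE UserName = '" & userName & "'"
    End Function

    ' Parameterized version: the SQL text never changes, and the value is
    ' sent to the server as data. A quote, a semicolon or "--" inside
    ' userName is compared literally against the column and is never parsed
    ' as SQL, so no Replace() rules are needed.
    Public Function CountUsers(ByVal connectionString As String, ByVal userName As String) As Integer
        Const sql As String = "SELECT COUNT(*) FROM Users WHERE UserName = @userName"
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand(sql, conn)
                ' Declare type and length explicitly so the value is bound
                ' as NVARCHAR(50), matching the (assumed) column definition.
                cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = userName
                conn.Open()
                Return CInt(cmd.ExecuteScalar())
            End Using
        End Using
    End Function

    Sub Main()
        ' Constructed input: the kind of value the post's blacklist targets.
        Dim hostile As String = "' OR 1=1 --"

        ' Shows how concatenation turns the input into SQL syntax.
        Console.WriteLine("Concatenated: " & BuildConcatenatedSql(hostile))

        ' With a real connection string (assumption), the parameterized call
        ' just looks for a user whose name is literally "' OR 1=1 --".
        Dim connStr As String = "Server=.;Database=AppDb;Integrated Security=true"
        Console.WriteLine("Matching users: " & CountUsers(connStr, hostile))
    End Sub

End Module
```

The same idea applies to OleDbCommand/OleDbParameter if the backend is Access rather than SQL Server; only the parameter placeholder syntax (? instead of @name) changes.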
Article code (AID): #168pw3kU (Visual_Basic)