ASP程序防止SQL注入的最好办法./

ASP程序防止SQL注入的最好办法

答案：
<%connstr = "Driver={SQL Server};server=;uid=sa;pwd=sa;database=hkpangnet;"Set conn = Server.Createobject("ADODB.Connection")conn.open connstrfunction CloseDatabaseConn.closeSet conn = NothingEnd Function%><%'过滤sql注入代码及HTML代码防护function nosql(str)if not isnull(str) thenstr=trim(str)str=replace(str,";","&#59;")'分号str=replace(str,"'","")'单引号str=replace(str,"""","&quot;")'双引号str=replace(str,"chr(9)","&nbsp;")'空格str=replace(str,"chr(10)","<br>")'回车str=replace(str,"chr(13)","<br>")'回车str=replace(str,"chr(32)","&nbsp;")'空格str=replace(str,"chr(34)","&quot;")'双引号str=replace(str,"chr(39)","&#39;")'单引号str=Replace(str, "script", "&#115cript")'scriptstr=Replace(str, "select", "")'selectstr=Replace(str, "delete", "")'deletestr=Replace(str, "update", "")'updatestr=Replace(str, "insert", "")'insertstr=replace(str,"<","")        '左<str=replace(str,">","")        '右>str=replace(str,"(","&#40;")        '左(str=replace(str,")","&#41;")        '右)str=replace(str,"--","&#45;&#45;")'SQL注释符nosql=strend ifend function%>把它存在ＣＯＮＮ。ＡＳＰ，就行了。基本上没有攻击的余地
在所有得到的语句的'和"符号前  加一个字符'

上一个：为什么装了IIS了ASP还预览不了？
下一个：Asp.net中如何防止用户多次登录?