In a database system, one important problem is preventing SQL injection. The two simplest effective methods are:
1. Replace every single quote in the input data (strings) with two single quotes;
For example (ASP):
' Double every single quote in the input so it cannot terminate the string literal
strSql = "Select * From [pH_Person_Searcher] Where Perid='" & Replace(Perid, "'", "''") & "'"
2. Parameterize: pass the input as parameters, for example to a stored procedure, and let that perform the next step;
For example (ASP):
Set Rs = Server.CreateObject("ADODB.Recordset")
Set Cmd = Server.CreateObject("ADODB.Command")
Set Cmd.ActiveConnection = Conn
Cmd.CommandType = 4 'adCmdStoredProc
Cmd.CommandText = "Job_Search"
' Each parameter is created, given a value and appended exactly once
Set CmdParam = Cmd.CreateParameter("@nCurPage", 3, &H0001, 4) 'adInteger, adParamInput
CmdParam.Value = PageNo
Cmd.Parameters.Append CmdParam
Set CmdParam = Cmd.CreateParameter("@nPerPage", 3, &H0001, 4) 'adInteger, adParamInput
CmdParam.Value = Psize
Cmd.Parameters.Append CmdParam
Set CmdParam = Cmd.CreateParameter("@strCause", 200, &H0001, 400) 'adVarChar, adParamInput
CmdParam.Value = strSqlWhere
Cmd.Parameters.Append CmdParam
Set Rs = Cmd.Execute
……
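The following is an added example, not code from the original page; it shows both methods above side by side in Python with the standard-library sqlite3 driver instead of the page's ASP/ADO, using a constructed in-memory table (`person` with `id`, `perid`, `name`) rather than the page's `pH_Person_Searcher` or `Job_Search`. It also demonstrates the main limit of method 1: doubling quotes only protects a quoted string literal, so an unquoted numeric value must be bound as a typed parameter (the role adInteger plays for `@nCurPage` in the ADO snippet). Note that binding a whole WHERE-clause fragment such as `strSqlWhere` as `@strCause` only helps if the stored procedure treats it as a value and does not splice it into dynamic SQL; the example binds plain values.

```python
import sqlite3


def make_db():
    # Constructed sample data in a throwaway in-memory database (not the page's schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, perid TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO person (perid, name) VALUES (?, ?)",
        [("p001", "Alice"), ("p002", "Bob")],
    )
    conn.commit()
    return conn


def search_unsafe(conn, perid):
    # Vulnerable baseline: raw concatenation, shown only to contrast with the fixes.
    sql = "SELECT name FROM person WHERE perid='" + perid + "'"
    return [row[0] for row in conn.execute(sql)]


def search_quote_doubled(conn, perid):
    # Method 1: double every single quote, then concatenate. The input can no
    # longer terminate the string literal, so it is compared as one value.
    sql = "SELECT name FROM person WHERE perid='" + perid.replace("'", "''") + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, perid):
    # Method 2: bind the value as a parameter; the driver never makes it part
    # of the SQL text, so no escaping is needed at all.
    rows = conn.execute("SELECT name FROM person WHERE perid=?", (perid,))
    return [row[0] for row in rows]


def search_by_id_quote_doubled(conn, ident):
    # Limit of method 1: an unquoted numeric literal has no quote to break out
    # of, so doubling quotes changes nothing and the input is spliced in as SQL.
    sql = "SELECT name FROM person WHERE id=" + str(ident).replace("'", "''")
    return [row[0] for row in conn.execute(sql)]


def search_by_id_parameterized(conn, ident):
    # Typed parameter, like adInteger in the ADO code: non-numeric input is
    # rejected (ValueError) before it can reach the query text.
    rows = conn.execute("SELECT name FROM person WHERE id=?", (int(ident),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # constructed injection-style input
    print("unsafe:        ", search_unsafe(db, probe))            # both rows leak
    print("quote doubled: ", search_quote_doubled(db, probe))     # []
    print("parameterized: ", search_parameterized(db, probe))     # []
    print("numeric, quote doubled:", search_by_id_quote_doubled(db, "1 OR 1=1"))  # both rows leak
    print("numeric, parameterized:", search_by_id_parameterized(db, "1"))        # ['Alice']
```

Running the block shows the string-context probe returning every row through the unsafe function and nothing through either fix, while the numeric-context probe still returns every row through quote doubling and is rejected outright by the typed parameter.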