How can I prevent SQL injection?
Posted: 2015-09-07 02:52:23

Question:
I have the following code, which prompts the user to enter his username and password in a form. The username and password are checked against a database and, if they are correct, the user is logged in. However, this code can very easily be SQL-injected, for example by typing:
UserName = 'x' and UserPwd = 'x' or 'x'
Could someone help me modify the code to prevent SQL injection? The code is as follows:
<%@LANGUAGE=Jscript%>
<%
// ----- GLOBALS DECLARATIONS ----------------------------------------------------------------------------
var CKEDir = "ckeditor/";
var DB = Server.MapPath("DB/CMS.MDB");
// NOTE: getAccess() below also reads a global PageID that the including page is expected to set.

// ----- GENERAL PURPOSE FUNCTIONS -----------------------------------------------------------------------
// Uses regular expressions to change all single quotes in a string to the HTML
// entity &#39; and replaces all carriage return and newline characters with spaces.
// This is meant to make the string safe to incorporate in a SQL statement, but
// note that nothing in this file actually calls it: logInUser splices raw input.
function cleanString(s)
{
    s = s.replace(/'/g, "&#39;");   // single quote -> HTML numeric entity
    s = s.replace(/[\r\n]/g, ' ');
    return s;
}

// ----- DATABASE FUNCTIONS ------------------------------------------------------------------------------
// Creates a connection to the Access database named by the global DB.
function getDBConnection()
{
    var DBCon = Server.CreateObject("ADODB.Connection");
    var DBasePath = DB;
    var ConStr = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" + DBasePath + ";Persist Security Info=False";
    DBCon.Open(ConStr, "", "");
    return DBCon;
}

// Increments the counter for the current page (identified by the global PageID) in
// table Counters, and returns a string indicating how many times the page was accessed.
// PageID is concatenated into the SQL text here in the same way as name/pwd in logInUser.
function getAccess()
{
    var msg = '';
    if (PageID)
    {
        var DBConn = getDBConnection();
        var Td = new Date();
        var SQL = "SELECT * FROM Counters WHERE PageID=" + PageID;
        var RS = DBConn.Execute(SQL);
        var AccessCount, AccessSince;
        if (RS.Eof)
        {
            // Page counter does not yet exist - create it.
            AccessCount = 1;
            AccessSince = new Date();
            SQL = "INSERT INTO Counters ([PageID]) VALUES (" + PageID + ")";
        }
        else
        {
            // Page counter exists, increment it.
            AccessCount = RS("Hits").value + 1;
            AccessSince = RS("Created").value;
            SQL = "UPDATE Counters SET [Hits]=" + AccessCount + " WHERE [PageID]=" + PageID;
        }
        RS = DBConn.Execute(SQL);
        DBConn.Close();
        msg = AccessCount + " visits since " + AccessSince;
    }
    return msg;
}

// ----- LOGGING IN AND OUT FUNCTIONS --------------------------------------------------------------------
// Returns true if user is logged in.
function isLoggedIn()
{
    return Session("UserID");
}

// Checks the given name and password against the Users table.
// No validation of the user input is performed and both values are concatenated
// straight into the SQL text, so this function is susceptible to SQL injection.
// (This is the vulnerable version the question asks about; its behaviour is kept as posted.)
function logInUser(name, pwd)
{
    var DBConn = getDBConnection();
    var SQL = "SELECT * FROM Users WHERE UserName = '" + name + "' and UserPwd = '" + pwd + "'";
    var RS = DBConn.Execute(SQL);
    var valid = !RS.Eof;
    if (valid)
    {
        Session("UserID") = RS("UserID").value;
        Session("UserName") = RS("UserName").value;
        Session("UserFullName") = RS("UserFirstName").value + ' ' + RS("UserLastName").value;
    }
    DBConn.Close();
    return valid;
}

// Logs out current user.
function logOutUser()
{
    Session("UserID") = 0;
}

// Returns full name of currently logged in user if any.
function loggedInUser()
{
    var msg = '';
    if (Session("UserID")) msg = Session("UserFullName");
    return msg;
}

// Returns true if current user can edit content.
// Currently allows any authenticated user to edit content.
function inEditMode()
{
    return isLoggedIn();
}
%>
Comments:
Use queries with bind variables or stored procedures. While you're at it, you should also stop storing user passwords in plain text.
Can you give me an example?

Tags: SQL Injection, Password, Credential Protection

Answer 1:
Use parameterized queries. They prevent SQL injection.
Click here for more documentation
This prevents the SQL string from being hijacked by malicious input.
Good luck!
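The parameterized query the answer recommends, written out for the question's own classic ASP / JScript / Jet (Access) setup. This is an added example, not code from the original question or answer: it reuses the page's getDBConnection() helper and the Users columns the question's code reads, and the function name logInUserSafe is an assumption. The ADO constant values (adVarWChar = 202, adParamInput = 1, adCmdText = 1) are the ones defined by the ADO type library; they are spelled out because the page does not include adojavas.inc. The two ? placeholders are filled by the provider from the bound parameters, so the user's input is never part of the SQL text, whatever quotes or keywords it contains.

```jscript
<%@LANGUAGE=Jscript%>
<%
// ADO constants from the ADO type library (normally pulled in via adojavas.inc).
var adVarWChar   = 202;   // Unicode variable-width string
var adParamInput = 1;     // input parameter
var adCmdText    = 1;     // CommandText is a SQL statement

// Hypothetical replacement for logInUser (added example, not the page's code):
// same lookup and same Session assignments, but name and pwd are bound as
// parameters instead of being concatenated into the statement.
function logInUserSafe(name, pwd)
{
    var DBConn = getDBConnection();           // the page's own helper
    var Cmd = Server.CreateObject("ADODB.Command");
    Cmd.ActiveConnection = DBConn;
    Cmd.CommandType = adCmdText;
    Cmd.CommandText = "SELECT UserID, UserName, UserFirstName, UserLastName " +
                      "FROM Users WHERE UserName = ? AND UserPwd = ?";

    // Each ? is bound positionally to the parameter appended in the same order.
    // Size 255 is an assumed upper bound for the text columns; adjust to the schema.
    Cmd.Parameters.Append(Cmd.CreateParameter("name", adVarWChar, adParamInput, 255, name));
    Cmd.Parameters.Append(Cmd.CreateParameter("pwd",  adVarWChar, adParamInput, 255, pwd));

    var RS = Cmd.Execute();
    var valid = !RS.Eof;
    if (valid)
    {
        Session("UserID")       = RS("UserID").value;
        Session("UserName")     = RS("UserName").value;
        Session("UserFullName") = RS("UserFirstName").value + ' ' + RS("UserLastName").value;
    }
    RS.Close();
    DBConn.Close();
    return valid;
}

// Check with the kind of input the question describes: the whole string is
// compared literally against UserName, no row matches, and valid is false.
var injected = logInUserSafe("x' or 'x'='x", "x");
Response.Write(injected ? "logged in (bug!)" : "rejected");
%>
```

Two caveats that follow from the page's own code. First, getAccess() splices the global PageID into its SELECT, INSERT and UPDATE statements the same way logInUser splices name and pwd, so it needs the same Command/Parameter treatment (bind PageID as a numeric parameter) or it remains an injection point. Second, as the commenter notes, this version still compares the password in plain text; binding the parameter fixes the injection, not the password storage, which is a separate change.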