¼¼Çɺ;÷ÇÏ£º·À·¶SQL×¢Èë¹¥»÷
¡¾ÔÎĵØÖ·¡¿Tip/Trick: Guard Against SQL Injection Attacks
¡¾ÔÎÄ·¢±íÈÕÆÚ¡¿ Saturday, September 30, 2006 9:11 AM
SQL×¢Èë¹¥»÷ÊǷdz£ÁîÈËÌÖÑáµÄ°²È«Â©¶´£¬ÊÇËùÓеÄweb¿ª·¢ÈËÔ±£¬²»¹ÜÊÇʲôƽ̨£¬¼¼Êõ£¬»¹ÊÇÊý¾Ý²ã£¬ÐèҪȷÐÅËûÃÇÀí½âºÍ·ÀÖ¹µÄ¶«Î÷¡£²»ÐÒµÄÊÇ£¬¿ª·¢ÈËÔ±ÍùÍù²»¼¯Öл¨µãʱ¼äÔÚÕâÉÏÃ棬ÒÔÖÁËûÃǵÄÓ¦Ó㬸üÔã¸âµÄÊÇ£¬ËûÃǵĿͻ§¼«ÆäÈÝÒ×Êܵ½¹¥»÷¡£
Michael Sutton ×î½ü·¢±íÁËһƪ·Ç³£·¢ÈËÉîÊ¡µÄÌû×Ó£¬½²ÊöÔÚ¹«¹²ÍøÉÏÕâÎÊÌâÊǶàôµØÆձ顣ËûÓÃGoogleµÄSearch API½¨ÁËÒ»¸öC#µÄ¿Í»§¶Ë³ÌÐò£¬Ñ°ÕÒÄÇЩÒ×ÊÜSQL ×¢Èë¹¥»÷µÄÍøÕ¾¡£Æä²½ÖèºÜ¼òµ¥£º
Ñ°ÕÒÄÇЩ´ø²éѯ×Ö·û´®µÄÍøÕ¾(ÀýÈ磬²éѯÄÇЩÔÚURLÀï´øÓÐ "id=" µÄURL)
¸øÕâЩȷ¶¨Îª¶¯Ì¬µÄÍøÕ¾·¢ËÍÒ»¸öÇëÇ󣬸ıäÆäÖеÄid=Óï¾ä£¬´øÒ»¸ö¶îÍâµÄµ¥ÒýºÅ£¬À´ÊÔͼȡÏûÆäÖеÄSQLÓï¾ä(ÀýÈ磬Èç id=6' )
·ÖÎö·µ»ØµÄ»Ø¸´£¬ÔÚÆäÖвéÕÒÏó“SQL” ºÍ“query”ÕâÑùµÄ´Ê£¬ÕâÍùÍù±íʾӦÓ÷µ»ØÁËÏêϸµÄ´íÎóÏûÏ¢(Õâ±¾ÉíÒ²ÊǺÜÔã¸âµÄ)
¼ì²é´íÎóÏûÏ¢ÊÇ·ñ±íʾ·¢Ë͵½SQL·þÎñÆ÷µÄ²ÎÊýûÓб»ÕýÈ·¼ÓÂë(encoded)£¬Èç¹ûÈç´Ë£¬ÄÇô±íʾ¿É¶Ô¸ÃÍøÕ¾½øÐÐSQL×¢Èë¹¥»÷
¶Ôͨ¹ýGoogleËÑÑ°ÕÒµ½µÄ1000¸öÍøÕ¾µÄËæ»úÈ¡Ñù²âÊÔ£¬Ëû¼ì²âµ½ÆäÖеÄ11.3%ÓÐÒ×ÊÜSQL×¢Èë¹¥»÷µÄ¿ÉÄÜ¡£Õâ·Ç³££¬·Ç³£µØ¿ÉÅ¡£ÕâÒâζןڿͿÉÒÔÔ¶³ÌÀûÓÃÄÇЩӦÓÃÀïµÄÊý¾Ý£¬»ñÈ¡ÈκÎûÓÐhashed»ò¼ÓÃܵÄÃÜÂë»òÐÅÓÿ¨Êý¾Ý£¬ÉõÖÁÓÐÒÔ¹ÜÀíÔ±Éí·ÝµÇ½½øÕâЩӦÓõĿÉÄÜ¡£Õâ²»½ö¶Ô¿ª·¢ÍøÕ¾µÄ¿ª·¢ÈËÔ±À´ËµºÜÔã¸â£¬¶øÇÒ¶ÔʹÓÃÍøÕ¾µÄÏû·ÑÕß»òÓû§À´Ëµ¸üÔã¸â£¬ÒòΪËûÃǸøÍøÕ¾ÌṩÁËÊý¾Ý£¬Ïë×ÅÍøÕ¾ÊÇ°²È«µÄÄØ¡£
ÄÇôSQL×¢Èë¹¥»÷µ½µ×ÊÇʲôÍæÒ⣿
Óм¸ÖÖÇéÐÎʹµÃSQL×¢Èë¹¥»÷³ÉΪ¿ÉÄÜ¡£×î³£¼ûµÄÔÒòÊÇ£¬Ä㶯̬µØ¹¹ÔìÁËSQLÓï¾ä£¬È´Ã»ÓÐʹÓÃÕýÈ·µØ¼ÓÁËÂë(encoded)µÄ²ÎÊý¡£Æ©È磬¿¼ÂÇÕâ¸öSQL²éѯµÄ±àÂ룬ÆäÄ¿µÄÊǸù¾ÝÓɲéѯ×Ö·û´®ÌṩµÄÉç»á±£ÏÕºÅÂë(social security number)À´²éѯ×÷Õß(Authors)£º
Dim SSN as String
Dim SqlQuery as String
SSN = Request.QueryString("SSN")
SqlQuery = "SELECT au_lname, au_fname from authors WHERE au_id = '" + SSN + "'"
Èç¹ûÄãÓÐÏóÉÏÃæÕâ¸öƬ¶ÏÒ»ÑùµÄSQL±àÂ룬ÄÇôÄãµÄÕû¸öÊý¾Ý¿âºÍÓ¦ÓÿÉÒÔÔ¶³ÌµØ±»ºÚµô¡£Ôõô»áÄØ£¿ÔÚÆÕͨÇéÐÎÏ£¬Óû§»áʹÓÃÒ»¸öÉç»á±£ÏÕºÅÂëÀ´·ÃÎÊÕâ¸öÍøÕ¾£¬±àÂëÊÇÏó
Ïà¹ØÎĵµ£º
from: http://blog.163.com/ck275601774/blog/static/1230468012009631113559291/
--ÈÕÆÚת»»²ÎÊý
select CONVERT(varchar,getdate(),120)
--2009-03-15 15:10:02
select replace(replace(replace(CONVERT(varchar, getdate(), 120 ),'-',''),' ',''),':','')
--20090315151201
select CONVERT(varchar(12) , getdate ......
1.˵Ã÷£º¸´ÖƱí(Ö»¸´Öƽṹ,Ô´±íÃû£ºa бíÃû£ºb)
SQL: select * into b from a where 11
2.˵Ã÷£º¿½±´±í(¿½±´Êý¾Ý,Ô´±íÃû£ºa Ä¿±ê±íÃû£ºb)
SQL: insert into b(a, b, c) select d,e,f from a;
3.˵Ã÷£ºÏÔʾÎÄÕ¡¢Ìá½»È˺Í×îºó»Ø¸´Ê±¼ä
SQL: select a.title,a.username,b.adddate from table a,(select max(adddat ......
if exists(select 1 from sysobjects where name='char_index')
drop function char_index
create function char_index(@string varchar(8000),@char varchar(10),@index smallint)
--@string:´ý²éÕÒ×Ö·û´®£¬@index:²éÕÒλÖÃ
returns smallint
as
begin
declare
@i tinyint,--µ±Ç°ÕÒµ½µÚ@i¸ö
......
¼ò½é
ÔÚÕâƪÎÄÕÂÖУ¬ÎÒÁоÙһЩsqlÓï¾äÀ´½éÉÜÊý¾Ý¿â£¬Êý¾Ý±í£¬ÊÓͼµÈµÈ¡£µ±ÎÒÃÇÔÚʹÓòéѯ²éѯ²Ù×÷ʱÕâЩsqlÓï¾ä¶¼ÊǷdz£ÓÐÓõġ£ËäÈ»ÔÚsql server¶ÔÏóä¯ÀÀÆ÷ÖÐÎÒÃÇÒ²¿ÉÒÔ»ñµÃÕâЩÓï¾ä£¬µ«ÊÇÈç¹ûÎÒÃÇдÕâЩÓï¾äʱÎÒÃÇ¿ÉÒÔ½«Ëü×Ô¶¨Òå¡£Õâ¾ÍÒâζ×ÅÎÒÃÇ¿ÉÒÔ¸øÓè×Ô¼ºµÄÐèÇóÀ´¹ýÂ˽á¹û¡£
sqlÓï¾äÁбí
ÈçºÎÁоÙsql serverµ±Ç°Á ......
¶ÔÓÚsqlÖеĺ¯Êý¿ÉνÊǶàµÄ²»Ê¤Ã¶¾Ù£¬±¾ÎÄ´Ó³£Óú¯ÊýµÄ½Ç¶È¶ÔÆ亯Êý½øÐÐ×ܽ᣺1¡¢ÈÕÆÚºÍʱ¼äº¯Êý2¡¢×Ö·û´®º¯Êý3¡¢ÏµÍ³º¯ÊýÁ÷³Ì¿ØÖÆÓï¾ä
1¡¢ ÈÕÆÚºÍʱ¼äº¯Êý
¶ÔÓÚÈÕÆÚº¯ÊýÎÒÃÇ¿ÉÒÔ·ÖΪ2СÀà½øÐзÖÎö´¦Àí£¬
A¡¢ ÈÕÆÚµÄÕûÌå´¦Àíº¯Êý£¬¾ßÌåµÄº¬ÒåºÍÓï·¨ÈçÏÂËùʾ£º
DATEADD(datepart,number,date)
µÚÒ»¸ö²ÎÊý˵Ã÷ÒªÌí ......
