Preventing SQL injection as requests arrive at a page
First, write a SQL-injection filter class. It scans every query-string and form value for suspicious SQL fragments and redirects the request to an error page when one is found. Treat this as defence in depth only: a request-level keyword blacklist can be bypassed and also rejects legitimate input, so the queries behind the page must still use parameters rather than string concatenation.
using System;
using System.Web;
public class SqlFilter
{
    #region SQL injection attack code analysis
    /// <summary>
    /// Inspects the current request's query-string and form values. Call it from Application_BeginRequest in Global.asax so it runs before any page code touches the request.
    /// </summary>
    public void StartProcessRequest()
    {
        string sqlErrorPage = "~/no.html"; // error page the request is redirected to
        HttpContext ctx = HttpContext.Current;
        try
        {
            if (ctx.Request.QueryString != null)
            {
                for (int i = 0; i < ctx.Request.QueryString.Count; i++)
                {
                    string key = ctx.Request.QueryString.Keys[i];
                    if (!ProcessSqlStr(ctx.Request.QueryString[key]))
                    {
                        RejectRequest(ctx, sqlErrorPage);
                        return; // one redirect is enough; do not keep scanning and redirecting
                    }
                }
            }
            if (ctx.Request.Form != null)
            {
                for (int i = 0; i < ctx.Request.Form.Count; i++)
                {
                    string key = ctx.Request.Form.Keys[i];
                    if (key == "__VIEWSTATE") continue; // base64 view state, not user-typed text
                    if (!ProcessSqlStr(ctx.Request.Form[key]))
                    {
                        RejectRequest(ctx, sqlErrorPage);
                        return;
                    }
                }
            }
        }
        catch (Exception)
        {
            // The original listing is cut off before its catch block; failing closed (treat a filter error like a hit) is the safer reconstruction.
            RejectRequest(ctx, sqlErrorPage);
        }
    }
    /// <summary>
    /// Redirect(url, false) sets the Location header without aborting the thread, and CompleteRequest skips the rest of the pipeline. The original author commented out Response.End() because it throws ThreadAbortException.
    /// </summary>
    private static void RejectRequest(HttpContext ctx, string errorPage)
    {
        ctx.Response.Redirect(errorPage, false);
        ctx.ApplicationInstance.CompleteRequest();
    }
    /// <summary>
    /// Returns false when the value contains a blacklisted SQL fragment. The page does not show this method; the keyword list below is a reconstruction of the usual approach, not the author's list.
    /// Such lists are bypassable (comments, encoding, alternative syntax) and reject legitimate input, so the queries themselves must still be parameterized.
    /// </summary>
    private static bool ProcessSqlStr(string value)
    {
        if (string.IsNullOrEmpty(value)) return true;
        string[] badWords = { "'", "--", ";", "exec", "insert", "select", "delete", "update", "drop", "union", "xp_" };
        string lowered = value.ToLowerInvariant();
        foreach (string word in badWords)
            if (lowered.Contains(word)) return false;
        return true;
    }
    #endregion
}
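To show why a request-level blacklist like the one above still needs parameterized queries behind it, here is an added example; it is not from the original post, and it uses Python with sqlite3 rather than the post's C#, because the weakness of keyword blacklisting does not depend on the platform. The blacklist, the users table and the three inputs are constructed for the demonstration; the page never shows the real ProcessSqlStr, so its list is an assumption.

```python
import sqlite3

# Keyword blacklist in the spirit of the page's ProcessSqlStr. The original page
# does not show its list; this one is constructed for the demonstration.
BLACKLIST = ("'", "--", ";", " or ", " and ", "exec", "insert", "select",
             "delete", "update", "drop", "union", "xp_")


def process_sql_str(value: str) -> bool:
    """Return True when the value contains none of the blacklisted fragments,
    i.e. when the request-level filter would let it through."""
    lowered = value.lower()
    return not any(fragment in lowered for fragment in BLACKLIST)


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_concat(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable: the request value is pasted into the SQL text."""
    return conn.execute("SELECT name FROM users WHERE id = " + user_id).fetchall()


def lookup_param(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened: the driver sends the value as data, never as SQL."""
    return conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()


def demo() -> dict:
    """Run three inputs through the filter and both query styles."""
    inputs = {
        "legit": "2",
        "naive": "1 OR 1=1",          # caught by the " or " entry
        "bypass": "1/**/OR/**/1=1",   # SQL comments stand in for the spaces
    }
    results = {}
    for label, value in inputs.items():
        conn = make_db()
        passes = process_sql_str(value)
        results[label] = {
            "filter_passes": passes,
            # the filtered path only reaches the query when the filter passes
            "concat": lookup_concat(conn, value) if passes else "blocked",
            "param": lookup_param(conn, value),
        }
        conn.close()
    # A legitimate value the blacklist rejects: "select" inside an ordinary word.
    results["false_positive"] = process_sql_str("Selection of tapes")
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The bypass input passes the filter and, through the concatenated query, returns every row; the same input through the parameterized query matches nothing, because the driver compares the literal text against the integer column instead of parsing it as SQL. The last entry shows the other cost of blacklisting: harmless input containing a keyword is rejected.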
Related documents:
The following tables describe certain SQL limits. Adhering to the most restrictive case can help the programmer design application programs that are easily portable.
Table 7. Identifier Length Limits
Description | Limit in Bytes
Longest authorization name (can only be single-byte characters) | ......
create table tabReProc
(
    name varchar(30),
    age integer,
    primary key (name, age)
)
insert into tabReProc values ('x7700', 20)
insert into tabR ......
Reposted from
http://topic.csdn.net/t/20050110/09/3711952.html
In Access, dates must be delimited with #, not double quotes:
select * from kc where rq > #2000-01-01# and rq < #2002-01-01#
Don't use between; it is far too slow.
Use # instead of ......
Cursor: a pointer or handle to the context area in which a SQL statement is processed
-----|-1 Static cursors
     |---1.1 Implicit cursors
     |       Handle INSERT, DELETE and UPDATE statements, and SELECT statements that return exactly one row
     | ......