uni'on sel'ect @@version-'-
Because the filter deletes single quotes, an attacker can scatter single quotes through the strings on its known-bad list so that the keyword check never sees them.
Below is some validation code:
Method 1: escaping single quotes
' Double every single quote so user input cannot terminate a string literal
function escape( input )
    input = replace( input, "'", "''" )
    escape = input
end function
Method 2: rejecting known-bad input
' Reject the input if it contains any token on the known-bad list
' (vbTextCompare makes the search case-insensitive)
function validate_string( input )
    known_bad = array( "select", "insert", "update", "delete", "drop", "--", "'" )
    validate_string = true
    for i = lbound( known_bad ) to ubound( known_bad )
        if ( instr( 1, input, known_bad(i), vbTextCompare ) <> 0 ) then
            validate_string = false
            exit function
        end if
    next
end function
Method 3: allowing only known-good input
' Accept the input only if every character is on the allow-list
function validatepassword( input )
    good_password_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    validatepassword = true
    for i = 1 to len( input )
        c = mid( input, i, 1 )
        if ( instr( good_password_chars, c ) = 0 ) then
            validatepassword = false
            exit function
        end if
    next
end function
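The following is an added example, not code from the original paper: the three VBScript validators above rewritten in Python so they can be run side by side against the page's own interleaved-quote string. The functions weak_filter and strict_filter, the KEYWORDS_ONLY list and the sample inputs are constructed for this illustration. weak_filter models the ordering the text describes, a keyword blacklist checked on the raw input and single quotes deleted afterwards, while strict_filter applies the same blacklist to the normalised form, and validate_password is the allow-list check.

```python
"""Added example: the page's three validators in Python, plus a constructed
check-then-strip filter showing why scattered quotes defeat a blacklist."""


# Method 1: escape single quotes by doubling them so they stay inside the literal.
def escape(value: str) -> str:
    return value.replace("'", "''")


# Method 2: reject input containing any known-bad token, case-insensitively.
KNOWN_BAD = ("select", "insert", "update", "delete", "drop", "--", "'")


def validate_string(value: str) -> bool:
    lowered = value.lower()
    return not any(bad in lowered for bad in KNOWN_BAD)


# Method 3: accept only characters on an explicit allow-list.
GOOD_PASSWORD_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
)


def validate_password(value: str) -> bool:
    return all(c in GOOD_PASSWORD_CHARS for c in value)


# Constructed weak filter (not from the page): the keyword blacklist is checked
# on the raw input and single quotes are deleted afterwards, so the deletion
# re-joins fragments the blacklist never saw.
KEYWORDS_ONLY = tuple(bad for bad in KNOWN_BAD if bad != "'")


def weak_filter(value: str):
    """Return the sanitised string, or None if the blacklist rejected it."""
    if any(bad in value.lower() for bad in KEYWORDS_ONLY):
        return None
    return value.replace("'", "")


def strict_filter(value: str):
    """Same blacklist, but applied after normalisation (quotes already deleted)."""
    stripped = value.replace("'", "")
    if any(bad in stripped.lower() for bad in KEYWORDS_ONLY):
        return None
    return stripped


# Constructed sample inputs: the page's own string and a benign password.
PAYLOAD = "uni'on sel'ect @@version-'-"
BENIGN = "Passw0rd"


def run_all(value: str) -> dict:
    """Apply every method to one input and collect the verdicts."""
    return {
        "escaped": escape(value),
        "blacklist_ok": validate_string(value),
        "allowlist_ok": validate_password(value),
        "weak_filter": weak_filter(value),
        "strict_filter": strict_filter(value),
    }


if __name__ == "__main__":
    for label, value in (("payload", PAYLOAD), ("benign", BENIGN)):
        print(label, run_all(value))
```

Running it shows the point of the text: weak_filter lets the scattered-quote string through and hands back a re-joined keyword string, while strict_filter (blacklist after normalisation) and validate_password (allow-list) both reject it, and escape keeps the quotes inside the literal rather than deleting them. Of the three methods on the page, the allow-list is the one whose verdict does not depend on guessing the attacker's token set.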