Actually SQL injection, to put it plainly, is about looking at the error messages you are given and cleverly constructing the SQL statement from them;
when writing programs, whether it is an input or a select, don't use the default request directly; the same applies to POST uploads, it depends on the specific situation;
below is a piece of anti-SQL-injection code I wrote; it just filters out the common SQL injection characters, and ad and nb can no longer detect the vulnerability:
' Loop over every query-string parameter and end the response if the value
' contains any blacklisted substring (InStr without a compare argument is
' case-sensitive, so "AND" or "Exec" are not matched).
for each element in request.QueryString
    if instr(request.QueryString(element),"';")>0 or instr(request.QueryString(element),";")>0 or instr(request.QueryString(element),"and")>0 or instr(request.QueryString(element),"%")>0 or instr(request.QueryString(element),"/add")>0 or instr(request.QueryString(element),"net")>0 then
        response.Write("")
        response.End()
    ' A double quote inside a VBScript string literal is written as "", so the
    ' literal for a single double-quote character is """" (the original """ did not parse)
    elseif instr(request.QueryString(element),"exec")>0 or instr(request.QueryString(element),"char")>0 or instr(request.QueryString(element),"""")>0 or instr(request.QueryString(element),"truncate")>0 or instr(request.QueryString(element),"update")>0 or instr(request.QueryString(element),"Asc")>0 then
        response.Write("")
        response.End()
    end if
next
I put it inside conn; there are surely still holes in it. I hope 黑海 can come up with something that solves this once and for all!
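As an added example (not the poster's code, and a Python port rather than ASP so it can be run offline), the snippet below reproduces the blacklist from the filter above, feeds it a payload that contains none of the listed substrings, and runs that payload against a string-concatenated query versus a parameterised one. The `users` table, the `login_concat`/`login_param` function names and the sample rows are constructed for the demonstration; the database is an in-memory SQLite instance standing in for the ASP page's `conn`.

```python
import sqlite3

# Blacklist copied from the ASP filter. VBScript's InStr is case-sensitive by
# default, so a plain substring test is the faithful port.
BLACKLIST = ["';", ";", "and", "%", "/add", "net", "exec", "char", '"',
             "truncate", "update", "Asc"]


def asp_filter_rejects(value: str) -> bool:
    """True if the ASP filter above would call response.End() on this value."""
    return any(bad in value for bad in BLACKLIST)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES(?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concat(conn: sqlite3.Connection, user: str, pwd: str) -> list:
    """Vulnerable: mirrors the classic-ASP habit of gluing request values
    straight into the SQL string."""
    sql = ("SELECT name FROM users WHERE name='%s' AND pwd='%s' ORDER BY name"
           % (user, pwd))
    return [row[0] for row in conn.execute(sql)]


def login_param(conn: sqlite3.Connection, user: str, pwd: str) -> list:
    """Hardened: the values travel as bound parameters, so quotes in them are
    data, not SQL. (In ASP the equivalent is ADODB.Command with Parameters.)"""
    sql = "SELECT name FROM users WHERE name=? AND pwd=? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (user, pwd))]


def demo() -> dict:
    """Run the three checks and return the results for inspection."""
    conn = make_db()
    payload = "' OR '1'='1"          # no ';', 'and', '"', '%', ... : passes the filter
    return {
        "filter_blocks_payload": asp_filter_rejects(payload),      # False
        "filter_blocks_lowercase_and": asp_filter_rejects("1 and 1=1"),  # True
        "filter_blocks_uppercase_and": asp_filter_rejects("1 AND 1=1"),  # False
        "filter_blocks_janet": asp_filter_rejects("janet"),        # True (contains "net")
        "concat_rows": login_concat(conn, "nobody", payload),      # every user
        "param_rows": login_param(conn, "nobody", payload),        # nobody
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The filter lets `' OR '1'='1` through untouched and rejects the legitimate username `janet`, while `1 AND 1=1` passes simply because the blacklist entry is lower-case; the parameterised query, by contrast, treats the whole payload as a password string and returns no rows.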