' Replace the single and double quotes in the login name and password before
' they are used further (original comment: 替换登陆名中的单引号和双引号).
' NOTE(review): in VB6/VBA a declaration of the form `Dim A, B As String`
' types only B; UserID stays Variant. If this runs as VBScript/ASP the
' `As String` clause is not accepted at all — confirm which host this is for.
Dim UserID, UserPWD As String
UserID = txtUid.Text
UserPWD = txtPwd.Text
' NOTE(review): the replacement strings below look garbled by HTML-entity
' decoding of the source page: replacing Chr(39) with "'" is a no-op, and
' """ is not a complete string literal (a literal double quote is written
' """"). The intended replacements were presumably HTML entities — confirm
' against the original post. Quote substitution is output encoding; when
' these values reach SQL, a parameterized ADODB.Command is the stronger control.
UserID = Replace(UserID, Chr(39), "'")
UserID = Replace(UserID, Chr(34), """)
UserPWD = Replace(UserPWD, Chr(39), "'")
UserPWD = Replace(UserPWD, Chr(34), """)
' NB联盟防注入函数 ReqNum / ReqStr
'---------------------------------------------------------------
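' ReqNum: read the request parameter StrName and return it only when it
' passes IsNumeric; otherwise write an error message and end the response.
' Parameters: StrName - name of the query-string/form field to read.
' Returns:    the parameter value as received, when it is numeric.
' Side effect: on a missing/blank or non-numeric value, writes the error
'             text and calls Response.End, so the function does not return.
' NOTE(review): IsNumeric is a loose format check (it accepts signs,
' exponents, currency/hex prefixes and surrounding whitespace), so the
' returned value is not canonicalized to a plain integer; for SQL use a
' parameterized ADODB.Command remains the stronger control.
Function ReqNum ( StrName )
    ReqNum = Request ( StrName )
    ' Reject a missing or blank parameter explicitly instead of relying on
    ' how IsNumeric happens to treat Empty; same error path as before.
    If Len(Trim(ReqNum & "")) = 0 Or Not IsNumeric(ReqNum) Then
        Response.Write "参数必须为数字型!"
        Response.End
    End If
End Function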
' ReqStr: read the request parameter StrName and double every single quote
' so the value can be embedded inside a single-quoted SQL string literal.
' Parameters: StrName - name of the query-string/form field to read.
' Returns:    the parameter value with each ' replaced by ''.
' NOTE(review): this only handles the single-quote delimiter; numeric
' contexts (see ReqNum) and LIKE wildcards are not addressed here.
Function ReqStr ( StrName )
    Dim rawValue
    rawValue = Request(StrName)
    ReqStr = Replace(rawValue, "'", "''")
End Function
用下面三句SQL语句说明一下调用方法：
1.SQL="Select * from Users where UserID=" & ReqNum("ID")
2.SQL="Select * from Users where UserID='" & ReqStr("ID") & "'"
3.SQL="Select * from Users where UserName like '%" & ReqStr("Name") & "%'"
重申一点:上面的方法无论对SQLServer库还是Access或是其它数据库,都是绝对适用、绝对安全,但注意一点,SQLServer的存储过程是个例外,该情况下要把单引号替换成四个单引号,以保安全。
来源:https://www.cnblogs.com/709481260qq/p/4993438.html