Function Filter_SQL(str)
    ' Blacklist filter: strip single quotes, statement separators and ampersands
    str = Replace(str,"'","")
    str = Replace(str,";","")
    str = Replace(str,"&","")
    ' Strip spaces in both URL-encoded and literal form
    str = Replace(str,"%20","")
    str = Replace(str," ","")
    ' Return the stripped string for use in the SQL statement
    Filter_SQL = str
End Function
The idea: remove the three most dangerous characters, ' ; and &, which already takes care of more than half of the risk.
Then remove spaces (both %20 and " "), so that constructs in the style of (select xxx from xxx where xxx)=xx no longer work either.
This makes it 99% safe.
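As an added example that is not part of the original page, the same blacklist ported to Python and run side by side with a parameterized query against a constructed SQLite table (the table, names and helper functions are assumptions for the demonstration). It shows what the filter does to legitimate values that happen to contain the stripped characters, and that binding the value as a parameter leaves it intact without splicing it into the statement text.

```python
import sqlite3

# Port of the page's Filter_SQL blacklist: same replacements, same order.
def filter_sql(s):
    for token in ("'", ";", "&", "%20", " "):
        s = s.replace(token, "")
    return s

def build_db():
    # Constructed sample data for the demonstration; not from the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    # Parameterized insert: the apostrophe, space and ampersand are passed
    # as data by the driver, so the stored names are exactly as given.
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("O'Brien",), ("Ann Lee",), ("R&D Team",)])
    conn.commit()
    return conn

def lookup_param(conn, name):
    # Placeholder binding: the value never becomes part of the SQL text.
    rows = conn.execute("SELECT name FROM users WHERE name = ?",
                        (name,)).fetchall()
    return [r[0] for r in rows]

def lookup_filtered(conn, name):
    # The page's approach: strip characters, then concatenate into the query.
    # Any legitimate value containing a stripped character no longer matches.
    safe = filter_sql(name)
    rows = conn.execute("SELECT name FROM users WHERE name = '" + safe + "'").fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db()
    for n in ("O'Brien", "Ann Lee", "R&D Team"):
        print(repr(n), "param:", lookup_param(db, n),
              "filtered:", lookup_filtered(db, n))
```

With the constructed data, every parameterized lookup returns its row while every filtered lookup returns nothing, because the stripped value no longer equals what was stored.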