私はこれについてかなりの調査を行いましたが、まだ理解に問題があります。ただし、適切に保護されていることを確認したい。SQL インジェクションや DB へのブルート フォースの可能性を防ぐために、Classic ASP で関数を作成しました。より安全にするために、何かを追加したり、削除したり、問題を修正したりする必要がある場合は、ご意見やご提案をいただけますか? 事前にどうもありがとうございました!!
以下は、MySQL データベースに挿入する直前に使用します。
挿入例:
conn.execute("INSERT INTO " & employees & "(eid, first_name, last_name) VALUES('" & Clng(strEID) & "','" & SQLClean(strfirstname) & "','" & SQLClean(strlastname) & "');")
関数:
Private Function SQLClean(ByVal strString)
If strString <> "" Then
strString = Trim(strString)
'Remove malisous charcters from sql\
strString = replace(strString,"-shutdown","", 1, -1, 1)
strString = replace(strString,"\","\\", 1, -1, 1)
strString = replace(strString,"=","\=", 1, -1, 1)
strString = replace(strString,",","\,", 1, -1, 1)
strString = replace(strString,"`","\`", 1, -1, 1)
strString = replace(strString,"&","\&", 1, -1, 1)
strString = replace(strString,"/","\/", 1, -1, 1)
strString = replace(strString,"[","\[", 1, -1, 1)
strString = replace(strString,"]","\]", 1, -1, 1)
strString = replace(strString,"{","\{", 1, -1, 1)
strString = replace(strString,"}","\}", 1, -1, 1)
strString = replace(strString,"(","\(", 1, -1, 1)
strString = replace(strString,")","\)", 1, -1, 1)
strString = replace(strString,";","\;", 1, -1, 1)
strString = replace(strString,"+","\+", 1, -1, 1)
strString = replace(strString,"<","\<", 1, -1, 1)
strString = replace(strString,">","\>", 1, -1, 1)
strString = replace(strString,"^","\^", 1, -1, 1)
strString = replace(strString,"@","\@", 1, -1, 1)
strString = replace(strString,"$","\$", 1, -1, 1)
strString = replace(strString,"%","\%", 1, -1, 1)
strString = replace(strString,"!","\!", 1, -1, 1)
strString = replace(strString,"*","\*", 1, -1, 1)
strString = replace(strString,"~","\~", 1, -1, 1)
strString = replace(strString,"#","\#", 1, -1, 1)
strString = replace(strString,"?","\?", 1, -1, 1)
strString = replace(strString,"'","\'", 1, -1, 1)
strString = replace(strString,"""","\""", 1, -1, 1)
strString = replace(strString,"select","\select", 1, -1, 1)
strString = replace(strString,"insert","\insert", 1, -1, 1)
strString = replace(strString,"update","\update", 1, -1, 1)
strString = replace(strString,"delete","\delete", 1, -1, 1)
strString = replace(strString," or "," \or ", 1, -1, 1)
strString = replace(strString," and "," \and ", 1, -1, 1)
strString = replace(strString,"drop","\drop", 1, -1, 1)
strString = replace(strString,"union","\union", 1, -1, 1)
strString = replace(strString,"into","\into", 1, -1, 1)
'Return cleaned value.
SQLClean = Trim(strString)
End If
End Function