时间:2022-12-06 01:25
存储过程防止 SQL 注入的方法：对特殊字符进行过滤（转义）。例如，下面这个 T-SQL 函数会在要传给命令行（cmdshell）的字符串中的特殊符号前加上 '^' 进行转义：
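-- Function:    fn_escapecmdshellstring
-- Description: Returns an escaped version of a given string with carets ('^')
--              added in front of each of the cmd.exe metacharacters listed in
--              the IN (...) list below, so the string can be handed to the
--              command shell without those characters being interpreted.
--              Only those characters are escaped; SQL quoting (e.g. the single
--              quote) is not touched, so this is not a substitute for
--              parameterized SQL when statements are built from user input.
-- Parameter:   @command_string nvarchar(4000) - the raw string to escape.
--              NULL input yields N'' (the loop never runs).
-- Returns:     nvarchar(4000) - the escaped string, or NULL when the escaped
--              form would not fit in 4000 characters. Returning NULL fails
--              closed instead of returning a silently truncated command.
--
CREATE FUNCTION dbo.fn_escapecmdshellstring (
    @command_string nvarchar(4000)
)
RETURNS nvarchar(4000)
AS
BEGIN
    DECLARE @escaped_command_string nvarchar(4000),
            @curr_char              nvarchar(1),
            @curr_prefix            nvarchar(1),
            @curr_char_index        int;

    SELECT @escaped_command_string = N'',
           @curr_char              = N'',
           @curr_prefix            = N'',
           @curr_char_index        = 1;

    -- DATALENGTH / 2 counts UTF-16 code units including trailing blanks;
    -- LEN() ignores trailing spaces and would drop them from the output.
    WHILE @curr_char_index <= DATALENGTH(@command_string) / 2
    BEGIN
        SET @curr_char = SUBSTRING(@command_string, @curr_char_index, 1);

        -- Metacharacters that cmd.exe would otherwise interpret.
        SET @curr_prefix = CASE
            WHEN @curr_char IN (N'%', N'<', N'>', N'|', N'&', N'(', N')', N'^', N'"')
                THEN N'^'
            ELSE N''
        END;

        -- Fail closed: an escaped command that no longer fits in the
        -- nvarchar(4000) result must not be returned cut off, because a
        -- truncated command is a different command.
        IF DATALENGTH(@escaped_command_string) / 2 + LEN(@curr_prefix) + 1 > 4000
        BEGIN
            RETURN NULL;
        END

        SET @escaped_command_string = @escaped_command_string + @curr_prefix + @curr_char;
        SET @curr_char_index = @curr_char_index + 1;
    END

    RETURN @escaped_command_string;
END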