The main places in an ASP application that need injection protection are:
1. Address-bar (query string) parameters, i.e. values read with Request.QueryString
2. Form parameters, i.e. values read with Request.Form
3. Cookies
It really comes down to one principle: every place where the user can enter a value and interact with the application has to be guarded.
Write a function that intercepts the values submitted at these places and compares them against an array holding the sensitive characters that are to be filtered or checked.
Here is my filter function:
The following is a quoted snippet:
Function ChkStr(Str)
    If IsNull(Str) Then
        ChkStr = ""
        Exit Function
    End If
    ' Drop NUL bytes
    Str = Replace(Str, Chr(0), "", 1, -1, 1)
    ' HTML-encode the characters that can break out of a tag or attribute
    ' (the entities were rendered away in extraction and are restored here)
    Str = Replace(Str, """", "&quot;", 1, -1, 1)
    Str = Replace(Str, "<", "&lt;", 1, -1, 1)
    Str = Replace(Str, ">", "&gt;", 1, -1, 1)
    ' Defang tag names by swapping the first letter for its full-width form.
    ' The replacement strings were flattened to plain ASCII in extraction; the
    ' full-width letters below are what the widely circulated version of this
    ' function uses. compare = 0 is a binary (case-sensitive) match,
    ' compare = 1 is a textual (case-insensitive) match.
    Str = Replace(Str, "script", "ｓcript", 1, -1, 0)
    Str = Replace(Str, "SCRIPT", "ＳCRIPT", 1, -1, 0)
    Str = Replace(Str, "Script", "Ｓcript", 1, -1, 0)
    Str = Replace(Str, "script", "Ｓcript", 1, -1, 1)
    Str = Replace(Str, "object", "ｏbject", 1, -1, 0)
    Str = Replace(Str, "OBJECT", "ＯBJECT", 1, -1, 0)
    Str = Replace(Str, "Object", "Ｏbject", 1, -1, 0)
    Str = Replace(Str, "object", "Ｏbject", 1, -1, 1)
    Str = Replace(Str, "applet", "ａpplet", 1, -1, 0)
    Str = Replace(Str, "APPLET", "ＡPPLET", 1, -1, 0)
    Str = Replace(Str, "Applet", "Ａpplet", 1, -1, 0)
    Str = Replace(Str, "applet", "Ａpplet", 1, -1, 1)
    ' Full-width brackets and equals sign, single quotes removed outright
    Str = Replace(Str, "[", "［")
    Str = Replace(Str, "]", "］")
    Str = Replace(Str, "=", "＝", 1, -1, 1)
    Str = Replace(Str, "'", "", 1, -1, 1)
    ' SQL keywords, case-insensitive, first letter swapped for its full-width form
    Str = Replace(Str, "select", "ｓelect", 1, -1, 1)
    Str = Replace(Str, "execute", "ｅxecute", 1, -1, 1)
    Str = Replace(Str, "exec", "ｅxec", 1, -1, 1)
    Str = Replace(Str, "join", "ｊoin", 1, -1, 1)
    Str = Replace(Str, "union", "ｕnion", 1, -1, 1)
    Str = Replace(Str, "where", "ｗhere", 1, -1, 1)
    Str = Replace(Str, "insert", "ｉnsert", 1, -1, 1)
    Str = Replace(Str, "delete", "ｄelete", 1, -1, 1)
    Str = Replace(Str, "update", "ｕpdate", 1, -1, 1)
    Str = Replace(Str, "like", "ｌike", 1, -1, 1)
    Str = Replace(Str, "drop", "ｄrop", 1, -1, 1)
    Str = Replace(Str, "create", "ｃreate", 1, -1, 1)
    Str = Replace(Str, "rename", "ｒename", 1, -1, 1)
    Str = Replace(Str, "count", "ｃount", 1, -1, 1)
    Str = Replace(Str, "chr", "ｃhr", 1, -1, 1)
    Str = Replace(Str, "mid", "ｍid", 1, -1, 1)
    Str = Replace(Str, "truncate", "ｔruncate", 1, -1, 1)
    Str = Replace(Str, "nchar", "ｎchar", 1, -1, 1)
    Str = Replace(Str, "char", "ｃhar", 1, -1, 1)
    Str = Replace(Str, "alter", "ａlter", 1, -1, 1)
    Str = Replace(Str, "cast", "ｃast", 1, -1, 1)
    Str = Replace(Str, "exists", "ｅxists", 1, -1, 1)
    ' Remove line breaks
    Str = Replace(Str, VbCrlf, "", 1, -1, 1)
    ' The search string of this line was lost in extraction; as written it is a no-op
    Str = Replace(Str, "", "", 1, -1, 1)
    ChkStr = Str
End Function
Usage:
When updating data: rs("字段") = ChkStr(Trim(Request.Form("表单参数")))
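A keyword blacklist like the one above also rewrites legitimate input (a surname containing "mid", a street named "Union") and is easy to circumvent, so as an added example that is not part of the original post, here is the same kind of update done with a parameterized ADODB.Command plus output encoding via Server.HTMLEncode. The connection object conn, the Users table and the field names are assumptions.

```vbscript
<%
' Added example (not from the original post). Assumptions: an open
' ADODB.Connection named conn, a table Users(Id, Nickname), a form field
' "nickname" and a query-string parameter "id" - all hypothetical.

' Update a row with a parameterized command so the input is never
' concatenated into the SQL text and needs no keyword mangling.
Function UpdateNickname(conn, userId, nickname)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "UPDATE Users SET Nickname = ? WHERE Id = ?"
    cmd.CommandType = 1   ' adCmdText
    ' CreateParameter(name, type, direction, size, value):
    ' adVarWChar = 202, adInteger = 3, adParamInput = 1
    cmd.Parameters.Append cmd.CreateParameter("@nick", 202, 1, 50, nickname)
    cmd.Parameters.Append cmd.CreateParameter("@id", 3, 1, 4, CLng(userId))
    cmd.Execute
    Set cmd = Nothing
End Function

' Read two of the entry points the post lists and validate by type and
' length, rejecting bad input instead of trying to rewrite it.
Dim nick, id
nick = Trim(Request.Form("nickname"))
id = Request.QueryString("id")
If Len(nick) = 0 Or Len(nick) > 50 Or Not IsNumeric(id) Then
    Response.Write "Invalid input"
    Response.End
End If
UpdateNickname conn, id, nick

' Encode at output time, when the value goes back into HTML, so "<" and
' quotes render literally without altering what is stored.
Response.Write "Saved nickname: " & Server.HTMLEncode(nick)
%>
```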
Of course, as for the products of today's domestic CRM vendors, they are called CRM, but at least from my own analysis they are at most a large purchase-sales-inventory system; my understanding is still shallow and I don't dare to review them in detail, so I'll only raise technical issues here.