存储过程防止sql注入的方法:
对特殊字符进行过滤,例如:
-- Function: fn_escapecmdshellstring
-- Description: Returns an escaped version of a given string
-- with carets ('^') added in front of all the special
-- command shell symbols.
-- Parameter: @command_string nvarchar(4000)
--
CREATE FUNCTION dbo.fn_escapecmdshellstring (
@command_string nvarchar(4000)) RETURNS nvarchar(4000) AS
BEGIN
DECLARE @escaped_command_string nvarchar(4000),
@curr_char nvarchar(1),
@curr_char_index int
SELECT @escaped_command_string = N'',
@curr_char = N'',
@curr_char_index = 1
WHILE @curr_char_index <= LEN (@command_string)
BEGIN
SELECT @curr_char = SUBSTRING (@command_string, @curr_char_index, 1)
IF @curr_char IN ('%', '<', '>', '|', '&', '(', ')', '^', '"')
BEGIN
SELECT @escaped_command_string = @escaped_command_string + N'^'
END
SELECT @escaped_command_string = @escaped_command_string + @curr_char
SELECT @curr_char_index = @curr_char_index + 1
END
RETURN @escaped_command_string
END
