分享：SQL Server注入检测函数

   今天在论坛里看有SQL注入问题相关的贴子，分享一个简单的，基于T-SQL实现的注入检测函数。

01CREATEFUNCTION [dbo].[fn_CheckSQLInjection]

02(

03@Col nvarchar(4000)

04)

05RETURNSBIT --如果存在可能的注入字符返回true,反之返回false

06AS

07BEGIN

08DECLARE<a href="http://home.51cto.com/index.php?s=/space/1149108"target="_blank">@result</a>bit;

09IF

10UPPER(@Col)LIKEUPPER(N'%0x%')

11ORUPPER(@Col)LIKEUPPER(N'%;%')

12ORUPPER(@Col)LIKEUPPER(N'%''%')

13ORUPPER(@Col)LIKEUPPER(N'%--%')

14ORUPPER(@Col)LIKEUPPER(N'%/*%*/%')

15ORUPPER(@Col)LIKEUPPER(N'%EXEC%')

16ORUPPER(@Col)LIKEUPPER(N'%xp_%')

17ORUPPER(@Col)LIKEUPPER(N'%sp_%')

18ORUPPER(@Col)LIKEUPPER(N'%SELECT%')

19ORUPPER(@Col)LIKEUPPER(N'%INSERT%')

20ORUPPER(@Col)LIKEUPPER(N'%UPDATE%')

21ORUPPER(@Col)LIKEUPPER(N'%DELETE%')

22ORUPPER(@Col)LIKEUPPER(N'%TRUNCATE%')

23ORUPPER(@Col)LIKEUPPER(N'%CREATE%')

24ORUPPER(@Col)LIKEUPPER(N'%ALTER%')

25ORUPPER(@Col)LIKEUPPER(N'%DROP%')

26SET@result=1

27ELSE

28SET@result=0

29return<a href="http://home.51cto.com/index.php?s=/space/1149108"target="_blank">@result</a>

30END

31GO