在添加内容时,输入单引号是要出错的。于是我把单引号转换成其它字符串,然后就达到不出错的目的了。但是对于注入来说,如果仅仅屏蔽了单引号还能不能用其它方法注入呢?
protected void Button1_Click(object sender, EventArgs e)
{
string strConn = ConfigurationManager.ConnectionStrings["seaConnectionString"].ConnectionString; SqlConnection con = new SqlConnection(strConn); string sql = "insert into news (NewsTitle,NewsContent) values ('" + n_check(this.TextBox1.Text) + "','" + n_check(this.TextBox2.Text) + "')"; SqlCommand cmd = new SqlCommand(sql, con); con.Open(); cmd.ExecuteNonQuery(); con.Close(); Response.Write("OK!");
} private string n_check(string llcbh) { llcbh = llcbh.Replace("'", "^llcbh^"); return llcbh; }