Board: Visual_Basic
Since I have to write it myself, I later looked up some of the patterns that are more likely to show up in SQL injection and turned them into a function. The code is below; could everyone please help check it and tell me where it needs to be changed. Thanks.

    Public Function UnInjection(ByVal chkWord As String) As String
        ' Numeric input is returned as-is, without any escaping
        If IsNumeric(chkWord) Then Return chkWord
        chkWord = chkWord.Trim()
        ' Double each single quote so the value stays inside its string literal.
        ' The remaining rewrites assume the result is spliced into a single-quoted
        ' literal in T-SQL, where '+CHAR(n)+' concatenates the character back in.
        chkWord = Replace(chkWord, "'", "''")
        ' Parentheses: the placeholder keeps the second Replace from matching
        ' the "(" that the ")" rewrite itself inserts
        chkWord = Replace(chkWord, "(", "**CHAR40**")
        chkWord = Replace(chkWord, ")", "'+CHAR(41)+'")
        chkWord = Replace(chkWord, "**CHAR40**", "'+CHAR(40)+'")
        ' The four case variants of " or "
        chkWord = Replace(chkWord, " or ", " '+CHAR(111)+CHAR(114)+' ")
        chkWord = Replace(chkWord, " Or ", " '+CHAR(79)+CHAR(114)+' ")
        chkWord = Replace(chkWord, " OR ", " '+CHAR(79)+CHAR(82)+' ")
        chkWord = Replace(chkWord, " oR ", " '+CHAR(111)+CHAR(82)+' ")
        ' Comment marker and statement separator
        chkWord = Replace(chkWord, "--", "'+CHAR(45)+CHAR(45)+'")
        chkWord = Replace(chkWord, ";", "'+CHAR(59)+'")
        Return chkWord
    End Function

--
※ Posted from: 批踢踢實業坊 (ptt.cc)
◆ From: 210.64.14.87
shqpaxson: Wouldn't it be enough to just pass the values as SQL parameters... @@ 04/29 13:10
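The parameterized approach the reply points to, as an added example that is not code from the original post: the lookups use typed SqlCommand parameters instead of the escaping function, and the module name, the function names and the Users table are assumptions.

```vb
' Added example, not code from the original post. Assumes the .NET
' System.Data.SqlClient provider and a hypothetical table
' Users(UserId INT, Username NVARCHAR(50)); neither appears in the thread.
Imports System.Data
Imports System.Data.SqlClient

Public Module UserLookup

    ' Looks up a user by name with a parameterized query. The SQL text is a
    ' fixed string; the name travels to the server as a typed parameter, so
    ' quotes, parentheses, "OR", "--" or ";" inside it are plain data and the
    ' Replace chain from the posted UnInjection function is not needed.
    Public Function FindUserId(ByVal connectionString As String, _
                               ByVal userName As String) As Nullable(Of Integer)
        Const Sql As String = "SELECT UserId FROM Users WHERE Username = @name"
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand(Sql, conn)
                ' Declare type and size explicitly so the parameter looks the same
                ' on every call; SqlClient cuts a longer value to the declared size,
                ' so check the length in the caller if that matters.
                cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = userName
                conn.Open()
                Dim result As Object = cmd.ExecuteScalar()
                If result Is Nothing OrElse result Is DBNull.Value Then Return Nothing
                Return CInt(result)
            End Using
        End Using
    End Function

    ' A numeric parameter: the caller passes an Integer, so the IsNumeric
    ' shortcut in the posted function (which returns numeric-looking text
    ' unescaped) has no counterpart here; a non-number cannot reach the query.
    Public Function FindUserName(ByVal connectionString As String, _
                                 ByVal userId As Integer) As String
        Const Sql As String = "SELECT Username FROM Users WHERE UserId = @id"
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand(Sql, conn)
                cmd.Parameters.Add("@id", SqlDbType.Int).Value = userId
                conn.Open()
                Dim result As Object = cmd.ExecuteScalar()
                If result Is Nothing OrElse result Is DBNull.Value Then Return Nothing
                Return CStr(result)
            End Using
        End Using
    End Function

End Module
```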