如何将此查询转换为经典ASP中的参数化查询?

时间:2013-02-12 14:42:47

标签: sql sql-server-2008 asp-classic

我的网站遭受了SQL注入攻击。我的Web开发人员拒绝承认这一点，声称他的转义脚本已经足够（但HTML编码或自定义的字符串"清理"并不能防止SQL注入，只有参数化查询才能把数据与SQL文本分开）。有人能演示一下如何将下面这段用经典ASP编写的查询改写为参数化查询吗？

' NOTE(review): this INSERT is built by string concatenation, so every value
' below is spliced into the SQL text itself.  Server.HTMLEncode and the custom
' cleanuptext() helper are HTML/presentation filters, not SQL escaping, and
' the surrounding single quotes give no protection: a quote inside the comment
' ends the literal and the rest is executed as SQL.  This is the injection
' vector the question reports.  The fix is an ADODB.Command with ?
' placeholders and CreateParameter (see the answers), not more escaping.
conn.Execute "insert into tblGROUPcomments ([thecomment], [date_of_entry], [groupid], [submittedby]) " _
            & "values ('" _
            & Server.HTMLEncode(cleanuptext(request.form("txtcomments"))) & _
            "','" & FormatMediumDate(date()) & _
            "','" & session("groupid") & _
            "','" & session("userid") & "')"
            ' Reset the comment form's per-session error/draft state.
            session("errmessageT") = ""
            session("varcommentT") = ""
    ' NOTE(review): the trailing & "#comments" appears to rely on VBScript
    ' parsing ("...") & "#comments" as one argument expression; clearer to
    ' drop the parentheses.  If session("groupid") is not a plain integer,
    ' pass it through Server.URLEncode before placing it in the URL.
    response.redirect("../showallcommentsGROUPS.asp?gid=" & session("groupid")) & "#comments"   

2 个答案:

答案 0 :(得分:1)

首先创建命令对象,如下所示

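 ' Parameterized version of the INSERT: the values are sent to the server
 ' separately from the SQL text, so quotes or keywords inside the comment
 ' cannot change the statement.  ADO type codes are written as literals
 ' (adovbs.inc names in comments) so this works whether or not that include
 ' is present and does not redefine its constants.
 Dim cmd, SQL, newParameter
 Set cmd = Server.CreateObject("ADODB.Command")
 ' Reuse the connection the page already opened (named conn in the question);
 ' Set is required because this assigns an object, not a connection string.
 Set cmd.ActiveConnection = conn
 SQL = "insert into tblGROUPcomments ([thecomment], [date_of_entry]) values (?, ?)"
 cmd.CommandText = SQL
 cmd.CommandType = 1   ' adCmdText

 ' CreateParameter(Name, Type, Direction, Size, Value): the value is the LAST
 ' argument and Size is the maximum length for variable-width types.  The
 ' HTMLEncode/cleanuptext wrappers are kept only because the original stored
 ' the comment HTML-encoded; they are not what prevents injection here.
 ' 202 = adVarWChar, 1 = adParamInput.  Raise 4000 if the column is wider
 ' (use 203 = adLongVarWChar for nvarchar(max)).
 Set newParameter = cmd.CreateParameter("@thecomment", 202, 1, 4000, _
     Server.HTMLEncode(cleanuptext(request.form("txtcomments"))))
 cmd.Parameters.Append newParameter

 ' The original inserted the formatted date as text, so it is bound as a
 ' string here (200 = adVarChar).  If [date_of_entry] is a datetime column,
 ' bind Date() with type 7 (adDate) instead of a formatted string.
 Set newParameter = cmd.CreateParameter("@date_of_entry", 200, 1, 50, FormatMediumDate(date()))
 cmd.Parameters.Append newParameter

 cmd.Execute , , 128   ' 128 = adExecuteNoRecords: an INSERT returns no rows
 Set cmd = Nothing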

我在查询中只使用了2列（thecomment和date_of_entry）。要加入其余两列（groupid和submittedby），只需在VALUES中再增加对应的?占位符，并按相同顺序各Append一个CreateParameter，参数类型按列的实际类型选择即可。代码可能存在语法问题，我想你能很容易修正。如果在完成参数化查询后遇到任何错误，请再联系。希望这能给你一个起点。

答案 1 :(得分:0)

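    ' Parameterized replacement for the concatenated INSERT.  Every value is
    ' bound as a parameter, so the comment text may contain quotes, semicolons
    ' or SQL keywords without altering the statement.

    ' Upper bound on the comment length; 2^30-1 characters is the nvarchar(max)
    ' limit.  Use a much smaller number if the column has a fixed width.
    maxCommentSize = 1073741823
    comments = Server.HTMLEncode(cleanuptext(request.form("txtcomments")))
    comments = Left(comments, maxCommentSize)

    Set cmdAdd = Server.CreateObject("ADODB.Command")
    ' connection_string is an ADO connection string, so no Set: ADO opens a
    ' connection for the command.  Pass an open Connection object (with Set)
    ' instead if the page already has one.
    cmdAdd.ActiveConnection = connection_string
    cmdAdd.CommandText = "INSERT INTO tblGROUPcomments ([thecomment], [date_of_entry], [groupid], [submittedby]) VALUES (?, ?, ?, ?)"
    cmdAdd.CommandType = 1   ' adCmdText
    cmdAdd.Prepared = True

    ' CreateParameter(Name, Type, Direction, Size, Value).  Type codes are ADO
    ' DataTypeEnum literals (adovbs.inc names in the comments); direction 1 =
    ' adParamInput.  Parameters bind to the ? placeholders in Append order, so
    ' keep this order aligned with the VALUES list and give each a distinct name.
    cmdAdd.Parameters.Append cmdAdd.CreateParameter("thecomment", 203, 1, maxCommentSize, comments)          ' 203 = adLongVarWChar
    ' The original stored FormatMediumDate(date()) as text, so it is bound as a
    ' string; a datetime column should receive Date() with type 7 (adDate).
    cmdAdd.Parameters.Append cmdAdd.CreateParameter("date_of_entry", 200, 1, 50, FormatMediumDate(date()))  ' 200 = adVarChar
    ' Type 5 (adDouble) is kept from the original; use 3 (adInteger) if these
    ' columns are int so no implicit conversion happens on the server.
    cmdAdd.Parameters.Append cmdAdd.CreateParameter("groupid", 5, 1, , session("groupid"))                 ' 5 = adDouble
    cmdAdd.Parameters.Append cmdAdd.CreateParameter("submittedby", 5, 1, , session("userid"))              ' 5 = adDouble
    cmdAdd.Execute , , 128   ' 128 = adExecuteNoRecords: an INSERT returns no rows
    cmdAdd.ActiveConnection.Close
    Set cmdAdd = Nothing

    ' Reset the comment form's per-session error/draft state.
    session("errmessageT") = ""
    session("varcommentT") = ""
    ' Build the whole URL in one expression (no parentheses around the first
    ' term) and URL-encode the session value before placing it in the query.
    response.redirect "../showallcommentsGROUPS.asp?gid=" & Server.URLEncode(session("groupid")) & "#comments"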