I've been asked to look at some classic ASP code, which is fine. The problem is that he is testing for SQL injection vulnerabilities with a Firefox add-on called SQL Inject Me (SIM). It injects 306 errors. He wants to be able to run it without getting those errors.
I started with...
function scrub() {
    // The field is Jobtitle; the original variable names said "lastname"
    var field = document.getElementById("Jobtitle");
    // A string pattern in replace() only replaces the first occurrence
    var newValue = field.value.replace(";", " ").replace("=", " ").replace(' " " ', " ").replace("'", " ");
    // Write the result back (the original stored it in a local and never used it)
    field.value = newValue;
}
which would be triggered on the Submit button click. I'm not sure whether it will clear the errors.
I read what the Firefox add-on is doing, which is...
"The tool sends database escape strings through the form fields. It then looks for database error messages in the HTML rendered to the page."
Before I go any further and then find out there's an easier way, does anyone have a good idea how to solve this? I did find this link useful, until I realized it was about PHP rather than JavaScript or ASP. Looked at this
Answer 0 (score: 0)
Parameterized query producing the rsInvoices RecordSet
<%
Dim rsInvoices
Dim rsInvoices_cmd
Dim rsInvoices_numRows
Set rsInvoices_cmd = Server.CreateObject("ADODB.Command")
rsInvoices_cmd.ActiveConnection = MM_connection_STRING
' The SQL text is fixed; the two ? placeholders are bound below, so request
' values never become part of the statement
rsInvoices_cmd.CommandText = "SELECT * FROM saleman.GetInvoices(?,?)"
rsInvoices_cmd.CommandType = 1 ' adCmdText
rsInvoices_cmd.Prepared = true
rsInvoices_cmd.Parameters.Append rsInvoices_cmd.CreateParameter("param1", 135, 1, -1, rsInvoices__MM_day)  ' adDBTimeStamp, adParamInput
rsInvoices_cmd.Parameters.Append rsInvoices_cmd.CreateParameter("param2", 200, 1, 255, rsInvoices__MM_plan) ' adVarChar, adParamInput
Set rsInvoices = rsInvoices_cmd.Execute
%>
where
<%
Dim rsInvoices__MM_day
rsInvoices__MM_day = "1.2.2014"
If (Request("DayOfReport") <> "") Then
rsInvoices__MM_day = Request("DayOfReport")
End If
%>
<%
Dim rsInvoices__MM_plan
rsInvoices__MM_plan = "plan"
If (Request("type") <> "") Then
    rsInvoices__MM_plan = REPLACE(Request("type"), "'", "''")
    ' This excludes '-injection
    ' You can write a function to check for other types of SQL injection
    ' Keep in mind that the ' sign can be encoded in several ways
    ' Note: because the value is bound as a parameter above, the doubled quote
    ' reaches GetInvoices as data, so a type that really contains ' will not match
End If
%>
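The following is an added example, not code from the question or the answer, that puts both posts side by side in runnable form: the questioner's client-side scrub() replicated in Python, a concatenated query of the kind SQL Inject Me detects, and the answer's parameterized query (here sqlite3 placeholders standing in for the ADODB.Command parameters). The invoices table, its columns and the sample rows are constructed for the demo; the page only shows the saleman.GetInvoices(?,?) call.

```python
import sqlite3

# Constructed sample rows standing in for what saleman.GetInvoices(day, type)
# would return on the original page; table and column names are assumptions.
INVOICES = [
    ("2014-02-01", "plan", 100),
    ("2014-02-01", "actual", 250),
    ("2014-02-01", "ad'hoc", 50),
    ("2014-02-02", "plan", 300),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices(day TEXT, type TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", INVOICES)
    return conn


def get_invoices_concat(conn, day, inv_type):
    """Vulnerable form: request values pasted into the SQL text.
    This is what SQL Inject Me finds: a stray quote breaks the statement
    and the database error shows up in the rendered page."""
    sql = ("SELECT day, type, amount FROM invoices "
           "WHERE day = '%s' AND type = '%s'" % (day, inv_type))
    return conn.execute(sql).fetchall()


def get_invoices_param(conn, day, inv_type):
    """Safe form, the equivalent of the answer's ADODB.Command with
    CreateParameter: the SQL text is fixed, the values travel separately."""
    sql = "SELECT day, type, amount FROM invoices WHERE day = ? AND type = ?"
    return conn.execute(sql, (day, inv_type)).fetchall()


def js_scrub(value):
    """Replica of the question's scrub(). JavaScript's String.replace with a
    string pattern replaces only the first match, hence count=1."""
    value = value.replace(";", " ", 1)
    value = value.replace("=", " ", 1)
    value = value.replace(' " " ', " ", 1)
    value = value.replace("'", " ", 1)
    return value


def raises_db_error(fn):
    """True if the query fails with a database error (what SIM counts)."""
    try:
        fn()
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    conn = make_db()
    day = "2014-02-01"
    out = {}
    # Ordinary input: both forms agree.
    out["normal_concat"] = get_invoices_concat(conn, day, "plan")
    out["normal_param"] = get_invoices_param(conn, day, "plan")
    # Tautology payload: concatenation returns every row; the bound
    # parameter is compared literally and matches nothing.
    payload = "' OR '1'='1"
    out["tautology_concat"] = len(get_invoices_concat(conn, day, payload))
    out["tautology_param"] = len(get_invoices_param(conn, day, payload))
    # A lone quote, the simplest probe: concatenation throws the DB error
    # SIM looks for; the parameterized query just finds no such type.
    out["quote_concat_error"] = raises_db_error(lambda: get_invoices_concat(conn, day, "'"))
    out["quote_param"] = len(get_invoices_param(conn, day, "'"))
    # The client-side scrub strips only the first quote, so a payload with
    # two quotes still breaks the concatenated statement (and SIM never runs
    # the page's JavaScript anyway; it posts straight to the server).
    scrubbed = js_scrub("x' OR '1'='1")
    out["scrubbed_value"] = scrubbed
    out["scrub_concat_error"] = raises_db_error(lambda: get_invoices_concat(conn, day, scrubbed))
    # Doubling quotes on top of a bound parameter (the answer's REPLACE)
    # alters the data: a type that really contains ' no longer matches.
    out["apostrophe_param"] = len(get_invoices_param(conn, day, "ad'hoc"))
    out["apostrophe_double_escaped"] = len(get_invoices_param(conn, day, "ad'hoc".replace("'", "''")))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The takeaway matches the answer: once the values are bound as parameters, the SIM probes stop producing database errors without any character stripping, and stripping or doubling quotes on top of that only corrupts legitimate input.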