如何修复SQL Inject Me测试结果

时间:2015-02-11 02:22:23

标签: javascript asp-classic sql-injection

我被要求查看一些经典的ASP代码,这很好。但是遇到的问题是他正在使用名为Sql Inject Me(SIM)的FireFox插件测试SQL注入漏洞。 它注入了306个错误。他希望能够运行它而不会出现这些错误。

我开始......

function scrub() {
        var oldLastname = document.getElementById("Jobtitle").value;

        var newLastName = oldLastname.replace(";", " ").replace("="," ").replace(' " " ', " ").replace("'"," ");
    }

将在“提交”按钮单击时触发。我不确定是否会清除错误

我读过FireFoxes插件正在做什么,那就是......

  

“该工具通过表单字段发送数据库转义字符串。然后查找输出到页面呈现的HTML中的数据库错误消息。”

在我走得更远然后发现有一种更简单的方法之前,有什么好主意可以解决这个问题?我确实发现这个链接有用,直到我意识到这是关于PHP而不是JavaScript或ASP。 Looked at this

1 个答案:

答案 0 :(得分:0)

参数化查询产生rsInvoices RecordSet

<%
Dim rsInvoices
Dim rsInvoices_cmd
Dim rsInvoices_numRows

Set rsInvoices_cmd = Server.CreateObject ("ADODB.Command")
rsInvoices_cmd.ActiveConnection = MM_connection_STRING
rsInvoices_cmd.CommandText = "SELECT * FROM saleman.GetInvoices(?,?)" 
rsInvoices_cmd.CommandType = 1
rsInvoices_cmd.Prepared = true
rsInvoices_cmd.Parameters.Append rsInvoices_cmd.CreateParameter("param1", 135, 1, -1, rsInvoices__MM_day) '' adDBTimeStamp
rsInvoices_cmd.Parameters.Append rsInvoices_cmd.CreateParameter("param2", 200, 1, 255, rsInvoices__MM_plan) '' adVarChar

Set rsInvoices = rsInvoices_cmd.Execute
%>

其中

<%
Dim rsInvoices__MM_day
rsInvoices__MM_day = "1.2.2014"
If (Request("DayOfReport") <> "") Then 
  rsInvoices__MM_day = Request("DayOfReport")
End If
%>
<%
Dim rsInvoices__MM_plan
rsInvoices__MM_plan = "plan"
If (Request("type") <> "") Then 
  rsInvoices__MM_plan = REPLACE(Request("type"),"'","''")
  ''  This excludes '-injection
  ''  U can write function to check for other types of SQL-Inj
  ''  take in mind that ' sign can be coded in some ways 
End If
%>