How do I prevent SQL injection?

Time: 2015-06-21 16:18:10

Tags: sql sql-server database asp-classic sql-injection

I have the following code, which prompts the user to enter a username and password in a form. The username and password are checked against a database, and if the user logs in correctly it is possible to inject SQL code easily by entering the following:

UserName = 'x' and UserPwd = 'x' or 'x'

Can someone help me modify the code to prevent SQL injection? Here is the code:

<%@LANGUAGE=Jscript%>

<%
   // ----- GLOBALS DECLARATIONS ----------------------------------------------------------------------------

   var CKEDir     = "ckeditor/";
   var DB         = Server.MapPath("DB/CMS.MDB");



   // ----- GENERAL PURPOSE FUNCTIONS -----------------------------------------------------------------------

   // Uses regular expressions to change all single quotes in a string to the HTML
   // entity &#39; and replaces all carriage return and newline characters to spaces.
   // This ensures that the string can be incorporated in a SQL statement.

   function cleanString(s) {
      s = s.replace(/'/g, "&#39;"); // SO syntax fix ' 
      s = s.replace(/[\r\n]/g,' ');
      return s;
   }



   // ----- DATABASE FUNCTIONS ------------------------------------------------------------------------------

   // Creates and opens a connection to the Access database whose path is held in the global DB.

   function getDBConnection() {
      var DBCon = Server.CreateObject("ADODB.Connection");
      var DBasePath = DB;
      var ConStr = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" + DBasePath + ";Persist Security Info=False";
      DBCon.Open(ConStr,"","");
      return DBCon;
    }

    // Increments counter for current page (as identified by global variable PageID) in
    // table Counters, and returns a string indicating number of times page was accessed.

    function getAccess() {
       var msg = '';
       if (PageID) {
          var DBConn = getDBConnection();
          var Td     = new Date();
          var SQL    = "SELECT * FROM Counters WHERE PageID=" + PageID ;
          var RS     = DBConn.Execute(SQL);

          // Page counter does not yet exist - create it.
          if (RS.Eof)
          {
             var AccessCount=1;
             var AccessSince = new Date();
             SQL="INSERT into Counters ([PageID]) VALUES ("+PageID+")";
          }

          // Page counter exists, increment it.
          else
          {
             var AccessCount=RS("Hits")+1;
             var AccessSince=RS("Created").value;
             SQL="UPDATE Counters SET [Hits]="+AccessCount+" WHERE [PageID]="+PageID;
          }
          RS = DBConn.Execute(SQL);
          DBConn.Close();
          msg = AccessCount + " visits since " + AccessSince;
       }
     return msg;
   }




   // ----- LOGGING IN AND OUT FUNCTIONS --------------------------------------------------------------------


   // Returns true if user is logged in.

   function isLoggedIn() {
      return Session("UserID");
   }


   // Checks given name and password in users database.
   // No validation on the user input is performed, so this function is
   // susceptible to SQL injection attacks.

   function logInUser(name,pwd) {
     var DBConn = getDBConnection();
     var SQL    = "SELECT * FROM Users WHERE UserName = '" + name + "' and UserPwd = '" + pwd + "'";
     var RS     = DBConn.Execute(SQL);
     var valid  = !RS.Eof;
     if (valid) {
       Session("UserID")   = RS("UserID").value;
       Session("UserName") = RS("UserName").value;
       Session("UserFullName") = RS("UserFirstName").value + ' ' + RS("UserLastName").value;
     }
     DBConn.Close(); // call the method; a bare "DBConn.Close;" does not reliably close the connection
     return valid;
   }

   // Logs out current user.

   function logOutUser() {
     Session("UserID") = 0;
   }


   // Returns full name of currently logged in user if any.

   function loggedInUser() {
     var msg = '';
     if (Session("UserID")) msg = Session("UserFullName");
     return msg;
   }


   // Returns true if current user can edit content.
   // Currently allows any authenticated user to edit content.

   function inEditMode() {
     return isLoggedIn();
   }

%>

1 answer:

Answer 0: (score: 0)

Use parameterized queries. They prevent SQL injection.

Click here for more documentation

They will stop the SQL string from being hijacked by malicious input.

Good luck!
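As an added example, not part of the question or the answer above, here is the page's login check rewritten the way the answer suggests: an ADODB.Command with positional parameters, in the same classic ASP JScript the page uses. The ADO constant values, the parameter sizes and the helper names (buildLoginCommand, logInUserSafe, fakeCreateObject, boundValues) are this example's own assumptions; getDBConnection and Server are the page's existing ASP objects.

```javascript
// Added example (not the asker's or the answerer's code): the page's login
// check rewritten with an ADODB.Command and '?' placeholders.
// Assumed ADO constants (values as defined in adovbs.inc):
var adCmdText = 1, adParamInput = 1, adVarWChar = 202;

// Builds the parameterized command. createObject wraps Server.CreateObject and is
// injected so the builder can also be run outside IIS with a stub (fakeCreateObject).
function buildLoginCommand(DBConn, name, pwd, createObject) {
  var cmd = createObject("ADODB.Command");
  cmd.ActiveConnection = DBConn;
  cmd.CommandType = adCmdText;
  // The SQL text is a constant; user input never becomes part of it.
  cmd.CommandText = "SELECT * FROM Users WHERE UserName = ? AND UserPwd = ?";
  // The Jet OLE DB provider binds '?' placeholders by position, so append in order.
  cmd.Parameters.Append(cmd.CreateParameter("UserName", adVarWChar, adParamInput, 255, name));
  cmd.Parameters.Append(cmd.CreateParameter("UserPwd", adVarWChar, adParamInput, 255, pwd));
  return cmd;
}

// Replacement for the page's logInUser. getDBConnection and Server are the classic
// ASP objects already used on the page; set the Session values as logInUser does.
function logInUserSafe(name, pwd) {
  var DBConn = getDBConnection();
  var cmd = buildLoginCommand(DBConn, name, pwd, function (progId) { return Server.CreateObject(progId); });
  var RS = cmd.Execute();
  var valid = !RS.Eof;
  DBConn.Close();
  return valid;
}

// Constructed stand-in for ADODB.Command, used only to show what gets bound.
function fakeCreateObject(progId) {
  return {
    Parameters: { items: [], Append: function (p) { this.items.push(p); } },
    CreateParameter: function (n, t, d, s, v) { return { Name: n, Type: t, Direction: d, Size: s, Value: v }; }
  };
}

// Returns the SQL text and the bound values for a given input; with the
// "x' or 'x'='x" style input from the question, the quote stays inside the value.
function boundValues(name, pwd) {
  var cmd = buildLoginCommand(null, name, pwd, fakeCreateObject);
  return { sql: cmd.CommandText, values: [cmd.Parameters.items[0].Value, cmd.Parameters.items[1].Value] };
}
```

The cleanString helper on the page is then no longer needed for the query: the driver binds the values, so a quote in the username is compared literally rather than parsed as SQL.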