
我的网站遭受 SQL 注入攻击。我的 Web 开发人员拒绝承认参数化查询,说他的转义脚本就足够了。有人可以通过展示如何将以下用经典 asp 编写的查询转换为参数化查询来提供帮助吗?

' The INSERT is assembled by string concatenation: every value below is
' spliced straight into the SQL text, so the statement is only as safe as
' whatever cleanuptext happens to strip. Server.HTMLEncode is an HTML output
' encoder and does not deal with SQL quoting, and the two session values
' are concatenated with no escaping at all. The parameterized form replaces
' each quoted value with a ? placeholder and binds one ADODB.Parameter per
' column, so the text can never change the shape of the statement.
conn.Execute "insert into tblGROUPcomments ([thecomment], [date_of_entry], [groupid], [submittedby]) " _
            & "values ('" _
            & Server.HTMLEncode(cleanuptext(request.form("txtcomments"))) & _
            "','" & FormatMediumDate(date()) & _
            "','" & session("groupid") & _
            "','" & session("userid") & "')"
            ' Clear the form state kept in the session after the insert.
            session("errmessageT") = ""
            session("varcommentT") = ""
    ' NOTE(review): the trailing & "#comments" is outside the Redirect
    ' argument list, so the fragment is not part of the URL (as written this
    ' should not even parse); the intended form is
    ' response.redirect("../showallcommentsGROUPS.asp?gid=" & session("groupid") & "#comments")
    response.redirect("../showallcommentsGROUPS.asp?gid=" & session("groupid")) & "#comments"   



首先创建如下命令对象

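 ' Parameterized version of the INSERT: the SQL text holds only ? placeholders
 ' and the values travel as ADODB.Parameter objects, so nothing typed into
 ' txtcomments can alter the statement. Only two columns are shown; add one
 ' placeholder and one CreateParameter/Append pair per extra column.
 ' ADO type codes are written as numbers because adovbs.inc is not included
 ' on this page: 202 = adVarWChar, 1 = adParamInput.
 Dim cmd, SQL, newParameter
 Set cmd = Server.CreateObject("ADODB.Command")
 ' Reuse the previously opened connection object instead of opening a new one.
 Set cmd.ActiveConnection = connContent
 SQL = "insert into tblGROUPcomments ([thecomment], [date_of_entry]) values (?, ?)"
 cmd.CommandText = SQL

 ' CreateParameter(Name, Type, Direction, Size, Value): Size is the declared
 ' length and Value is the data. Parameters bind to the ? markers by position,
 ' so the names are labels only. The sizes below are sample values; match
 ' them to the real column widths.
 Set newParameter = cmd.CreateParameter("thecomment", 202, 1, 4000, _
     Server.HTMLEncode(cleanuptext(request.form("txtcomments"))))
 cmd.Parameters.Append newParameter

 ' The original query concatenates FormatMediumDate(date()) as text, so it is
 ' bound as text here. If date_of_entry is a datetime column, use type 7
 ' (adDate) or 135 (adDBTimeStamp) and pass date() directly instead.
 Set newParameter = cmd.CreateParameter("date_of_entry", 202, 1, 50, _
     FormatMediumDate(date()))
 cmd.Parameters.Append newParameter

 cmd.Execute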

我在查询中只使用了 2 列(thecomment 和 date_of_entry)。只需在 newParameter 中修改对应的列类型即可。可能存在语法问题,我想您可以轻松解决。如果在完成参数化查询后出现任何错误,请再联系我。希望这能给您一个起点。

于 2013-02-12T15:14:31.007 回答
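    ' Parameterized INSERT: each VALUES slot is a ? placeholder that ADO fills
    ' from the Parameters collection in append order, so the comment text never
    ' becomes part of the SQL statement. ADO type codes are given as numbers
    ' (203 = adLongVarWChar, 135 = adDBTimeStamp, 5 = adDouble, 1 = adParamInput)
    ' because adovbs.inc is not included here.
    Dim maxCommentSize, comments, cmdAdd

    ' 2^30-1 characters, the ntext limit in SQL Server; the comment is cut to
    ' that length rather than letting the insert fail on an oversized value.
    maxCommentSize=1073741823
    comments=Server.HTMLEncode(cleanuptext(request.form("txtcomments")))
    comments=left(comments,maxCommentSize)

    Set cmdAdd = Server.CreateObject ("ADODB.Command")
    ' Assigning a connection string makes ADO open a connection for this
    ' command; it is closed explicitly after Execute below.
    cmdAdd.ActiveConnection = connection_string
    cmdAdd.CommandText = "INSERT INTO tblGROUPcomments ([thecomment], [date_of_entry], [groupid], [submittedby]) VALUES (?, ?, ?, ?)"
    cmdAdd.Prepared = true
    ' CreateParameter(Name, Type, Direction, Size, Value). Binding is
    ' positional, so the names are labels only, but they must be distinct so
    ' that cmdAdd.Parameters("...") stays unambiguous.
    cmdAdd.Parameters.Append cmdAdd.CreateParameter("thecomment", 203, 1, maxCommentSize, comments)
    ' NOTE(review): a formatted string is bound to a timestamp parameter. If
    ' date_of_entry is a datetime column pass date() directly; if it is a text
    ' column use type 202 (adVarWChar) with a size instead.
    cmdAdd.Parameters.Append cmdAdd.CreateParameter("date_of_entry", 135, 1, -1, FormatMediumDate(date()))
    ' NOTE(review): type 5 (adDouble) assumes numeric group and user ids; use
    ' 202 (adVarWChar) with a size if those columns hold text.
    cmdAdd.Parameters.Append cmdAdd.CreateParameter("groupid", 5, 1, -1, session("groupid"))
    cmdAdd.Parameters.Append cmdAdd.CreateParameter("submittedby", 5, 1, -1, session("userid"))
    cmdAdd.Execute
    cmdAdd.ActiveConnection.Close

    ' Clear the form state kept in the session once the insert succeeded.
    session("errmessageT") = ""
    session("varcommentT") = ""
    ' The #comments fragment belongs inside the redirect URL argument.
    response.redirect("../showallcommentsGROUPS.asp?gid=" & session("groupid") & "#comments")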
于 2013-02-17T04:43:23.823 回答