How can I make a prepared statement in classic asp that prevents sql injection?

Backend · unresolved · 3 answers · 809 views
旧巷少年郎 2020-12-10 21:25

I have this which works:

sqlString = "SELECT * FROM employees WHERE lastname = '" & last_name & "'"   ' user input is spliced directly into the SQL text
Set cmd = Server.CreateObject("ADODB.Comma

3 answers
  • 2020-12-10 21:30

    Here's a good blog on how to prevent SQL injection using classic ASP.

    http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx

    0 · discussion (0)
  • 2020-12-10 21:34

    Why not use ADO command parameters?

    var oCmd = Server.CreateObject("ADODB.Command");
    oCmd.ActiveConnection = oConn;   // an already-open ADODB.Connection, assumed to exist
    oCmd.CommandText = "SELECT * FROM employees WHERE lastname = ?";
    // CreateParameter(Name, Type, Direction, Size, Value): 202 = adVarWChar, 1 = adParamInput
    oCmd.Parameters.Append(oCmd.CreateParameter(undefined, 202, 1, 50, "last name"));
    var oRs = oCmd.Execute();   // the value travels as bound data, never as part of the SQL text
    
    0 · discussion (0)
  • 2020-12-10 21:52

    The easiest is using stored procedures in SQL and using Commands that way. Otherwise, you have to escape out certain characters being gathered from the Request object, like single quotes and double hyphens, etc.

    0 · discussion (0)
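The second answer's ADO Command parameters and the third answer's stored-procedure route, written out as one complete classic ASP page in VBScript to match the question's own code. This is an added example, not code posted by the question's author or any of the answerers. The connection string in Application("connStr"), the stored procedure dbo.GetEmployeesByLastName and its @lastname parameter are assumptions; the table and column names follow the question.

```vbscript
<%
Option Explicit
' Added example, not code from the question or the answers above.
' Assumptions: Application("connStr") holds a valid OLE DB connection string,
' the table employees(lastname) exists as in the question, and
' dbo.GetEmployeesByLastName is a hypothetical stored procedure with one
' @lastname parameter.
Const adVarWChar = 202        ' Unicode variable-length string
Const adParamInput = 1
Const adCmdText = 1
Const adCmdStoredProc = 4

Dim connStr
connStr = Application("connStr")          ' assumed to be set in global.asa

Dim lastName
lastName = Request.Form("last_name")      ' untrusted input, e.g. "x' OR '1'='1"

' VULNERABLE (the question's approach): the input becomes SQL text, so the
' sample value above turns the WHERE clause into lastname = 'x' OR '1'='1'.
' sqlString = "SELECT * FROM employees WHERE lastname = '" & lastName & "'"

Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connStr

' SAFE 1: parameterized text command. The SQL is a fixed string; the value is
' bound as a typed parameter to the ? placeholder and cannot change the query.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT * FROM employees WHERE lastname = ?"
' Size (50 here) should match the column width; for a text command the
' parameter name is informational, position is what binds it to the ?.
cmd.Parameters.Append cmd.CreateParameter("lastname", adVarWChar, adParamInput, 50, lastName)
cmd.Prepared = True                        ' let the provider prepare the statement once
Set rs = cmd.Execute()
Do Until rs.EOF
    ' Output encoding is a separate concern from injection; shown here for completeness.
    Response.Write Server.HTMLEncode(rs("lastname").Value & "") & "<br>"
    rs.MoveNext
Loop
rs.Close

' SAFE 2: stored procedure (third answer). The same binding rule applies; the
' procedure body itself must not EXEC a string built from @lastname, or the
' injection simply moves from ASP into T-SQL.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "dbo.GetEmployeesByLastName"   ' hypothetical procedure name
cmd.Parameters.Append cmd.CreateParameter("@lastname", adVarWChar, adParamInput, 50, lastName)
Set rs = cmd.Execute()
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("lastname").Value & "") & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

A quick check: submit last_name as x' OR '1'='1 against both versions. The concatenated query returns every employee; either parameterized version returns only rows whose lastname is literally that string, normally none. Hand-escaping quotes and comment markers, the alternative mentioned in the third answer, has to be repeated on every input path and depends on the database's quoting rules, whereas binding parameters makes the characters in the value irrelevant.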