问题
I'm using SQL Server 2005 with classic ASP and on a form repost (I post back to the same page), I replace each text field as follows:
course = trim(replace(request("course"),"'","''"))\
The problem with this is if I have to repost the form multiple times in case of validation errors, the tick marks I replace multiply.
Is there another way to safely vet the string fields without doing this kind of replace?
回答1:
you better use a parametrized query:
dim cmd : set cmd = server.createObject("ADODB.Command")
dim param
dim sql : sql = "INSERT INTO table(course) VALUES (?)"
cmd.ActiveConnection = yourDBconnection
cmd.CommandType = adCmdText
set param = cmd.CreateParameter("course", adVarChar, , 20, request("course"))
cmd.Parameters.Append param
cmd.CommandText = sql
cmd.Execute
so you are completely safe with sql injection
回答2:
Only replace the ' for use in the sql string. (which you should better do with parameterized queries..)
回答3:
The easiest way would be to only do the SQL escaping when you're actually inserting into the database:
course = trim(request("course"))
Make a SafeSQL function:
function SafeSQL(TempStr)
SafeSQL = Replace(TempStr,"'","''")
end function
Then, when you're inserting:
"INSERT INTO table(course) VALUES ('" & SafeSQL(course) & "')"
Disclaimer: I only have a working knowledge of ASP, I don't really know the best practices.
回答4:
you can do this
course = trim(replace(request("course"),"'","&apos ;"))
来源:https://stackoverflow.com/questions/5188216/sql-injection-capturing-on-classic-asp-reposting-form-puts-in-lots-of-ticks