Does this code save me from SQL injection attacks?


Question




Does this code save me from SQL injection attacks or not? Please help me...

<%
dim mcomments
dim musername
dim museradd
dim museremail
dim musertel
dim muserdt
dim data, conn, mytb

' Doubles single quotes so the value can sit inside a '...' literal
Function SqlEncode(str)
  SqlEncode = Replace(str, "'", "''")
End Function

' Escape each form field before it is pasted into the SQL text
mcomments  = SqlEncode(request.form("comments"))
musername  = SqlEncode(request.form("username"))
museradd   = SqlEncode(request.form("useradd"))
museremail = SqlEncode(request.form("useremail"))
musertel   = SqlEncode(request.form("usertel"))
muserdt    = now
%>
<%
set conn = server.createobject("adodb.connection")

' ODBC connection string for the Access database next to this page
mytb = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & server.mappath("tdr.mdb")
conn.Open mytb

Dim mysql
' Build the INSERT statement by string concatenation
' (VBScript needs a space before the continuation underscore: "& _")
mysql = "insert into feedback(comments,username,useradd,useremail,usertel,userdt) " & _
        "values('" & mcomments & "','" & _
        musername & "','" & _
        museradd & "','" & _
        museremail & "','" & _
        musertel & "','" & _
        muserdt & "')"
conn.execute(mysql)
conn.close
set conn = nothing
%>





thanks and regards

Answers

I told you yesterday, more than once: "DO NOT USE CONCATENATION TO CREATE SQL COMMANDS". Use parameters as described in all the SQL documentation, it is the only way to protect yourself.

Until and unless you grasp this simple fact you are leaving your system open to SQL injection, with all the chaos that it can bring.


No. It will not save you from SQL Injection.

Read about protecting from SQL Injection here: SQL Injection Mitigation: Using Parameterized Queries
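Both answers above recommend parameters instead of concatenation. The following is an added example, written by the editor and not part of either answer or the original post, showing the same INSERT from the question rewritten with an ADODB.Command and bound parameters. Quote-doubling only protects a value that is placed inside a quoted literal; it does nothing for a value that lands unquoted (a numeric or date column), and the database stores the original single quote, so any later page that concatenates the stored value back into a query is injectable again. With parameters the driver sends the values separately from the SQL text, so no input can change the statement. The example assumes the feedback table's text columns fit the sizes given (comments as a Memo/long text column, the others as text up to 255 characters) and that userdt is a Date/Time column; the ADO constant values are the standard ones from adovbs.inc.

```vbscript
<%
Option Explicit

' ADO constants (same values as in adovbs.inc)
Const adCmdText      = 1
Const adParamInput   = 1
Const adVarWChar     = 202
Const adLongVarWChar = 203
Const adDate         = 7

Dim conn, cmd, connStr

' Same ODBC connection string as the original page
connStr = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & Server.MapPath("tdr.mdb")

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connStr

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText

' '?' placeholders: the SQL text is fixed and never contains user data
cmd.CommandText = "INSERT INTO feedback (comments, username, useradd, useremail, usertel, userdt) " & _
                  "VALUES (?, ?, ?, ?, ?, ?)"

' Bind the raw form values; no SqlEncode/Replace is needed or used.
' CStr() forces the Request.Form item to a plain string before binding.
' Column sizes below are assumptions about the table, not taken from the post.
cmd.Parameters.Append cmd.CreateParameter("comments",  adLongVarWChar, adParamInput, 65535, CStr(Request.Form("comments")))
cmd.Parameters.Append cmd.CreateParameter("username",  adVarWChar,     adParamInput, 255,   CStr(Request.Form("username")))
cmd.Parameters.Append cmd.CreateParameter("useradd",   adVarWChar,     adParamInput, 255,   CStr(Request.Form("useradd")))
cmd.Parameters.Append cmd.CreateParameter("useremail", adVarWChar,     adParamInput, 255,   CStr(Request.Form("useremail")))
cmd.Parameters.Append cmd.CreateParameter("usertel",   adVarWChar,     adParamInput, 255,   CStr(Request.Form("usertel")))
cmd.Parameters.Append cmd.CreateParameter("userdt",    adDate,         adParamInput, ,      Now)

' Execute the prepared statement; a quote, semicolon or comment marker in
' any field is stored as literal text rather than interpreted as SQL.
cmd.Execute

conn.Close
Set cmd = Nothing
Set conn = Nothing
%>
```

A practitioner would still validate the fields separately (maximum lengths, an email-shaped useremail, digits-only usertel), but that is input validation for data quality; the injection defense is the parameter binding, not any Replace() on the value.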

