需要有关表单数据到SQL注入的帮助 [英] Need Help with Form Data to SQL Injection

问题描述

你好



我以前从未做过这样的代码（我是网页设计师）。



我们在网站上有一个经销商请求表格，经销商可以在那里放置名称，联系信息，经销商帐户＃等。



目前 - 当填写并提交此表单时，所有发生的情况是我收到一封包含该信息的电子邮件，然后我手动将其输入到SQL数据库中。



我在线学习了一个教程，但每次点击提交时，我都会收到500内部服务器错误。这是当前的form_ac.asp（我明显删除了登录凭据）：

Hello

I have never done any code like this before (I am a web designer).

We have a ''dealer request'' form on out website, where ''dealers'' can put in there Name, Contact Info, Dealer Account #, etc.

Currently - when this form is filled out and submitted, all that happens is that I get an email with that information, and then I manually input it into the SQL database.

I followed a tutorial online, but each time I hit the ''submit'', I just get a 500 Internal Server error. Here is the current form_ac.asp (I removed the login credentials obviously):

<%
'' Declaring variables
Dim first, last, account, email, state, comments, data_source, con, sql_insert

'' A Function to check if some field entered by user is empty
Function ChkString(string)
	ChkString = Replace( Trim(string) , "''", "''''")
End Function

'' Receiving values from Form
first = ChkString(Request.Form("first"))
last = ChkString(Request.Form("last"))
dealer = ChkString(Request.Form("dealer"))
account = ChkString(Request.Form("account"))
email = ChkString(Request.Form("email"))
state = ChkString(Request.Form("state"))
phone_area = ChkString(Request.Form("phone_area"))
data_source = Server=SERVERNAME; Database=DB NAME;User Id=USERID;Password=PASSWORD; 
sql_insert = "insert into users (first, last, dealer, account, email, state, phone_area) values (''" & _
                first & "'',''" last & "'',''" & dealer & "'', ''" & account & "'', ''" & email & "'', ''" & state & "'', ''" & phone_area & "'')"


'' Creating Connection Object and opening the database
Set con = Server.CreateObject("ADODB.Connection")
con.Open data_source
con.Execute sql_insert

'' Done. Close the connection
con.Close
Set con = Nothing
%>

任何建议，建议或指导将不胜感激。

Any advice, suggestions or guidance would be greatly appreciated.

推荐答案

这是asp。不是asp.net。 asp已经淘汰了十年。如果可以的话，你应该避免使用它。当然，您的代码对SQL注入是开放的，需要修复。最简单的方法是使用存储过程。

This is asp. Not asp.net. asp has been obsolete for a decade. You should avoid using it, if you can. Of course, your code is open to SQL injection and needs to be fixed. The easiest way to do that, is to use a stored proc.

嘿基督徒，



感谢您的快速回复！好吧，我相信我会更好地采用另一种方法来完成这项工作。你有任何（更好的）建议吗？



谢谢，

-J

Hey Christian,

Thanks for the quick reply! Ok, I believe it would be better for me to pursue another method to complete this. Do you have any (better) recommendations to accomplish this?

Thanks,
-J

嗨那里，



最好的方法是使用命令参数，之后任何用户都会传递任何sql注入:)



见以下链接



http://msdn.microsoft.com/en-us/library/windows/desktop/ms675869(v = vs.85）.aspx [ ^ ]



如果您有任何疑问，请告诉我

Hi there,

the best way is use command parameters, any user would pass any sql injection after that :)

see below link

http://msdn.microsoft.com/en-us/library/windows/desktop/ms675869(v=vs.85).aspx[^]

let me know if you have any query

这篇关于需要有关表单数据到SQL注入的帮助的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！