VBScript 代码从包含 ' 的字符串中断 [英] VBScript Code breaking from String containing '

问题描述

我的一个用户在用户名中有一个 '我认为它破坏了登录代码在线上tempPassword=Request.Form("UserPassword")

one of my user has a ' inside the user name and i think that it is breaking the login code on the line tempPassword=Request.Form("UserPassword")

if (Request.Form("Action") = "Login") then
    tempUsername=Request.Form("UserName")
    tempPassword=Request.Form("UserPassword")

    if not (tempUserName = "") and not (tempPassword = "") then
        strSQL="SELECT ContactID,Email,Password from Directory WHERE Email='" & tempUsername & "' AND Password='" & tempPassword & "'"
        set rsQuery=cn.execute(strSQL)
        if not (rsQuery.EOF) then
            '-- Login correct, so set session variables
            Session("CBWorkUser") = "Yes"
            Session("CBWorkUserName") = rsQuery("Email")
            Session("CBWorkID") = rsQuery("ContactID")
        end if
        set rsQuery = nothing
    end if
end if

有什么解决方案可以解决这个问题?

what solutions is there to fix this?

推荐答案

不要使用字符串连接来构建 SQL 查询.曾经.您不仅会遇到这样的问题，还会使您容易受到SQL 注入的攻击.改用参数化查询(也称为准备好的语句):

Don't use string concatenation for building SQL queries. Ever. Not only will you encounter problems like this, it will also make you vulnerable to SQL injection. Use parameterized queries (AKA prepared statements) instead:

Set cmd  = CreateObject("ADODB.Command")
cmd.ActiveConnection = cn

Set p1 = cmd.CreateParameter("@email" , 200, 1, 255, tempUsername)
cmd.Parameters.Append p1
Set p2 = cmd.CreateParameter("@password" , 200, 1, 255, tempPassword)
cmd.Parameters.Append p2

cmd.CommandText = "SELECT ContactID,Email,Password FROM Directory " _
  & "WHERE Email=? AND Password=?"

Set rsQuery = cmd.Execute

这篇关于VBScript 代码从包含 ' 的字符串中断的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！