如何在经典 asp 中创建一个准备好的语句来防止 sql 注入? [英] How can I make a prepared statement in classic asp that prevents sql injection?

问题描述

我有这个可行的:

sqlString = "SELECT * FROM employees WHERE lastname = '" & last_name & "'"
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = dbConn
cmd.CommandText = sqlString
cmd.Prepared = True
Set recs = cmd.Execute

我遇到的问题是 sqlString 的动态部分在准备好的语句命令之前.我不认为我上面的东西是在保护我.

The problem I have is that above the dynamic part of sqlString is before the prepared statement command. I don't think what I have above is protecting me.

在执行准备好的语句之前，我不必修复这个 sqlString 吗?读到这里让我想到:准备好的语句如何防止 SQL注入攻击?:

Don't I have to fix this sqlString before I do the prepared statement? Reading this made me think that: How can prepared statements protect from SQL injection attacks?:

虽然在准备好的语句的情况下我们不会改变我们的程序，但它保持不变这就是重点.

"While in case of prepared statements we don't alter our program, it remains intact That's the point.

我们首先将程序发送到服务器

We are sending program to the server first

 $db->prepare("SELECT * FROM users where id=?");

数据被称为占位符"的变量替换然后我们分别发送数据:

where the data is substituted by some variable called "placeholder" and then we're sending the data separately:

 $db->execute($data);

所以，它不会改变我们的程序并造成任何伤害.很简单——不是吗?"

so, it can't alter our program and do any harm. Quite simple - isn't it?"

但我不知道如何使我的查询正确.我也不知道他是怎么从prepare 到$data 的.希望得到指导.谢谢.

But I don't know how to make my query correct. I also don't know how he got from prepare to $data. Was hoping for guidance. Thanks.

推荐答案

为什么不用ADO命令参数?

Why not use ADO command parameters?

var oCmd = Server.CreateObject("ADODB.Command");
oCmd.CommandText = "SELECT * FROM employees WHERE lastname = ?";
oCmd.Parameters.Append(oCmd.CreateParameter(undefined,202, 1, 50,"last name"))//adVarWChar

这篇关于如何在经典 asp 中创建一个准备好的语句来防止 sql 注入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！