针对 SQL 注入的经典 ASP 保护 [英] classic ASP protection against SQL injection
问题描述
我继承了大量当前缺少 SQL 注入保护的经典 ASP 代码,我正在努力解决它.我已经详细检查了这里提供的解决方案:经典 ASP SQL 注入保护在数据库方面,我有一个 Microsoft SQL server 2000 SP4
I've inherited a large amount of Classic ASP code that is currently missing SQL injection protection, and I'm working on it. I've examined in detail the solutions offered here: Classic ASP SQL Injection Protection On the database side, I have a Microsoft SQL server 2000 SP4
不幸的是,存储过程不是一种选择.
Unfortunately stored procedures are not an option.
学习了php的mysql_real_escape_string(http://www.w3schools.com/php/func_mysql_real_escape_string.asp ) ,我已经在 ASP 中复制了它的功能.
After studying php's mysql_real_escape_string ( http://www.w3schools.com/php/func_mysql_real_escape_string.asp ) , I've replicated its functionality in ASP.
我的问题是:
1) Microsoft SQL Server 2000 是否有任何其他特殊字符需要转义,而 MySQL 中不存在( x00 、 、 、 、 ' 、 " 、 x1a )
1) Does Microsoft SQL server 2000 have any other special characters that need to be escaped that are not present in MySQL ( x00 , , , , ' , " , x1a )
2)来自 我可以通过转义单引号和用单引号包围用户输入来防止 SQL 注入吗? 我读到对'引用参数'过程发起攻击的一种方法是使用字符串截断.根据对 MSDN 来说,在 SQL Server 2000 SP4(和 SQL Server 2005 SP1)中,太长的字符串会被悄悄地截断."
2) From an answer in Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes? I read "One way to launch an attack on the 'quote the argument' procedure is with string truncation. According to MSDN, in SQL Server 2000 SP4 (and SQL Server 2005 SP1), a too long string will be quietly truncated."
如何将其用于攻击(我真的无法想象这样的场景)以及防御它的正确方法是什么?
How can this be used for an attack (I really can't imagine such a scenario) and what would be the right way of protecting against it?
3) 还有其他我应该注意的问题吗?还有其他注入 SQL 的方法吗?
3) Are there any other issues I should be aware of? Any other way of injecting SQL?
注意:30 分钟的 Internet 搜索表明没有经典 ASP 库来防止 SQL 注入.是这样吗,还是我真的在基本的搜索任务上失败了?
Note: A 30-min internet search said that there are no libraries for classic ASP to protect against SQL injection. Is this so, or did I really fail at a basic task of searching?
推荐答案
最好的选择是使用参数化查询.关于这是如何完成的,您必须查看:
The best option is to use parameterized queries. On how that is done, you must check out:
在 PHP 中,PDO(和 prepared statements) 允许开发人员使用参数化查询来避免sql注入.
In PHP also, the PDO (and prepared statements) allows developers to use parameterized queries to avoid sql injection.
是的,您可以在 WHERE
子句中指定参数,为此您可以使用 ADODB.Command
对象,如下例所示:
Yes you can specify parameters in WHERE
clause and for that you can use ADODB.Command
object like below example:
' other connection code
set objCommand = Server.CreateObject("ADODB.Command")
...
strSql = "SELECT name, info FROM [companies] WHERE name = ?" _
& "AND info = ?;"
...
objCommand.Parameters(0).value = strName
objCommand.Parameters(1).value = strInfo
...
有关更多信息,请参阅我在上面发布的文章链接,或者如果您愿意,您可能想对该主题进行更多研究.
For more information, see the article link that I have posted above or you may want to research a little more on the topic if you want.
这篇关于针对 SQL 注入的经典 ASP 保护的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!