我怎样才能让在prevents sql注入传统的ASP一个prepared声明？ [英] How can I make a prepared statement in classic asp that prevents sql injection?

问题描述

我有这其中工程：

sqlString = "SELECT * FROM employees WHERE lastname = '" & last_name & "'"
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = dbConn
cmd.CommandText = sqlString
cmd.Prepared = True
Set recs = cmd.Execute

我的问题是，上述的SqlString 的动态部分是prepared语句命令。我不认为我在上面已经被保护我。

The problem I have is that above the dynamic part of sqlString is before the prepared statement command. I don't think what I have above is protecting me.

不要我有我做的prepared语句之前解决这一问题的SqlString？读这让我觉得：<一href=\"http://stackoverflow.com/questions/8263371/how-$p$ppared-statements-can-protect-from-sql-injection-attacks\">How prepared报表可以从SQL注入攻击保护：

Don't I have to fix this sqlString before I do the prepared statement? Reading this made me think that: How prepared statements can protect from SQL injection attacks?:

虽然prepared报表的情况下，我们不会改变我们的计划，它会保持原样
   这是一点。

"While in case of prepared statements we don't alter our program, it remains intact That's the point.

我们首先发送程序的服务器

We are sending program to the server first

 $db->prepare("SELECT * FROM users where id=?");

，其中数据是由一些所谓的占位符可变取代的
   然后我们分别发送这些数据：

where the data is substituted by some variable called "placeholder" and then we're sending the data separately:

 $db->execute($data);

所以，它不能改变我们的计划，做任何伤害。
   很简单 - 是不是

so, it can't alter our program and do any harm. Quite simple - isn't it?"

但我不知道如何让我的查询正确的。我也不知道他从 prepare 如何到达 $数据。希望寻求指导。谢谢你。

But I don't know how to make my query correct. I also don't know how he got from prepare to $data. Was hoping for guidance. Thanks.

推荐答案

为什么不使用ADO命令的参数？

Why not use ADO command parameters?

var oCmd = Server.CreateObject("ADODB.Command");
oCmd.CommandText = "SELECT * FROM employees WHERE lastname = ?";
oCmd.Parameters.Append(oCmd.CreateParameter(undefined,202, 1, 50,"last name"))//adVarWChar

这篇关于我怎样才能让在prevents sql注入传统的ASP一个prepared声明？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！