我怎样才能让在prevents sql注入传统的ASP一个prepared声明? [英] How can I make a prepared statement in classic asp that prevents sql injection?
问题描述
我有这其中工程:
sqlString = "SELECT * FROM employees WHERE lastname = '" & last_name & "'"
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = dbConn
cmd.CommandText = sqlString
cmd.Prepared = True
Set recs = cmd.Execute
我的问题是,上述的SqlString
的动态部分是prepared语句命令。我不认为我在上面已经被保护我。
The problem I have is that above the dynamic part of sqlString
is before the prepared statement command. I don't think what I have above is protecting me.
不要我有我做的prepared语句之前解决这一问题的SqlString?读这让我觉得:<一href=\"http://stackoverflow.com/questions/8263371/how-$p$ppared-statements-can-protect-from-sql-injection-attacks\">How prepared报表可以从SQL注入攻击保护:
Don't I have to fix this sqlString before I do the prepared statement? Reading this made me think that: How prepared statements can protect from SQL injection attacks?:
虽然prepared报表的情况下,我们不会改变我们的计划,它会保持原样
这是一点。
"While in case of prepared statements we don't alter our program, it remains intact That's the point.
我们首先发送程序的服务器
We are sending program to the server first
$db->prepare("SELECT * FROM users where id=?");
,其中数据是由一些所谓的占位符可变取代的
然后我们分别发送这些数据:
where the data is substituted by some variable called "placeholder" and then we're sending the data separately:
$db->execute($data);
所以,它不能改变我们的计划,做任何伤害。
很简单 - 是不是
so, it can't alter our program and do any harm. Quite simple - isn't it?"
但我不知道如何让我的查询正确的。我也不知道他从 prepare
如何到达 $数据
。希望寻求指导。谢谢你。
But I don't know how to make my query correct. I also don't know how he got from prepare
to $data
. Was hoping for guidance. Thanks.
推荐答案
为什么不使用ADO命令的参数?
Why not use ADO command parameters?
var oCmd = Server.CreateObject("ADODB.Command");
oCmd.CommandText = "SELECT * FROM employees WHERE lastname = ?";
oCmd.Parameters.Append(oCmd.CreateParameter(undefined,202, 1, 50,"last name"))//adVarWChar
这篇关于我怎样才能让在prevents sql注入传统的ASP一个prepared声明?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!