[英]How can I prevent SQL injection?
I have the following code where the user is prompted to enter his username and password in a form.我有以下代码,其中提示用户在表单中输入他的用户名和密码。 The username and password are checked with the database and if correct the user is logged in. However this code can be easily SQL injected for example by typing:用数据库检查用户名和密码,如果正确则用户登录。但是,此代码可以很容易地通过 SQL 注入,例如通过键入:
UserName = 'x' and UserPwd = 'x' or 'x'
Can someone help me to modify the code to prevent SQL injection.有人可以帮我修改代码以防止 SQL 注入。 Here is the code:这是代码:
<%@LANGUAGE=Jscript%>
<%
// ----- GLOBALS DECLARATIONS ----------------------------------------------------------------------------
var CKEDir = "ckeditor/";
var DB = Server.MapPath("DB/CMS.MDB");
// ----- GENERAL PURPOSE FUNCTIONS -----------------------------------------------------------------------
// Uses regular expressions to change all single quotes in a string to the HTML
// entity ' and replaces all carriage return and newline characters to spaces.
// This ensures that the string can be incorporated in a SQL statement.
function cleanString(s) {
s = s.replace(/'/g, "'"); // SO syntax fix '
s = s.replace(/[\r\n]/g,' ');
return s;
}
// ----- DATABASE FUNCTIONS ------------------------------------------------------------------------------
// Creates a connection to the database named in the parameter,
function getDBConnection() {
var DBCon = Server.CreateObject("ADODB.Connection");
var DBasePath = DB;
var ConStr = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" + DBasePath + ";Persist Security Info=False";
DBCon.Open(ConStr,"","");
return DBCon;
}
// Increments counter for current page (as identified by global variable PageID) in
// table Counters, and returns a string indicating number of times page was accessed.
function getAccess() {
var msg = '';
if (PageID) {
var DBConn = getDBConnection();
var Td = new Date();
var SQL = "SELECT * FROM Counters WHERE PageID=" + PageID ;
var RS = DBConn.Execute(SQL);
// Page counter does not yet exist - create it.
if (RS.Eof)
{
var AccessCount=1;
var AccessSince = new Date();
SQL="INSERT into Counters ([PageID]) VALUES ("+PageID+")";
}
// Page counter exists, increment it.
else
{
var AccessCount=RS("Hits")+1;
var AccessSince=RS("Created").value;
SQL="UPDATE Counters SET [Hits]="+AccessCount+" WHERE [PageID]="+PageID;
}
RS = DBConn.Execute(SQL)
DBConn.Close();
msg = AccessCount + " visits since " + AccessSince;
}
return msg;
}
// ----- LOGGING IN AND OUT FUNCTIONS --------------------------------------------------------------------
// Returns true if user is logged in.
function isLoggedIn() {
return Session("UserID");
}
// Checks given name and password in users database.
// No validation on the user input is performed, so this function is
// susceptible to SQL injection attacks.
function logInUser(name,pwd) {
var DBConn = getDBConnection();
var SQL = "SELECT * FROM Users WHERE UserName = '" + name + "' and UserPwd = '" + pwd + "'";
var RS = DBConn.Execute(SQL);
var valid = !RS.Eof;
if (valid) {
Session("UserID") = RS("UserID").value;
Session("UserName") = RS("UserName").value;
Session("UserFullName") = RS("UserFirstName").value + ' ' + RS("UserLastName").value;
}
DBConn.Close;
return valid;
}
// Logs out current user.
function logOutUser() {
Session("UserID") = 0;
}
// Returns full name of currently logged in user if any.
function loggedInUser() {
var msg = '';
if (Session("UserID")) msg = Session("UserFullName");
return msg;
}
// Returns true if current user can edit content.
// Currently allows any authenticated user to edit content.
function inEditMode() {
return isLoggedIn();
}
%>
Use parameterized queries.使用参数化查询。 It prevents the SQL injections.它可以防止 SQL 注入。
Click here for more documentation 单击此处获取更多文档
It will prevent the SQL string being hijacked by malicious input.防止SQL字符串被恶意输入劫持。
Good luck!祝你好运!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.