javascript - 如何修复 SQL Inject Me 测试结果

Question

我被要求查看一些经典的 ASP 代码，这很好。但遇到的问题是，他正在使用名为 Sql Inject Me (SIM) 的 FireFox 插件测试 SQL 注入(inject)漏洞。注入(inject)时出现 306 错误。他希望能够运行它并且不会出现这些错误。

我从..开始

function scrub() {
        var oldLastname = document.getElementById("Jobtitle").value;

        var newLastName = oldLastname.replace(";", " ").replace("="," ").replace(' " " ', " ").replace("'"," ");
    }

这将在单击“提交”按钮时触发。我不确定这是否会清除错误

我读到了 FireFoxes 插件正在做什么，那就是......

"The tool works by sending database escape strings through the form fields. It then looks for database error messages that are output into the rendered HTML of the page."

在我进一步研究并发现有更简单的方法之前，有什么好的想法可以解决这个问题？我确实发现这个链接很有用，直到我意识到它是关于 php 而不是 JavaScript 或 ASP。 Looked at this

Answer 1

参数化查询生成 rsInvoices 记录集

<%
Dim rsInvoices
Dim rsInvoices_cmd
Dim rsInvoices_numRows

Set rsInvoices_cmd = Server.CreateObject ("ADODB.Command")
rsInvoices_cmd.ActiveConnection = MM_connection_STRING
rsInvoices_cmd.CommandText = "SELECT * FROM saleman.GetInvoices(?,?)" 
rsInvoices_cmd.CommandType = 1
rsInvoices_cmd.Prepared = true
rsInvoices_cmd.Parameters.Append rsInvoices_cmd.CreateParameter("param1", 135, 1, -1, rsInvoices__MM_day) '' adDBTimeStamp
rsInvoices_cmd.Parameters.Append rsInvoices_cmd.CreateParameter("param2", 200, 1, 255, rsInvoices__MM_plan) '' adVarChar

Set rsInvoices = rsInvoices_cmd.Execute
%>

哪里

<%
Dim rsInvoices__MM_day
rsInvoices__MM_day = "1.2.2014"
If (Request("DayOfReport") <> "") Then 
  rsInvoices__MM_day = Request("DayOfReport")
End If
%>
<%
Dim rsInvoices__MM_plan
rsInvoices__MM_plan = "plan"
If (Request("type") <> "") Then 
  rsInvoices__MM_plan = REPLACE(Request("type"),"'","''")
  ''  This excludes '-injection
  ''  U can write function to check for other types of SQL-Inj
  ''  take in mind that ' sign can be coded in some ways 
End If
%>