One of my users has a ' inside the user name and I think that it is breaking the login code on the line tempPassword=Request.Form("UserPassword")
if (Req
Don't use string concatenation for building SQL queries. Ever. Not only will you encounter problems like this, it will also make you vulnerable to SQL injection. Use parameterized queries (AKA prepared statements) instead:
' ADO constants used below: 200 = adVarChar, 1 = adParamInput
Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn   ' Set assigns the connection object itself
Set p1 = cmd.CreateParameter("@email", 200, 1, 255, tempUsername)
cmd.Parameters.Append p1
Set p2 = cmd.CreateParameter("@password", 200, 1, 255, tempPassword)
cmd.Parameters.Append p2
' The ? placeholders are bound in the order the parameters were appended
cmd.CommandText = "SELECT ContactID,Email,Password FROM Directory " _
                & "WHERE Email=? AND Password=?"
Set rsQuery = cmd.Execute
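
Added example (not part of the original question or answer): the apostrophe failure from the question and the parameterized fix, reproduced with Python's built-in sqlite3 instead of ADO so it runs offline. The table and column names follow the query above; the rows, function names and error handling are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; schema mirrors the Directory query in the answer.
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE Directory ("
               "ContactID INTEGER PRIMARY KEY, Email TEXT, Password TEXT)")
    cn.executemany("INSERT INTO Directory (Email, Password) VALUES (?, ?)",
                   [("o'brien@example.com", "pw-one"),
                    ("alice@example.com", "pw-two")])
    return cn

def login_concat(cn, email, password):
    """'Before' version: user input is spliced into the SQL text."""
    sql = ("SELECT ContactID, Email FROM Directory "
           "WHERE Email='" + email + "' AND Password='" + password + "'")
    try:
        return cn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        # The apostrophe closes the string literal early, so the
        # statement no longer parses.
        return "error: %s" % exc

def login_param(cn, email, password):
    """'After' version: the SQL text is fixed and values are bound separately."""
    sql = ("SELECT ContactID, Email FROM Directory "
           "WHERE Email=? AND Password=?")
    return cn.execute(sql, (email, password)).fetchone()

if __name__ == "__main__":
    cn = make_db()
    # A user without an apostrophe works either way.
    print(login_concat(cn, "alice@example.com", "pw-two"))
    # A legitimate user with an apostrophe breaks the concatenated query...
    print(login_concat(cn, "o'brien@example.com", "pw-one"))
    # ...but logs in normally when the value is bound as a parameter.
    print(login_param(cn, "o'brien@example.com", "pw-one"))
    # A wrong password still fails cleanly.
    print(login_param(cn, "o'brien@example.com", "wrong"))
```
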