如何修復SQL注入我的測試結果

Question

我被要求查看一些經典的ASP代碼，這很好。但是問題在於，他正在使用名爲Sql Inject Me（SIM）的FireFox插件測試SQL注入漏洞。 它獲得306注射錯誤。他希望能夠運行它，而不是得到這些錯誤。

我開始了與..

function scrub() { 
     var oldLastname = document.getElementById("Jobtitle").value; 

     var newLastName = oldLastname.replace(";", " ").replace("="," ").replace(' " " ', " ").replace("'"," "); 
    } 

這將提交按鈕點擊被解僱。我不知道是否會清除掉錯誤或不

我什麼FireFoxes插件是做閱讀，這是...

「該工具通過形式發送數據庫字符串逃生然後它會查找輸出到頁面呈現的HTML中的數據庫錯誤消息。「

在我走得更遠，然後發現有一個更簡單的方法之前，有什麼好主意的方法來處理這個問題？我確實發現這個鏈接有用，直到我意識到它是關於php而不是JavaScript或ASP。 Looked at this

Answer 1

參數化查詢產生rsInvoices的RecordSet

<% 
Dim rsInvoices 
Dim rsInvoices_cmd 
Dim rsInvoices_numRows 

Set rsInvoices_cmd = Server.CreateObject ("ADODB.Command") 
rsInvoices_cmd.ActiveConnection = MM_connection_STRING 
rsInvoices_cmd.CommandText = "SELECT * FROM saleman.GetInvoices(?,?)" 
rsInvoices_cmd.CommandType = 1 
rsInvoices_cmd.Prepared = true 
rsInvoices_cmd.Parameters.Append rsInvoices_cmd.CreateParameter("param1", 135, 1, -1, rsInvoices__MM_day) '' adDBTimeStamp 
rsInvoices_cmd.Parameters.Append rsInvoices_cmd.CreateParameter("param2", 200, 1, 255, rsInvoices__MM_plan) '' adVarChar 

Set rsInvoices = rsInvoices_cmd.Execute 
%> 

其中

<% 
Dim rsInvoices__MM_day 
rsInvoices__MM_day = "1.2.2014" 
If (Request("DayOfReport") <> "") Then 
    rsInvoices__MM_day = Request("DayOfReport") 
End If 
%> 
<% 
Dim rsInvoices__MM_plan 
rsInvoices__MM_plan = "plan" 
If (Request("type") <> "") Then 
    rsInvoices__MM_plan = REPLACE(Request("type"),"'","''") 
    '' This excludes '-injection 
    '' U can write function to check for other types of SQL-Inj 
    '' take in mind that ' sign can be coded in some ways 
End If 
%>