I am trying to update a single customer's details, and I'm having problems updating with the new user input. I can see the changes being passed, but the SQL is not updated. Below is the code - updating SQL Server through classic ASP and VBScript
'Update'
updateC = request.QueryString("action")
if updateC = "update" then
Id = request.QueryString("Id")
Name = request.QueryString("Name")
Address = request.QueryString("Address")
Suburb = request.QueryString("Suburb")
Postcode = request.QueryString("Postcode")
Age = request.QueryString("Age")
Email = request.QueryString("Email")
end if
%>
<form method="get" action="CreateCustomer.asp">
Name: <input type="text" value="<%=Name %>" name="Name"><br/>
Address: <input type="text" value="<%=Address %>" name="Address"><br/>
Suburb: <input type="text" value="<%=Suburb %>" name="Suburb"><br/>
Postcode: <input type="text" value="<%=Postcode %>" name="Postcode"><br/>
Age: <input type="text" value="<%=Age %>" name="Age"><br/>
Email: <input type="text" value="<%=Email %>" name="Email"><br/><br/>
<% if updateC = "update" then%>
<input type="hidden" value="update" name="updateButton">
<input type="submit" value="Update Customer">
<% else %>
<input type="hidden" value="insert" name="insert">
<input type="submit" value="New Customer">
<% end if %>
</form>
<%
'Assign Variables'
insertCheck = request.QueryString("insert")
updCheck = request.QueryString("updateButton")
if insertCheck = "insert" or updCheck = "update" then
ID = request.QueryString("Id")
Name = request.QueryString("Name")
Address = request.QueryString("Address")
Suburb = request.QueryString("Suburb")
Postcode = request.QueryString("Postcode")
Age = request.QueryString("Age")
Email = request.QueryString("Email")
end if
'update customer'
updButton = request.QueryString("updateButton")
if updButton = "update" and name<>"" then
updateCustomer()
end if
'Update customer sub procedure'
sub updateCustomer()
Dim uSQL, objCon
Set objCon = CreateObject("ADODB.Connection")
objCon.Open "Provider=SQLOLEDB.1;Password=xxxx;Persist Security Info=True;User ID=xxxx;Initial Catalog=Customer;Data Source=PC"
uSQL = "UPDATE Customer SET Name = " & "'" & Name & "'" & " Where ID = " & "'" & Id & "'"
objCon.Execute(uSQL)
uSQL = "UPDATE Customer SET Address = " & "'" & Address & "'" & " Where ID = " & "'" & Id & "'"
objCon.Execute(uSQL)
uSQL = "UPDATE Customer SET Suburb = " & "'" & Suburb & "'" & " Where ID = " & "'" & Id & "'"
objCon.Execute(uSQL)
uSQL = "UPDATE Customer SET Postcode = " & "'" & Postcode & "'" & " Where ID = " & "'" & Id & "'"
objCon.Execute(uSQL)
uSQL = "UPDATE Customer SET Age = " & "'" & Age & "'" & " Where ID = " & "'" & Id & "'"
objCon.Execute(uSQL)
uSQL = "UPDATE Customer SET Email = " & "'" & Email & "'" & " Where ID = " & "'" & Id & "'"
objCon.Execute(uSQL)
objCon.Close
end sub
The code above is from createcustomer.asp and the code below is from table.asp
<td><Center><a href="CreateCustomer.asp?action=update&Id=<%= objRS("Id") %>&Name=<%= objRS("Name") %>&Address=<%= objRS("Address") %>&suburb=<%= objRS("Suburb") %>&postcode=<%= objRS("Postcode") %>&age=<%= objRS("Age") %>&email=<%= objRS("Email") %>">
<input type="submit" value="Update"></a></Center></td>
SQL injection, anyone? – 2011-05-26 05:33:55
You should at least sanitise your input by escaping the '-character in the raw querystring values to break possible injection scripts! – mzwaal 2011-05-26 06:05:58
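Added example, not code from the question or from the commenters: a rewritten update path for CreateCustomer.asp that addresses both problems visible in the post. The original form never sends Id back when it is submitted (there is no hidden Id field, and the action=update parameter is not carried over), so the WHERE clause compares against an empty string and updates no rows; the form below carries Id in a hidden field and the update only runs when a numeric Id is present. The six concatenated UPDATE statements are replaced by one ADODB.Command with `?` placeholders, so the values travel as parameters and never become part of the SQL text, which is the fix for the injection the comments point out. The connection string, the column types (ID assumed integer, the rest assumed varchar(100)) and the function name UpdateCustomerSafe are assumptions for this example.

```vbscript
<%
' Added example (not the asker's code): update one Customer row from the submitted
' form using a parameterised ADODB.Command instead of string concatenation.
' Assumptions: ID is an integer column, the other columns are varchar(100), and the
' connection string placeholders (xxxx) are filled in locally.
Option Explicit

' ADO constants, declared here so the page does not depend on adovbs.inc
Const adCmdText = 1
Const adInteger = 3
Const adVarChar = 200
Const adParamInput = 1

Dim CONN_STRING
CONN_STRING = "Provider=SQLOLEDB.1;Data Source=PC;Initial Catalog=Customer;User ID=xxxx;Password=xxxx"

' Returns the number of rows affected, so the caller can tell "no row with that ID" from success.
Function UpdateCustomerSafe(custId, custName, custAddress, custSuburb, custPostcode, custAge, custEmail)
    Dim objCon, cmd, rowsAffected
    Set objCon = Server.CreateObject("ADODB.Connection")
    objCon.Open CONN_STRING

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = objCon
    cmd.CommandType = adCmdText
    ' One statement, one round trip; the ? markers are filled positionally from the parameters below.
    cmd.CommandText = "UPDATE Customer SET Name = ?, Address = ?, Suburb = ?, " & _
                      "Postcode = ?, Age = ?, Email = ? WHERE ID = ?"
    cmd.Parameters.Append cmd.CreateParameter("@Name",     adVarChar, adParamInput, 100, custName)
    cmd.Parameters.Append cmd.CreateParameter("@Address",  adVarChar, adParamInput, 100, custAddress)
    cmd.Parameters.Append cmd.CreateParameter("@Suburb",   adVarChar, adParamInput, 100, custSuburb)
    cmd.Parameters.Append cmd.CreateParameter("@Postcode", adVarChar, adParamInput, 100, custPostcode)
    cmd.Parameters.Append cmd.CreateParameter("@Age",      adVarChar, adParamInput, 100, custAge)
    cmd.Parameters.Append cmd.CreateParameter("@Email",    adVarChar, adParamInput, 100, custEmail)
    cmd.Parameters.Append cmd.CreateParameter("@ID",       adInteger, adParamInput, , CLng(custId))

    ' Execute's first argument receives the affected-row count
    cmd.Execute rowsAffected
    objCon.Close
    Set cmd = Nothing
    Set objCon = Nothing
    UpdateCustomerSafe = rowsAffected
End Function

' Run the update only when the form was submitted AND a usable Id came with it.
Dim updButton, rawId, rows
updButton = Request.QueryString("updateButton")
rawId = Request.QueryString("Id")
If updButton = "update" And rawId <> "" And IsNumeric(rawId) Then
    rows = UpdateCustomerSafe(rawId, _
                              Request.QueryString("Name"), _
                              Request.QueryString("Address"), _
                              Request.QueryString("Suburb"), _
                              Request.QueryString("Postcode"), _
                              Request.QueryString("Age"), _
                              Request.QueryString("Email"))
    If rows = 0 Then
        Response.Write "<p>No customer with Id " & Server.HTMLEncode(rawId) & " was found.</p>"
    Else
        Response.Write "<p>Customer updated.</p>"
    End If
End If
%>
<form method="get" action="CreateCustomer.asp">
  <!-- The original form omitted this field, so Id arrived empty on submit and no row matched. -->
  <input type="hidden" name="Id" value="<%= Server.HTMLEncode(rawId) %>">
  Name: <input type="text" name="Name" value="<%= Server.HTMLEncode(Request.QueryString("Name")) %>"><br/>
  Address: <input type="text" name="Address" value="<%= Server.HTMLEncode(Request.QueryString("Address")) %>"><br/>
  Suburb: <input type="text" name="Suburb" value="<%= Server.HTMLEncode(Request.QueryString("Suburb")) %>"><br/>
  Postcode: <input type="text" name="Postcode" value="<%= Server.HTMLEncode(Request.QueryString("Postcode")) %>"><br/>
  Age: <input type="text" name="Age" value="<%= Server.HTMLEncode(Request.QueryString("Age")) %>"><br/>
  Email: <input type="text" name="Email" value="<%= Server.HTMLEncode(Request.QueryString("Email")) %>"><br/><br/>
  <input type="hidden" name="updateButton" value="update">
  <input type="submit" value="Update Customer">
</form>
```

Two things worth noting about the design. Escaping the single quote, as the comment suggests, is weaker than parameters: it has to be done for every value on every statement and still leaves numeric fields such as ID unquoted in the original code; with CreateParameter the driver handles typing and quoting for all seven values at once. Server.HTMLEncode on the values echoed back into the form closes the separate issue that the original page writes raw querystring values straight into the HTML.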