VBScript Code breaking from String containing ' -
one of user has ' inside user name , think breaking login code on line temppassword=request.form("userpassword")
if (request.form("action") = "login") tempusername=request.form("username") temppassword=request.form("userpassword") if not (tempusername = "") , not (temppassword = "") strsql="select contactid,email,password directory email='" & tempusername & "' , password='" & temppassword & "'" set rsquery=cn.execute(strsql) if not (rsquery.eof) '-- login correct, set session variables session("cbworkuser") = "yes" session("cbworkusername") = rsquery("email") session("cbworkid") = rsquery("contactid") end if set rsquery = nothing end if end if what solutions there fix this?
don't use string concatenation building sql queries. ever. not encounter problems this, make vulnerable sql injection. use parameterized queries (aka prepared statements) instead:
set cmd = createobject("adodb.command") cmd.activeconnection = cn set p1 = cmd.createparameter("@email" , 200, 1, 255, tempusername) cmd.parameters.append p1 set p2 = cmd.createparameter("@password" , 200, 1, 255, temppassword) cmd.parameters.append p2 cmd.commandtext = "select contactid,email,password directory " _ & "where email=? , password=?" set rsquery = cmd.execute
Comments
Post a Comment