<%
' The parameter name is spliced into Execute below, so accept only plain identifiers as names.
Dim nameCheck, pair, parts, item
Set nameCheck = New RegExp
nameCheck.Pattern = "^[A-Za-z_][A-Za-z0-9_]*$"
' Double single quotes for SQL, and double quotes so the VBScript string literal built for Execute stays intact.
Function Quoted(v)
    Quoted = Replace(Replace(v, """", """"""), "'", "''")
End Function
' Note: Instead of parsing the string using Request.QueryString, get the whole query string using
' Request.ServerVariables("QUERY_STRING"), because a request in the following format will not be parsed:
' <form method="post" action="post.asp?PageID=123;Declare @a;Set @=123;Exec(@);">
' </form>
' The raw query string is name=value pairs joined by "&", with the values still URL-encoded.
For Each pair In Split(Request.ServerVariables("QUERY_STRING"), "&")
    parts = Split(pair, "=", 2)
    If UBound(parts) = 1 And nameCheck.Test(parts(0)) Then Execute("my_" & parts(0) & " = """ & Quoted(Unescape(Replace(parts(1), "+", " "))) & """")
Next
Response.Write my_aaa & "<br>"
Response.Write my_bbb & "<br>"
For Each item In Request.Form()
    If nameCheck.Test(item) Then Execute("my_" & item & " = """ & Quoted(Request.Form(item)) & """")
Next
%>
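The post's protection is the quote doubling `replace(value, "'", "''")`. The following is an added example, not code from the post, written in Python with sqlite3 rather than classic ASP so it can be run offline: it shows the doubling holding up when the value sits inside a quoted SQL string, the post's own `PageID=123;Declare @a;...` value passing through the filter untouched because an unquoted numeric context gives it nothing to act on, and a parameterised query handling both cases. The table and row values are constructed.

```python
import sqlite3

# Constructed sample data; the PageID value is the one quoted in the post's own comment.
NAME_WITH_QUOTE = "O'Brien"
PAGEID_PAYLOAD = "123;Declare @a;Set @=123;Exec(@);"


def escape_quotes(value: str) -> str:
    """The post's transformation: replace(value, "'", "''")."""
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the page's database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (PageID INTEGER, Owner TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", [(123, "O'Brien"), (124, "Smith")])
    return conn


def owner_lookup_escaped(conn: sqlite3.Connection, owner: str) -> list:
    """Quoted string context: doubling the quote keeps the literal well-formed."""
    sql = "SELECT PageID FROM pages WHERE Owner = '" + escape_quotes(owner) + "'"
    return [row[0] for row in conn.execute(sql)]


def page_lookup_escaped(conn: sqlite3.Connection, page_id: str):
    """Unquoted numeric context: there is no quote to double, so the value is spliced in verbatim.
    Returns the rows, or None when the driver refuses the resulting statement text."""
    sql = "SELECT Owner FROM pages WHERE PageID = " + escape_quotes(page_id)
    try:
        return [row[0] for row in conn.execute(sql)]
    except Exception:  # sqlite3 rejects stacked statements (Warning before 3.12, ProgrammingError after)
        return None


def page_lookup_param(conn: sqlite3.Connection, page_id: str) -> list:
    """Parameterised query: the driver never merges the value into the SQL text."""
    return [row[0] for row in conn.execute("SELECT Owner FROM pages WHERE PageID = ?", (page_id,))]


if __name__ == "__main__":
    db = make_db()
    print(owner_lookup_escaped(db, NAME_WITH_QUOTE))        # [123]
    print(escape_quotes(PAGEID_PAYLOAD) == PAGEID_PAYLOAD)  # True: the filter had nothing to act on
    print(page_lookup_escaped(db, PAGEID_PAYLOAD))          # None: two statements reached the driver
    print(page_lookup_param(db, PAGEID_PAYLOAD))            # []: treated as data, matches no row
```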
Sunday, January 4, 2009
Replace single quote in All Get and POST Variables to prevent SQL injection