
SQL injection on Classic ASP pages with parameterized queries: text fields

Developer https://www.devze.com 2022-12-17 07:55 Source: web

I've parameterized my queries in my Classic ASP app, but am unsure whether I need to sanitize or scrub free text fields or if the parameterization is sufficient to prevent injection.


If you use parameterized queries, you're safe against SQL injection attacks.

But not against XSS attacks: a user could insert HTML content (think about <script> or <object> tags) into your database, and on some page another user could get that potentially malicious code executed.


Not all SQL stored procs are injection-safe:

http://palisade.plynt.com/issues/2006Jun/injection-stored-procedures/
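The two answers above make complementary points: a bound parameter is always treated as data, so the free-text value never becomes part of the statement (first answer), but a stored procedure that takes that same parameter and concatenates it into dynamic SQL reintroduces the injection on the server side (second answer). The following T-SQL is an added example written for this page, not code from the question, the answers or the linked article. It assumes SQL Server (the usual back end for a Classic ASP app, but an assumption here), and the table `dbo.Notes` and the procedures `usp_SearchNotes_Unsafe` / `usp_SearchNotes_Safe` are hypothetical names; the attacker strings are constructed for the demonstration.

```sql
-- Added example, not from the original page. Assumes SQL Server; dbo.Notes and the
-- procedure names are hypothetical, and the attacker inputs are constructed.
CREATE TABLE dbo.Notes (Id INT IDENTITY PRIMARY KEY, Body NVARCHAR(MAX) NOT NULL);
INSERT INTO dbo.Notes (Body) VALUES (N'public note'), (N'secret note');
GO

-- 1. A parameterized statement, equivalent to what ADODB.Command with CreateParameter
--    sends from Classic ASP. The value is bound as data, so the "payload" is just text.
DECLARE @Body NVARCHAR(MAX) = N'x''); DELETE FROM dbo.Notes; --';
EXEC sp_executesql
    N'INSERT INTO dbo.Notes (Body) VALUES (@Body)',
    N'@Body NVARCHAR(MAX)',
    @Body = @Body;
SELECT COUNT(*) AS NoteCount FROM dbo.Notes;   -- 3: the string was stored literally
GO

-- 2. Vulnerable stored procedure. The caller passes @Search as a real parameter,
--    but the procedure builds a SQL string from it and executes that string, so the
--    injection happens inside the procedure, after parameterization has done its job.
CREATE PROCEDURE dbo.usp_SearchNotes_Unsafe @Search NVARCHAR(200)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, Body FROM dbo.Notes WHERE Body LIKE ''%' + @Search + N'%''';
    EXEC (@sql);
END
GO

-- Executed text becomes:
--   SELECT Id, Body FROM dbo.Notes WHERE Body LIKE '%nomatch' OR 1=1 --%'
-- and returns every row, including 'secret note'. A stacked statement such as
-- '; DELETE FROM dbo.Notes; -- would run the same way through EXEC.
EXEC dbo.usp_SearchNotes_Unsafe @Search = N'nomatch'' OR 1=1 --';
GO

-- 3. Safe version: dynamic SQL is still used, but the value is bound with
--    sp_executesql instead of being spliced into the string.
CREATE PROCEDURE dbo.usp_SearchNotes_Safe @Search NVARCHAR(200)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, Body FROM dbo.Notes WHERE Body LIKE ''%'' + @p + ''%''';
    EXEC sp_executesql @sql, N'@p NVARCHAR(200)', @p = @Search;
END
GO

-- Now the same input only matches rows whose text literally contains
-- "nomatch' OR 1=1 --", i.e. none.
EXEC dbo.usp_SearchNotes_Safe @Search = N'nomatch'' OR 1=1 --';
GO
```

Two caveats for the asker's situation: the safe procedure still lets `%` and `_` in the search text act as LIKE wildcards, which is a matching quirk rather than injection, and binding the value on insert does nothing for the XSS concern in the first answer, since the stored text still has to be HTML-encoded (for example with `Server.HTMLEncode` in Classic ASP) wherever it is written back into a page.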

