
SQL injection on Classic ASP pages with parameterized queries: text fields

I've parameterized my queries in my Classic ASP app, but am unsure whether I need to sanitize or scrub free text fields or if the parameterization is sufficient to prevent injection.


If you use parameterized queries, you're safe against SQL injection attacks.

But not for XSS attacks; some user could insert HTML content (think about <script>, <object> tags) into your database and, at some page, another user gets that potentially malicious code executed.
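The two points in this answer, as an added Classic ASP example (not code from the question or the answer): the user's text goes to SQL Server as a typed ADODB parameter instead of being concatenated into the statement, and whatever comes back is passed through Server.HTMLEncode before it is written to the page. The table dbo.Comments, the form field "author", the Application("ConnString") connection string and the 100-character column width are assumptions made for the example.

```asp
<%
' Added example (not from the original question or answers): a parameterized
' lookup in Classic ASP using ADODB.Command, followed by HTML-encoded output.
' Assumptions: SQL Server via OLE DB, a table dbo.Comments(Id, Author, Body)
' with Author nvarchar(100), a form field named "author" and a connection
' string stored in Application("ConnString"). All names are illustrative.
Option Explicit

Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202

Dim conn, cmd, rs, author
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")

author = Request.Form("author")
' Enforce the column width up front: ADO raises an error if the value is
' longer than the declared parameter size. This is a length check, not a
' character blacklist; the parameter does the real work.
If Len(author) > 100 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The user's text never becomes part of the SQL string. It travels as a typed
' parameter, so quotes, comment markers or semicolons in it are only data.
cmd.CommandText = "SELECT Id, Author, Body FROM dbo.Comments WHERE Author = ?"
cmd.Parameters.Append cmd.CreateParameter("@author", adVarWChar, adParamInput, 100, author)

Set rs = cmd.Execute

Do Until rs.EOF
    ' Parameterization does nothing for output: the stored Body may contain
    ' <script> or <object> tags typed by another user. Server.HTMLEncode turns
    ' them into inert text at the point they are rendered. The & "" coerces a
    ' NULL column to an empty string, which HTMLEncode would otherwise reject.
    Response.Write "<p><b>" & Server.HTMLEncode(rs("Author") & "") & "</b>: " _
        & Server.HTMLEncode(rs("Body") & "") & "</p>" & vbCrLf
    rs.MoveNext
Loop

rs.Close : Set rs = Nothing
conn.Close : Set conn = Nothing
%>
```

Encoding happens where the value is written to HTML, not where it is stored; storing the raw text and encoding on every output path is what keeps a value that is later shown in a different context (an attribute, a JSON response) from being double-encoded or left unencoded.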


Not all SQL stored procs are injection safe

http://palisade.plynt.com/issues/2006Jun/injection-stored-procedures/
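The caveat in this answer, as an added example (not code from the answer or from the linked article): parameterizing the call to a stored procedure only guarantees that the argument reaches the procedure as data. If the procedure body then concatenates that argument into a string and runs it with EXEC(), the injection is rebuilt inside the database. The block first makes the safe call, then runs a heuristic audit over sys.sql_modules that lists procedures whose body contains EXEC followed by a '+'-concatenated string, for manual review. The procedure dbo.FindUser, its result column UserName, the form field "name", the Application("ConnString") connection string and a login permitted to read sys.sql_modules are assumptions made for the example; the LIKE pattern is a coarse heuristic, not a parser.

```asp
<%
' Added example (not from the original answers): calling a stored procedure
' with a typed ADODB parameter, then auditing procedure bodies for
' concatenated dynamic SQL. Assumptions: SQL Server, a procedure
' dbo.FindUser(@name nvarchar(100)) returning a UserName column, a form field
' "name", a connection string in Application("ConnString") and read access to
' sys.sql_modules. All names are illustrative.
Option Explicit

Const adCmdStoredProc = 4
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202

Dim conn, cmd, audit, rs, name
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")

name = Request.Form("name")
If Len(name) > 100 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' 1. The call itself is safe: @name is delivered as a parameter, never spliced
'    into the statement text on the ASP side.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "dbo.FindUser"
cmd.Parameters.Append cmd.CreateParameter("@name", adVarWChar, adParamInput, 100, name)
Set rs = cmd.Execute
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("UserName") & "") & "<br>" & vbCrLf
    rs.MoveNext
Loop
rs.Close

' 2. What the call cannot guarantee: a procedure that builds its own SQL from
'    @name with string concatenation and runs it through EXEC() is still
'    injectable. This heuristic flags procedure bodies containing EXEC or
'    EXECUTE followed by a parenthesised expression with a '+' in it. Each hit
'    needs a human read; sp_executesql with parameters is the usual fix.
'    Serve this from an administrative page, not a public one.
Set audit = Server.CreateObject("ADODB.Command")
Set audit.ActiveConnection = conn
audit.CommandType = adCmdText
audit.CommandText = _
    "SELECT OBJECT_SCHEMA_NAME(object_id) AS SchemaName, " & _
    "       OBJECT_NAME(object_id) AS ProcName " & _
    "FROM sys.sql_modules " & _
    "WHERE OBJECTPROPERTY(object_id, 'IsProcedure') = 1 " & _
    "  AND definition LIKE '%EXEC%(%+%)%'"
Set rs = audit.Execute
Response.Write "<h3>Procedures using concatenated dynamic SQL (review each)</h3>" & vbCrLf
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("SchemaName") & "." & rs("ProcName")) & "<br>" & vbCrLf
    rs.MoveNext
Loop
rs.Close : Set rs = Nothing
conn.Close : Set conn = Nothing
%>
```

The audit query is deliberately broad: it will also list procedures that concatenate only trusted identifiers, and it will miss dynamic SQL assembled into a variable and executed on a later line. Treat its output as a review list, and treat any procedure that accepts user-supplied text and contains EXEC of a built string as unsafe until it has been rewritten to pass that text as a parameter of sp_executesql.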
