Re: Blind SQL injection Este es cargar_comunas.asp
************************************************** ***************
<!--#include file="../include/funciones.asp"-->
<!--#include file="../include/configuracion.asp"-->
<!--#include file="../include/conn.asp" -->
<%
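' Strips a fixed set of characters from the untrusted text it receives and
' returns the remainder. This is a character blacklist, not an escaping or
' encoding routine: on its own it does not make a value safe to splice into
' SQL or HTML. Callers still have to validate the expected type (numeric, in
' this page) or bind the value as a query parameter.
'
' String  - the input text. Non-string inputs (Null, arrays) come back
'           unchanged because On Error Resume Next suppresses the type
'           errors Replace raises for them.
' Returns - the input with CR, LF and the listed punctuation removed.
'
' NOTE(review): the parameter is named after VBScript's built-in String()
' function and shadows it inside this body; kept to preserve the signature.
Function filtra(String)
    ' Kept from the original so that a non-string argument yields the value
    ' unchanged rather than an unhandled error. Remove once every caller is
    ' known to pass strings.
    On Error Resume Next
    String = Replace(String, CHR(13), "")
    String = Replace(String, CHR(10), "")
    String = Replace(String, "|", "")
    String = Replace(String, "=", "")
    String = Replace(String, "&", "")
    String = Replace(String, ";", "")
    String = Replace(String, "$", "")
    String = Replace(String, "%", "")
    String = Replace(String, "@", "")
    String = Replace(String, "'", "")
    String = Replace(String, "<", "")
    String = Replace(String, ">", "")
    String = Replace(String, "(", "")
    String = Replace(String, ")", "")
    String = Replace(String, "\", "")
    String = Replace(String, ",", "")
    String = Replace(String, """", "")
    ' The original also replaced the two-character sequences \" and \' at this
    ' point; both were dead code, because \, " and ' have already been removed
    ' individually above, so no such sequence can remain.
    String = Replace(String, "+", "")
    filtra = String
End Function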
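' Reads the codRegion query-string value, validates it as an integer and opens
' rs over the matching rows of <tabla>_comunas. The value is bound as an ADO
' parameter instead of being concatenated into the SQL text, so the character
' blacklist in filtra() is no longer what stands between the request and the
' query. `tabla`, `MM_conn_STRING`, `CleanUserData` and `despliegaError` come
' from the included files; `tabla` is assumed to be a server-side setting (a
' table name cannot be bound as a parameter) - confirm it is never user-set.
'
' NOTE(review): the posted listing read the key as "codRegio n" (embedded
' space), which can never match a real parameter; assumed to be a paste
' artifact, so the key below matches the column named in the WHERE clause.
codRegion = filtra(CleanUserData(Request.QueryString("codRegion")))

' IsNumeric accepts more than plain integers (signs, decimals, exponent
' notation, surrounding whitespace), so the string is converted explicitly.
' Anything that is not numeric, or does not fit a Long, falls back to 0 -
' the same default the original used for non-numeric input.
If IsNumeric(codRegion) Then
    On Error Resume Next
    codRegion = CLng(codRegion)
    If Err.Number <> 0 Then
        Err.Clear
        codRegion = 0
    End If
    On Error GoTo 0
Else
    codRegion = 0
End If

' "?" is the positional parameter placeholder filled in below.
strSql = "SELECT * FROM " & tabla & "_comunas " _
       & "WHERE codRegion = ? " _
       & "ORDER BY comuna ASC "

Set cmd = Server.CreateObject("ADODB.Command")
Set rs = Server.CreateObject("ADODB.Recordset")
' On Error Resume Next is deliberately left in force from here on: the
' original page relied on it for the Err.Number check and for the HTML
' rendering that follows this block.
On Error Resume Next
cmd.ActiveConnection = MM_conn_STRING
cmd.CommandText = strSql
cmd.CommandType = 1                       ' adCmdText
' adInteger = 3, adParamInput = 1; codRegion is a Long at this point.
cmd.Parameters.Append cmd.CreateParameter("codRegion", 3, 1, , codRegion)
' Same cursor type (1 = adOpenKeyset) and lock type (2 = adLockPessimistic)
' as the original rs.Open. The connection is taken from the Command object,
' so the ActiveConnection argument must be omitted here.
rs.Open cmd, , 1, 2
If Err.Number Then
    despliegaError Err.Number, Err.Description
End If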
%>
<SELECT class=texto id="cmb_comuna" name="cmb_comuna" style="font-family: Arial; font-size: 11; background-color: rgb(224,231,235); border: medium" >
<option value="0" selected>SELECCIONE</option>
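<%
' Renders one <option> per row of the recordset opened above. Assumes `rs`
' was opened by the preceding code; On Error Resume Next is still in force
' from there, so a failed open produces an empty list rather than an error.
Do While Not rs.EOF
%>
<%
' codComuna is written into an attribute, so it is HTML-encoded; "" & value
' turns a Null field into an empty string before encoding. The existing
' Escape() on the display text is kept unchanged - verify it is the intended
' encoding for the option text on the client side.
%>
<option value="<%=Server.HTMLEncode("" & rs("codComuna")) %>"><%=Escape(rs("comuna")) %></option>
<%
    rs.MoveNext
Loop
' Recordset.State = 1 (adStateOpen) is the open-state test. The original
' checked rs.Status, which reports the status of the current record, not
' whether the recordset is open, so Close was effectively never reached.
If rs.State = 1 Then rs.Close
Set rs = Nothing
%>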
</SELECT> |