Hi
Try passing the parameters through the function when you collect them.
ASP code:
<%
' Doubles single quotes for the SQL string and strips a few blacklisted tokens.
' Note: REPLACE compares case-sensitively by default, so "insert into" in lowercase is not matched.
FUNCTION corregirComillas( cadena )
    Dim strNuevaCadena
    strNuevaCadena = Trim(cadena)
    strNuevaCadena = REPLACE(strNuevaCadena, "'", "''")
    strNuevaCadena = REPLACE(strNuevaCadena, "<", "")
    strNuevaCadena = REPLACE(strNuevaCadena, ">", "")
    strNuevaCadena = REPLACE(strNuevaCadena, "%", "")
    strNuevaCadena = REPLACE(strNuevaCadena, "*", "")
    strNuevaCadena = REPLACE(strNuevaCadena, "INSERT INTO", "")
    strNuevaCadena = REPLACE(strNuevaCadena, "DELETE FROM", "")
    strNuevaCadena = REPLACE(strNuevaCadena, "IFRAME", "")
    corregirComillas = strNuevaCadena
END FUNCTION
%>
<%
Dim nombre, clave, Ssql10
' Run the form values through the function as soon as they are collected
nombre = corregirComillas(Request.Form("nombre"))
clave  = corregirComillas(Request.Form("clave"))
Ssql10 = "select txt_usuario, txt_clave, cod_estado_inv from m_investigadores where (txt_usuario='" & nombre & "' and txt_clave='" & clave & "' and cod_estado_inv=1);"
On the other hand, the filtering could be improved.
ASP code:
' Lower-case first so each keyword pattern below only needs one spelling
str = lcase(str)
str = replace(str, " ", " ")        ' as written this is a no-op (replaces a space with a space)
str = replace(str, "=", "")
str = replace(str, "'", "")
str = replace(str, """""", "")      ' this literal is two consecutive double-quote characters
str = replace(str, " or ", "")
str = replace(str, " and ", "")
str = replace(str, "(", "")
str = replace(str, ")", "")
str = replace(str, "<", "[")
str = replace(str, ">", "]")
str = replace(str, "having ", "")
str = replace(str, "group by", "")
str = replace(str, "union select sum", "")
str = replace(str, "union select min", "")
str = replace(str, "--", "")
str = replace(str, "select ", "")
str = replace(str, "insert ", "")
str = replace(str, "update ", "")
str = replace(str, "delete ", "")
str = replace(str, "drop ", "")
str = replace(str, "-shutdown", "")
Good luck
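The same login check written with an ADODB.Command and bound parameters, so the form values are sent to the database as data and are never spliced into the SQL text; with this, the quote-doubling and keyword stripping above are not what protects the query. This is an added example, not code from the original post; it assumes an already opened ADODB.Connection named conn and that txt_usuario and txt_clave are varchar columns of at most 50 characters.

```vbscript
<%
' ADO constants (normally taken from adovbs.inc), declared here so the page is self-contained
Const adCmdText    = 1
Const adParamInput = 1
Const adVarChar    = 200

' Assumption: conn is an ADODB.Connection that was opened elsewhere on the page.
Dim nombre, clave, cmd, rs
nombre = Trim(Request.Form("nombre"))
clave  = Trim(Request.Form("clave"))

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? placeholders are filled by the driver at execution time. A quote, a comment
' marker or a keyword inside the input stays inside the value and cannot alter the statement.
cmd.CommandText = "select txt_usuario, txt_clave, cod_estado_inv " & _
                  "from m_investigadores " & _
                  "where txt_usuario = ? and txt_clave = ? and cod_estado_inv = 1"

' Parameters bind positionally, in the order of the ? placeholders.
' Assumed column widths: 50 characters for both txt_usuario and txt_clave.
cmd.Parameters.Append cmd.CreateParameter("nombre", adVarChar, adParamInput, 50, nombre)
cmd.Parameters.Append cmd.CreateParameter("clave",  adVarChar, adParamInput, 50, clave)

Set rs = cmd.Execute

If rs.EOF Then
    Response.Write "Access denied"
Else
    ' Encode before echoing so the stored value cannot inject markup into the page
    Response.Write "Welcome, " & Server.HTMLEncode(rs("txt_usuario"))
End If

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```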