At present, some people's programs have SQL injection vulnerabilities (I guess that's what they are called: P).
If you append a statement such as `; delete forum_forum; --` to the query string, that statement makes your database perform a DELETE.
This is caused by careless programming. I will give you a small method; perhaps this method is too crude, please don't laugh. :)
Example:
The handling code is as follows (the idea is to accept only a query string that begins with action= and only action values that the program knows about):
Action1 = Trim(Request.QueryString())                  ' the whole raw query string
If LCase(Left(Action1, 7)) <> "action=" Then           ' the query string must begin with action=
    Error(ERR01)                                       ' error handling (the author's own Error routine)
Else
    Action = LCase(Trim(Request.QueryString("Action"))) ' get the action value, case-folded so the Select Case below matches
End If

Select Case Action                                     ' dispatch only on the value that was checked above
    Case "add"
        .....
    Case "delete"
        ......
    Case Else                                          ' if the query string has any other value, error handling
        Error(ERR02)
End Select
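The same two checks in runnable form, as an added example (Python rather than ASP, and not the original post's code): the query string must start with `action=` (ERR01) and the action value must be one of the known actions (ERR02), so the injected `; delete forum_forum; --` never reaches the database. The whitelist only covers the action value itself, so the example also shows the delete branch binding its id as a query parameter instead of splicing it into SQL. The `forum_forum` table layout, the `id`/`name` parameters and the `ERR03` code are constructed for this example; the query parsing splits on `&` only, because a parser that also splits on `;` would turn the injected string into an innocent-looking `action=delete`.

```python
"""Whitelist validation of an ASP-style 'action' query parameter, with the
page's error codes (ERR01, ERR02), plus a parameterized DELETE for the id
the delete branch uses. Added example; not the original page's code.
Table name, columns and ERR03 are constructed for the demonstration."""
import sqlite3
from urllib.parse import unquote_plus

# The actions the page's Select Case accepts (constructed whitelist).
ALLOWED_ACTIONS = ("add", "delete")


class QueryError(ValueError):
    """Carries the error code the page's Error() routine would receive."""

    def __init__(self, code, detail):
        super().__init__(code, detail)
        self.code = code


def parse_query(query_string):
    """Split a raw query string into (name, value) pairs.

    Splits on '&' only: a parser that also splits on ';' would read
    'action=delete;delete forum_forum;--' as a clean action=delete.
    """
    pairs = []
    for part in query_string.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def validate_action(query_string):
    """Return the whitelisted action named by the query string.

    ERR01: the query string must begin with 'action='.
    ERR02: the value must be exactly one of ALLOWED_ACTIONS.
    Both comparisons are case-insensitive (VBScript's Left()/Select Case
    compare strings case-sensitively by default, hence the LCase calls).
    """
    raw = query_string.strip()
    if raw[:7].lower() != "action=":
        raise QueryError("ERR01", "query string must start with action=")
    _, value = parse_query(raw)[0]
    action = value.strip().lower()
    if action not in ALLOWED_ACTIONS:
        raise QueryError("ERR02", "unknown action %r" % value)
    return action


def make_db():
    """In-memory stand-in for the forum_forum table the page's payload names."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE forum_forum (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO forum_forum VALUES (?, ?)",
                    [(1, "general"), (2, "news"), (3, "help")])
    return con


def forum_count(con):
    return con.execute("SELECT COUNT(*) FROM forum_forum").fetchone()[0]


def handle_delete(con, params):
    """The 'delete' branch: id must be digits, then it is bound, not spliced."""
    forum_id = params.get("id", "")
    if not forum_id.isdigit():
        raise QueryError("ERR03", "id must be a positive integer")  # constructed code
    cur = con.execute("DELETE FROM forum_forum WHERE id = ?", (int(forum_id),))
    con.commit()
    return cur.rowcount


def handle_add(con, params):
    """The 'add' branch: the name is also bound as a parameter."""
    name = params.get("name", "").strip()
    if not name:
        raise QueryError("ERR03", "name is required")  # constructed code
    con.execute("INSERT INTO forum_forum (name) VALUES (?)", (name,))
    con.commit()
    return 1


HANDLERS = {"add": handle_add, "delete": handle_delete}


def dispatch(con, query_string):
    """Equivalent of the page's If/Select Case: ('ok', rows) or ('error', code)."""
    try:
        action = validate_action(query_string)
        params = dict(parse_query(query_string))
        return ("ok", HANDLERS[action](con, params))
    except QueryError as exc:
        return ("error", exc.code)


if __name__ == "__main__":
    db = make_db()
    for qs in ("action=delete&id=2",
               "action=delete;delete forum_forum;--",
               "id=1&action=delete"):
        print(qs, "->", dispatch(db, qs), "rows left:", forum_count(db))
```

Running the block shows the page's payload rejected with ERR02 while the table keeps its three rows; a legitimate `action=delete&id=2` removes exactly one row.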