[Help] Patch SQL injection here script thats vuln: ( var id= ) ... <% id=cekal(trim(request.querystring("id"))) tp=cekal(trim(request.querystring("tp"))) if tp<>"" then %> <% end if set conn=server.createobject("adodb.connection") conn.open dbcon set rst = server.createobject("ADODB.recordset") rst.open "select * from news where id=" & id,conn,1,2 ... set rst = server.createobject("ADODB.recordset") rst.open sqllain,conn,1,2 if not rst.eof then do idsbl=trim(rst("id")) subjudulsbl=trim(rst("subjudul")) judulsbl=trim(rst("judul")) tanggalsbl=trim(rst("tanggal")) jenissbl=trim(rst("jenis")) %> <tr> <td width="1" valign="top"><span class="style1">•</span></td> <td> <div class=news-date><%=rubahtglx(tanggalsbl)%></div> <% if subjudulsbl<>"" then %> <span class=news><%=subjudulsbl%></span> <br> <% end if %> <% if jenissbl="Pemilu 2009" then %> <b><a href="pemilu/read.htm?id=<%=idsbl%>" class=news target="_blank"><%=judulsbl%></a></b> <% elseif jenissbl="Olah Raga" then %> <b><a href="readjadwal.htm?id=<%=idsbl%>" class=news><%=judulsbl%></a></b> <% elseif jenissbl="Piala Dunia" then %> <b><a href="bola2010/read.htm?id=<%=idsbl%>" class=news target="_blank"><%=judulsbl%></a></b> <% elseif jenissbl="Fokus Piala Dunia" then %> <b><a href="bola2010/read.htm?id=<%=idsbl%>" class=news target="_blank"><%=judulsbl%></a></b> <% else %> <b><a href="readnews.htm?id=<%=idsbl%>" class=news><%=judulsbl%></a></b> <% end if %> <br> <br> </td> </tr> <% rst.movenext loop while not rst.eof end if rst.close set rst=nothing ... please help for patch this script.. thanks before added code taqs - id http://sla.ckers.org/forum/read.php?16,36490,36490#msg-36490 Wed, 22 May 2013 09:31:58 -0500 Phorum 5.2.15a http://sla.ckers.org/forum/read.php?16,36490,36558#msg-36558 Re: [Help] Patch SQL injection http://sla.ckers.org/forum/read.php?16,36490,36558#msg-36558 First thanks for your respond
second this i share the link
http://pastebin.com/bquLFi8T]]> thejack SQL and Code Injection Thu, 23 Jun 2011 00:26:19 -0500 http://sla.ckers.org/forum/read.php?16,36490,36512#msg-36512 Re: [Help] Patch SQL injection http://sla.ckers.org/forum/read.php?16,36490,36512#msg-36512 peann SQL and Code Injection Sat, 18 Jun 2011 15:03:58 -0500 http://sla.ckers.org/forum/read.php?16,36490,36490#msg-36490 [Help] Patch SQL injection http://sla.ckers.org/forum/read.php?16,36490,36490#msg-36490 ... 
<%
id=cekal(trim(request.querystring("id")))

tp=cekal(trim(request.querystring("tp")))
if tp<>"" then
%>

<%
end if
set conn=server.createobject("adodb.connection")
conn.open dbcon
set rst = server.createobject("ADODB.recordset")
rst.open "select * from news where id=" & id,conn,1,2
...
set rst = server.createobject("ADODB.recordset")
rst.open sqllain,conn,1,2
if not rst.eof then
	do
	idsbl=trim(rst("id"))
	subjudulsbl=trim(rst("subjudul"))
	judulsbl=trim(rst("judul"))
	tanggalsbl=trim(rst("tanggal"))
	jenissbl=trim(rst("jenis"))
		%>
                                        <tr> 
                                          <td width="1" valign="top"><span class="style1">&#149;</span></td>
                                          <td> 
                                            <div class=news-date><%=rubahtglx(tanggalsbl)%></div>
                                            <%
						  if subjudulsbl<>"" then
						  %>
                                            <span class=news><%=subjudulsbl%></span> 
                                            <br>
                                            <% end if %>
											<% if jenissbl="Pemilu 2009" then %>
		<b><a href="pemilu/read.htm?id=<%=idsbl%>" class=news target="_blank"><%=judulsbl%></a></b>
		<% elseif jenissbl="Olah Raga" then %>
		<b><a href="readjadwal.htm?id=<%=idsbl%>" class=news><%=judulsbl%></a></b>
		<% elseif jenissbl="Piala Dunia" then %>
		<b><a href="bola2010/read.htm?id=<%=idsbl%>" class=news target="_blank"><%=judulsbl%></a></b>
		<% elseif jenissbl="Fokus Piala Dunia" then %>
		<b><a href="bola2010/read.htm?id=<%=idsbl%>" class=news target="_blank"><%=judulsbl%></a></b>
		<% else %>
        <b><a href="readnews.htm?id=<%=idsbl%>" class=news><%=judulsbl%></a></b>
<%  end if %>
	<br>
                                            <br>                                          </td>
                                        </tr>
                                        <%	
	rst.movenext
	loop while not rst.eof	
end if
rst.close
set rst=nothing
...

please help for patch this script..
thanks before

added code taqs - id]]> thejack SQL and Code Injection Thu, 16 Jun 2011 05:10:47 -0500