I have a website in a database (records the page code inside the table), example:
<html>
...
This above code I saved in a field within the table, and to display, I do normally and everything comes right, but I am in need of the following:
within the code has for example h1 date() h1
(I took out the < and > because here they are interpreted as a title)
summary:
when I do <%=%> it is the same thing as Response.write, so how do I put this variable inside the code that is already in the database?
I’ve tried everything when it’s right and everything I put is printed on the screen exactly as I put it, in the example above, it’s written on the page exactly that, date() inside the H1.
detailed..
I created a database within another domain I have and in it I created a table with longtext field and within it I created the following:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title> Login</title>
<body class="gray-bg">
<div><h1 class="logo-name"></h1></div>
<%=date()%> (this is where I have already tried everything (laughs))
</body>
</html>
... (the page is not complete, it was only to give the idea)
and within the domain I want the page I created the following:
' Read the stored page from the sisindex table
SQLLerDados = "select * FROM sisindex"
Set RSLerDados = Server.CreateObject("ADODB.Recordset")
RSLerDados.Open SQLLerDados, objConnPagina
If RSLerDados.EOF Then
    Response.End()
Else
    codigoPagina = RSLerDados("codigoPagina")
    ' Written out verbatim: ASP tags inside the stored page are sent as text, not executed
    Response.Write codigoPagina
End If
Set RSLerDados = Nothing
Response.End()
That is, it goes to my database and picks up the page to be displayed, only this page is in ASP and has commands and functions in it, and with Response.write it is understood as text regardless of how I put the ASP variables, understand? Or do you think I didn't explain it right? Thank you
I didn't quite understand your use case, but there is a way to execute arbitrary code. It's usually recommended, and with caveats, just for processing templates. The problem is that if you have code in your DB that says format the server - and using this method opens the door to code being injected into your DB -, simply accessing a web page will format your server... or worse.
– bfavaretto
How do I get the door open to inject code into my DB? Could you tell me how someone would do that, so I can prevent it... I already have SQL Injection treatment... but would it be just that?
– Ronaldo Bueno
I don't know the details of your application to give examples, but if you're going to use this, use it very carefully, and make sure of what is being passed to the function. If your own users can save data in the DB that will later be interpreted as ASP, they themselves are a threat.
– bfavaretto
Users save data, but in their DB (another domain); this domain, which has the code DB, will be used only to display the content of the page... I swear I got confused by the code, I don't know if it's because I've been at this since 5 am kkk, but could you shed some light on that link?
– Ronaldo Bueno
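An alternative to executing stored ASP, given as an added example that is not part of the original thread: the stored page carries inert `{{name}}` placeholders and the display code substitutes only allowlisted values, so nothing read from the database is ever evaluated. The placeholder syntax, `RenderTemplate` and the `allowed` dictionary are assumptions for illustration; `codigoPagina` is the variable from the question.

```vbscript
<%
' Added example, not the asker's code. The {{name}} syntax and the names
' RenderTemplate / allowed are assumptions made for this illustration.
Function RenderTemplate(template, allowed)
    Dim re, matches, m, src, out, pos, key
    src = template & ""              ' a Null field becomes an empty string
    Set re = New RegExp
    re.Pattern = "\{\{(\w+)\}\}"
    re.Global = True
    Set matches = re.Execute(src)
    out = ""
    pos = 1                          ' Mid is 1-based, FirstIndex is 0-based
    For Each m In matches
        ' Copy the literal HTML that precedes this placeholder.
        out = out & Mid(src, pos, m.FirstIndex + 1 - pos)
        key = LCase(m.SubMatches(0))
        If allowed.Exists(key) Then
            ' Only allowlisted values are emitted, and always HTML-encoded.
            out = out & Server.HTMLEncode(allowed(key))
        End If
        ' Unknown placeholders are dropped; stored text is never evaluated.
        pos = m.FirstIndex + 1 + m.Length
    Next
    RenderTemplate = out & Mid(src, pos)
End Function

' The allowlist is built in the page's own code, never from the database.
Dim allowed
Set allowed = Server.CreateObject("Scripting.Dictionary")
allowed.Add "date", CStr(Date())
allowed.Add "year", CStr(Year(Date()))

' codigoPagina is read from the recordset as in the question; the stored
' page would hold {{date}} inside the h1 in place of the ASP expression.
Response.Write RenderTemplate(codigoPagina, allowed)
%>
```

With this approach a row that contains script delimiters or function calls is still written out as plain text, so write access to the table does not become code execution on the web server.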