PJBlog blog system: SQL injection in the admin page c_members.asp caused by insufficient filtering of the User variable
In the file control/c_members.asp:

    FindUser = Request.QueryString("User") ' line 28
    If Len(FindUser) < 1 Then
        FindUserFilter = ""
    Else
        ' The User value is concatenated into the SQL text without any filtering
        FindUserFilter = " AND M.memName='" & FindUser & "'"
    End If
    ' ......
    SQL = "SELECT M.*,S.statname,S.stattitle FROM blogMember as M,blogstatus as S where...
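The following is an added example, not code from PJBlog or from the original advisory. It models the FindUserFilter logic in Python with sqlite3, next to a version that binds the value as a parameter. The base query, the sample rows and the function names are constructed for illustration, since the original WHERE clause is truncated on the page.

```python
import sqlite3

# Constructed stand-in for the truncated query; names follow the snippet above.
BASE = "SELECT M.memName FROM blogMember AS M WHERE 1=1"

def make_db():
    """In-memory table with constructed sample members."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE blogMember (memName TEXT)")
    db.executemany("INSERT INTO blogMember VALUES (?)",
                   [("alice",), ("bob",), ("o'neil",)])
    return db

def find_concat(db, find_user):
    """Same shape as the page's code: the value is pasted into the SQL text."""
    if len(find_user) < 1:
        find_user_filter = ""
    else:
        find_user_filter = " AND M.memName='" + find_user + "'"
    return [row[0] for row in db.execute(BASE + find_user_filter)]

def find_bound(db, find_user):
    """Hardened form: the SQL text is constant, the value is a bound parameter."""
    if len(find_user) < 1:
        return [row[0] for row in db.execute(BASE)]
    sql = BASE + " AND M.memName = ?"
    return [row[0] for row in db.execute(sql, (find_user,))]

if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input containing a quote
    print("concat:", find_concat(db, crafted))  # filter no longer restricts rows
    print("bound: ", find_bound(db, crafted))   # treated as a literal name
    print("bound: ", find_bound(db, "o'neil"))  # legitimate apostrophe still works
```

In classic ASP the same separation is obtained with an ADODB.Command object and a bound parameter instead of building FindUserFilter by concatenation.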