How can an ASP application avoid SQL injection?
Source: asp之家 Date: 2008-08-08 12:27:00
Someone used the following filtering code and found that the site was still being hacked regularly:
```asp
n = request.form("username")
p = request.form("userchr")
' Only the username is filtered; userchr is never checked
if instr(n,"'") <> 0 then response.end
if instr(n,"=") <> 0 then response.end
if instr(n,"%") <> 0 then response.end
if n <> "" and p <> "" then
    set rs1 = Server.CreateObject("ADODB.Recordset")
    ' Both values are concatenated straight into the SQL text
    sql = "select * from Character where AccountID='" & n & "' and Name='" & p & "' and pklevel<>3"
    rs1.open sql, conn, 1, 3
end if
```
Here are some suggestions from other users:
Only username is filtered, which isn't strict enough. :)
userchr isn't filtered at all, which leads to SQL injection.
This one input is enough to modify the database:
```
XX';update character set clevel=200 where accountID='YOUID';--
```
Here is what I learned from being hacked:
1. Block remote submission:
```asp
server_v1 = Cstr(Request.ServerVariables("HTTP_REFERER"))
server_v2 = Cstr(Request.ServerVariables("SERVER_NAME"))
' Compares the host part of the Referer with our own host name;
' position 8 assumes the Referer starts with "http://" (7 characters)
if mid(server_v1, 8, len(server_v2)) <> server_v2 then
    response.write "<br><br><center><table border=1 cellpadding=20 bordercolor=black bgcolor=#EEEEEE width=450>"
    response.write "<tr><td style='font:9pt Verdana'>"
    response.write "你提交的路径有误,禁止从站点外部提交数据!"
    response.write "</td></tr></table></center>"
    response.end
end if
```
2. Watch for commonly submitted illegal strings, especially on pages that run queries or write to the database, and avoid submitting via GET where possible.
A function that filters most sensitive characters:
```asp
sub checkdata(datavalue)
    ' Reject the request if the value contains any blacklisted character
    if instr(datavalue,";")<>0 or instr(datavalue,">")<>0 or instr(datavalue,"<")<>0 _
        or instr(datavalue,")")<>0 or instr(datavalue,"(")<>0 or instr(datavalue,"'")<>0 _
        or instr(datavalue,"/")<>0 or instr(datavalue,"\")<>0 or instr(datavalue,",")<>0 _
        or instr(datavalue," ")<>0 or instr(datavalue," ")<>0 or instr(datavalue,chr(13))<>0 _
        or instr(datavalue,"&")<>0 or instr(datavalue,"%")<>0 or instr(datavalue,"=")<>0 then
        response.write "<script language=javascript>alert('对不起!您所输入的数据包含非法字符');history.back()</script>"
        response.end
    end if
end sub
```
A version that filters only a subset:
```asp
sub mincheckdata(datavalue)
    ' Smaller blacklist for fields that legitimately need some punctuation
    if instr(datavalue,";")<>0 or instr(datavalue,"(")<>0 or instr(datavalue,"'")<>0 _
        or instr(datavalue,"=")<>0 or instr(datavalue,"%")<>0 or instr(datavalue,"&")<>0 then
        response.write "<script language=javascript>alert('对不起!您所输入的数据包含非法字符');history.back()</script>"
        response.end
    end if
end sub
```
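Blacklists like the ones above are only as good as their list of characters. The following added example (not from the original post or its commenters) shows the same lookup as the posted query rewritten with ADODB.Command parameters, so that the `XX';update ...` input shown earlier is sent to the database as a plain string value rather than as SQL. It assumes an open ADODB.Connection named `conn`, as in the original code, and a column width of 50 for the two parameters (an assumption).

```vbscript
' ADO constants used below (values from the ADO type library)
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

' Runs the original query with bound parameters instead of string concatenation.
' The SQL text never changes; the values travel to the driver separately, so a
' quote, semicolon or comment marker in the input cannot end the string literal.
Function LookupCharacter(conn, accountId, charName)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT * FROM Character WHERE AccountID = ? AND Name = ? AND pklevel <> 3"
    ' Parameter size 50 is an assumed column width; match it to the real schema
    cmd.Parameters.Append cmd.CreateParameter("AccountID", adVarChar, adParamInput, 50, accountId)
    cmd.Parameters.Append cmd.CreateParameter("Name", adVarChar, adParamInput, 50, charName)
    Set LookupCharacter = cmd.Execute
End Function

Dim n, p, rs1
n = Request.Form("username")
p = Request.Form("userchr")
' Basic validation (empty or oversized values) is still worth doing, but it is
' no longer the only thing standing between the input and the SQL engine.
If n <> "" And p <> "" And Len(n) <= 50 And Len(p) <= 50 Then
    Set rs1 = LookupCharacter(conn, n, p)
    If Not rs1.EOF Then
        ' Encode anything echoed back to the browser as well
        Response.Write Server.HTMLEncode(rs1("Name"))
    End If
    rs1.Close
End If
```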
Tags: injection, sql, security