Thoroughly fixing ASP injection vulnerabilities

I have recently been researching a way to thoroughly fix ASP injection vulnerabilities, and I hope everyone will offer suggestions. The principle is the same as Java's PreparedStatement: the SQL text contains only placeholders, and the values are bound as typed parameters instead of being spliced into the query string. The example below connects to a SQL Server database. The code is as follows:

PrepareSql.asp

```asp
<%
' ADO constants used for database operations
Const adStateClosed = 0
Const adOpenForwardOnly = 0, adOpenKeyset = 1, adOpenDynamic = 2, adOpenStatic = 3
Const adLockReadOnly = 1, adLockPessimistic = 2, adLockOptimistic = 3, adLockBatchOptimistic = 4
Const adCmdText = 1, adCmdTable = 2, adCmdStoredProc = 4, adExecuteNoRecords = 128
Const adBigInt = 20, adBoolean = 11, adChar = 129, adDate = 7, adInteger = 3, adSmallInt = 2, adTinyInt = 16, adVarChar = 200
Const adParamInput = 1, adParamOutput = 2, adParamInputOutput = 3, adParamReturnValue = 4
%>
<%
Class PrepareSQL
    Private cmdPrep   ' ADODB.Command holding the SQL text and its bound parameters
    Private m_String
    Private m_Sql
    Private m_conn    ' open ADODB.Connection supplied by the caller

    Public Function setconn(conn)
        Set m_conn = conn
    End Function

    ' Create a fresh command for the given SQL; each "?" marks a parameter position
    Public Function prepare(sql)
        Set cmdPrep = Nothing
        Set cmdPrep = Server.CreateObject("ADODB.Command")
        Set cmdPrep.ActiveConnection = m_conn
        cmdPrep.CommandText = sql
    End Function

    ' Parameters are bound in the order of the "?" placeholders, one call per placeholder
    Public Function setInt(theValue)
        cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adInteger, adParamInput, , theValue)
    End Function

    Public Function setDate(theValue)
        cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adVarChar, adParamInput, 100, theValue)
    End Function

    Public Function setBoolean(theValue)
        cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adBoolean, adParamInput, 1, theValue)
    End Function

    Public Function setString(theValue)
        ' A variable-length parameter must be declared with a size of at least 1
        If Len(theValue) = 0 Then
            cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adVarChar, adParamInput, 1, theValue)
        Else
            cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adVarChar, adParamInput, LenB(theValue), theValue)
        End If
    End Function

    ' Run the command; values are sent as typed parameters, never as part of the SQL text
    Public Function execute()
        Set execute = cmdPrep.Execute
    End Function
End Class
%>
```

test.asp

```asp
<!--#include file="../include/datastore.asp"-->
<!--#include file="../include/PrepareSql.asp"-->
<%
Dim ps
Dim cn
Set cn = Server.CreateObject("ADODB.Connection")
Dim strCn
strCn = "driver={SQL server};server=127.0.0.1;uid=sa;pwd=test;database=PUBS"
cn.Open strCn
Set ps = New PrepareSql
ps.setconn cn
' "user" is a reserved word in SQL Server, so the table name is bracketed
ps.prepare "select * from [user] where id = ?"
ps.setInt 1
Dim rs
Set rs = ps.execute
%>
```
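The same lookup written twice, as an added example that is not part of the original post: first in the string-concatenation form that the post's approach replaces, then in the parameterized form using the PrepareSQL class above. The table [user](id, name), the FindUser* function names and the connection details are assumptions, not from the post.

```asp
<!--#include file="../include/PrepareSql.asp"-->
<%
' Added example (not from the original post). Assumes the PrepareSQL class above,
' a table [user](id int, name varchar(50)) and placeholder connection details.
Dim cn
Set cn = Server.CreateObject("ADODB.Connection")
cn.Open "driver={SQL Server};server=DB_HOST;uid=APP_USER;pwd=APP_PASSWORD;database=PUBS"

' Vulnerable form: the request value is spliced into the SQL text, so the
' database parses whatever the client sent as SQL rather than as a value.
Function FindUserUnsafe(idText)
    Set FindUserUnsafe = cn.Execute("select * from [user] where id = " & idText)
End Function

' Hardened form: the value travels as a typed parameter and is never part of the SQL text.
Function FindUserSafe(idText)
    Dim ps
    If Not IsNumeric(idText) Then
        Set FindUserSafe = Nothing       ' reject before touching the database
        Exit Function
    End If
    Set ps = New PrepareSQL
    ps.setconn cn
    ps.prepare "select * from [user] where id = ?"
    ps.setInt CLng(idText)               ' bound as adInteger, sent as a number
    Set FindUserSafe = ps.execute()
End Function

' String parameters work the same way: quotes inside the value stay literal data.
Function FindUserByName(nameText)
    Dim ps
    Set ps = New PrepareSQL
    ps.setconn cn
    ps.prepare "select * from [user] where name = ?"
    ps.setString nameText
    Set FindUserByName = ps.execute()
End Function

Dim rs
Set rs = FindUserSafe(Request.QueryString("id"))
If rs Is Nothing Then
    Response.Write "invalid id"
ElseIf Not rs.EOF Then
    Response.Write Server.HTMLEncode(rs("name"))
End If
cn.Close
%>
```

The IsNumeric check is input validation on top of the binding, not a substitute for it: the parameter binding alone already keeps the value out of the SQL text, and the check only gives the caller a cleaner error for non-numeric ids.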
Original article: https://www.cnblogs.com/adodo1/p/4326915.html