Completely Fixing ASP Injection Vulnerabilities

Date: 2008-10-07 12:06:10  Source: collected online by 第二电脑网  Author:


blog: http://blog.csdn.net/weizhonghua1978/archive/2006/07/21/951890.aspx

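I have recently been working on a way to completely fix ASP injection vulnerabilities. Suggestions are welcome!
The principle is to use prepared statements, the same way Java's PreparedStatement does.
The example below connects to a SQL Server database.
The code is as follows:
PrepareSql.asp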
<%
' Define the ADO constants used for database operations
Const adStateClosed = 0
Const adOpenForwardOnly = 0, adOpenKeyset = 1, adOpenDynamic = 2, adOpenStatic = 3
Const adLockReadOnly = 1, adLockPessimistic = 2, adLockOptimistic = 3, adLockBatchOptimistic = 4
Const adCmdText = 1, adCmdTable = 2, adCmdStoredProc = 4, adExecuteNoRecords = 128
Const adBigInt = 20, adBoolean = 11, adChar = 129, adDate = 7, adInteger = 3, adSmallInt = 2, adTinyInt = 16, adVarChar = 200
Const adParamInput = 1, adParamOutput = 2, adParamInputOutput = 3, adParamReturnValue = 4
%>
<%
Class PrepareSQL
    Private cmdPrep
    Private m_String
    Private m_Sql
    Private m_conn

    ' Store the open ADODB.Connection that commands will run on
    Public Function setconn(conn)
        Set m_conn = conn
    End Function

    ' Create a fresh ADODB.Command; sql contains one ? per parameter
    Public Function prepare(sql)
        Set cmdPrep = Nothing
        Set cmdPrep = Server.CreateObject("ADODB.Command")
        Set cmdPrep.ActiveConnection = m_conn
        cmdPrep.CommandText = sql
    End Function

    ' The set* methods bind values to the ? placeholders in call order
    Public Function setInt(theValue)
        cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adInteger, adParamInput, , theValue)
    End Function

    ' Dates are passed as text (adVarChar) and converted by the server
    Public Function setDate(theValue)
        cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adVarChar, adParamInput, 100, theValue)
    End Function

    Public Function setBoolean(theValue)
        cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adBoolean, adParamInput, 1, theValue)
    End Function

    Public Function setString(theValue)
        If Len(theValue) = 0 Then
            ' A variable-length parameter needs a non-zero size, even for an empty string
            cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adVarChar, adParamInput, 1, theValue)
        Else
            ' LenB returns the byte length of the string, used here as the parameter size
            cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adVarChar, adParamInput, LenB(theValue), theValue)
        End If
    End Function

    ' Run the command and return the resulting Recordset
    Public Function execute()
        Set execute = cmdPrep.Execute
    End Function
End Class
%>


test.asp
<!--#include file="../include/datastore.asp"-->
<!--#include file="../include/PrepareSql.asp"-->
<%
Dim ps
Dim cn
Set cn = Server.CreateObject("ADODB.Connection")
Dim strCn
strCn = "driver={SQL server};server=127.0.0.1;uid=sa;pwd=test;database=PUBS"
cn.Open strCn
Set ps = New PrepareSQL
ps.setconn cn
' user is a reserved word in SQL Server, so the table name is bracketed
ps.prepare "select * from [user] where id = ?"
' Bind the value 1 to the first ? placeholder
ps.setInt 1
Dim rs
Set rs = ps.execute
%>
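
The test above binds only an integer. The following added example (not part of the original post) shows the string case, where injection actually arises: the concatenated query beside the same lookup made through the PrepareSQL class above. The table users, its columns id and name, and the query-string field name are assumptions; the connection string is the one from test.asp.

```asp
<!--#include file="../include/PrepareSql.asp"-->
<%
' Added example, not the original author's code.
' Assumptions: a table named users with columns id and name;
' the lookup value arrives in the query string as ?name=...
Dim cn, ps, rs, userName

' Appending "" coerces a missing field (Empty) to an empty string
userName = Trim(Request.QueryString("name") & "")

Set cn = Server.CreateObject("ADODB.Connection")
cn.Open "driver={SQL server};server=127.0.0.1;uid=sa;pwd=test;database=PUBS"

' Vulnerable form (shown for comparison, left commented out):
' the input becomes part of the SQL text, so a quote character in it
' changes the structure of the statement.
'   Set rs = cn.Execute("select id, name from users where name = '" & userName & "'")

' Parameterized form: the SQL text is fixed, and the input travels
' as a typed parameter value that is never parsed as SQL.
Set ps = New PrepareSQL
ps.setconn cn
ps.prepare "select id, name from users where name = ?"
ps.setString userName
Set rs = ps.execute

Do Until rs.EOF
    ' Parameters protect the query only, so encode values on output too
    Response.Write Server.HTMLEncode(rs("id") & ": " & rs("name")) & "<br>"
    rs.MoveNext
Loop

rs.Close
cn.Close
Set rs = Nothing
Set ps = Nothing
Set cn = Nothing
%>
```

A ? placeholder can stand only for a value. Table names, column names and ORDER BY targets cannot be bound this way and have to be chosen from a fixed list in code.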

"Completely Fixing ASP Injection Vulnerabilities" was originally provided by 第二电脑网. When reprinting, please cite: http://www.002pc.com/master/College/Programming/ASP/2008-10-07/3008.html

