Encrypting QueryString Data: Tutorial

Problem with the Query String Method

Often we use the query string collection to retrieve a unique record from a table. Notice the following piece of code -

Detail.asp?RecordID=200

Here we are passing a query string value called "RecordID" in the URL. We then read "RecordID" from the QueryString collection to get the actual number -

<%
Dim RecordID
RecordID = Request.QueryString("RecordID")
%>

The problem with the above method is that we are exposing "RecordID" to the public, which makes it easy for an attacker to simply change the RecordID query string value and retrieve other rows of the table.

Solution to the above problem

In order to solve the above problem, we will use two ASP pages and the ASP random number function to scramble the query string value being passed, so that the real record number is not exposed to others.

On the first page we get a random number with the following code -

<%
Randomize Timer
' Seed the random number generator from the timer
rndNum = Abs(Int(Rnd() * 3001))
' To generate a prime-based, non-negative random number...
rndNum = rndNum + 53
' ...adding 53 also guarantees the factor is never zero, since the next page divides by it
Session("rndNum") = rndNum
' We place the random number value in a session variable so that we can use it again on the next page
%>

Now that we have our random number we will scramble our query string with it! Here is how -

<%
' Assuming you have a recordset already retrieved into Display_Rs
Display_Rs.MoveFirst
While Not Display_Rs.EOF
    Response.Write "<a href=""detail.asp?RecordID="
    ' Notice we are multiplying the actual record number by the random number to scramble the query string
    Response.Write (Display_Rs("RecordID") * rndNum)
    ' Close the opening tag, then show the record number as the link text
    Response.Write """>" & Display_Rs("RecordID") & "</a>"
    Display_Rs.MoveNext
Wend
%>

In the next page we will un-scramble the query string! Here is how -

<%
Dim RecordID
RecordID = Request.QueryString("RecordID") / Session("rndNum")
' We divide the query string value by the same factor to un-scramble it and pass the actual record ID to the SQL statement
Session.Abandon
' Releasing the session value for the next record
%>

That's it! Using the above method you can scramble a query string as much as you like. For example, multiply the random number by a more complex formula to generate an even harder-to-guess integer. The key point is that you divide the number by the same formula, yielding the original value. This technique is not foolproof, but it is much more difficult to break than passing a regular query string value.
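Both pages' logic, as an added Python example that is not the article's ASP code, with a signed alternative beside it: the HMAC functions, SECRET and helper names are assumptions introduced here. Multiplying by a session factor is reversible obfuscation rather than encryption, so a tampered value must be rejected rather than divided blindly, and whichever form is used the detail page must still check that the current user is allowed to view that record.

```python
import hashlib
import hmac
import random
import secrets

# --- The article's scheme: scramble the ID by multiplying with a per-session random factor ---
def make_session_factor(rng=random):
    # Mirrors rndNum = Abs(Int(Rnd() * 3001)) + 53: the +53 keeps the factor non-zero
    return abs(int(rng.random() * 3001)) + 53

def scramble(record_id: int, factor: int) -> int:
    return record_id * factor

def unscramble(value: int, factor: int):
    # The ASP page divides blindly; a value that is not a clean multiple means the link was altered
    if value % factor != 0:
        return None
    return value // factor

# --- Hardened form (assumption, not from the article): the server signs the real ID with an HMAC ---
SECRET = secrets.token_bytes(32)  # constructed per run; in production load it from protected config

def sign_record_id(record_id: int, key: bytes = SECRET) -> str:
    tag = hmac.new(key, str(record_id).encode(), hashlib.sha256).hexdigest()
    return f"{record_id}.{tag}"

def verify_record_id(token: str, key: bytes = SECRET):
    # Returns the ID only when the tag matches; any edit to the ID or the tag fails closed (None)
    rid, _, tag = token.partition(".")
    if not rid.isdigit() or len(tag) != 64 or any(c not in "0123456789abcdef" for c in tag):
        return None
    expected = hmac.new(key, rid.encode(), hashlib.sha256).hexdigest()
    return int(rid) if hmac.compare_digest(tag, expected) else None

if __name__ == "__main__":
    factor = make_session_factor()
    link = scramble(200, factor)  # what the list page puts in the href
    print(f"scrambled {link} -> {unscramble(link, factor)}")
    token = sign_record_id(200)
    print(f"signed {token} -> {verify_record_id(token)}")
    print("tampered ->", verify_record_id("201." + token.split(".")[1]))
```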
