彻底解决asp注入漏洞的方法

 

本人最近研究彻底解决asp注入漏洞的方法!希望大家多提建议
原理,就是象java一样使用preparestatement.
下面例子连接的是sql server数据库
代码如下:
PrepareSql.asp
<%
' 定义数据库操作常量
 Const adStateClosed = 0
 Const adOpenForwardOnly = 0, adOpenKeyset = 1, adOpenDynamic = 2, adOpenStatic = 3
 Const adLockReadOnly = 1, adLockPessimistic = 2, adLockOptimistic = 3, adLockBatchOptimistic = 4
 Const adCmdText = 1, adCmdTable = 2, adCmdStoredProc = 4, adExecuteNoRecords = 128
 Const adBigInt = 20, adBoolean = 11, adChar = 129, adDate = 7, adInteger = 3, adSmallInt = 2, adTinyInt = 16, adVarChar = 200
 const adParamInput = 1, adParamOutput = 2, adParamInputOutput = 3, adParamReturnValue = 4
%>
<%Class PrepareSQL
 Private cmdPrep
 Private m_String
 Private m_Sql
 Private m_conn
 public function setconn(conn)
  set m_conn=conn
 end function
 Public Function prepare(sql)
  set cmdPrep=nothing
     SET cmdPrep=Server.CreateObject("ADODB.Command")
  set cmdPrep.ActiveConnection=m_conn
  cmdPrep.CommandText =sql
 End Function
 Public Function setInt(theValue ) 
  cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adInteger, adParamInput,, theValue) 
 End Function
 Public Function setDate(theValue ) 
    cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adVarChar, adParamInput, 100, theValue) 
 End Function
 Public Function setBoolean(theValue ) 
  cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adBoolean, adParamInput, 1, theValue)  
 End Function 
 Public Function setString(theValue ) 
  if(len(theValue)=0 )then
  
  cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adVarChar, adParamInput, 1, theValue)
  else
  cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adVarChar, adParamInput, lenb(theValue), theValue)
  end if
 End Function
 Public Function execute()
  set execute=cmdPrep.Execute
 End Function
End Class%>


test.asp
<!--#include file="../include/datastore.asp"-->
<!--#include file="../include/PrepareSql.asp"-->
<%
Dim ps
Dim cn
set cn=server.CreateObject("adodb.connection")
Dim strcn
strCn="driver={SQL server};server=127.0.0.1;uid=sa;pwd=test;database=PUBS"
cn.Open strCn
set ps=new  PrepareSql 
ps.setconn cn
ps.prepare "select * from user where id =?"
ps.setint 1
dim rs
set rs=ps.execute
%> 

 

评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值