ASP网页编程之怎样避免SQL注进
减少客户内IT专业人才缺乏带来的影响。ASP的客户员工利用浏览器进入相关的应用软件,简单易用,无需专业技术支持。次要是防asp的几个中央:1、地点栏参数注进,就是用request.querystring获得值的这个
2、表单参数注进,就是用request.form获得值的这个
3、cookies
实在能够当作一个理儿,就是能输出值,能交互的让用户输出的中央都得做一下防。
做一个函数,截取这些中央提交的值,与一个数组(内里放着要过滤或反省的敏感字符)做一下对照
再献上我的一个过滤函数
以下是援用片断:
FunctionChkStr(Str)
ifIsnull(Str)then
ChkStr=""
exitFunction
Endif
Str=Replace(Str,Chr(0),"",1,-1,1)
Str=Replace(Str,"""",""",1,-1,1)
Str=Replace(Str,"<","<",1,-1,1)
Str=Replace(Str,">",">",1,-1,1)
Str=Replace(Str,"script","script",1,-1,0)
Str=Replace(Str,"SCRIPT","SCRIPT",1,-1,0)
Str=Replace(Str,"Script","Script",1,-1,0)
Str=Replace(Str,"script","Script",1,-1,1)
Str=Replace(Str,"object","object",1,-1,0)
Str=Replace(Str,"OBJECT","OBJECT",1,-1,0)
Str=Replace(Str,"Object","Object",1,-1,0)
Str=Replace(Str,"object","Object",1,-1,1)
Str=Replace(Str,"applet","applet",1,-1,0)
Str=Replace(Str,"APPLET","APPLET",1,-1,0)
Str=Replace(Str,"Applet","Applet",1,-1,0)
Str=Replace(Str,"applet","Applet",1,-1,1)
Str=Replace(Str,"[","[")
Str=Replace(Str,"]","]")
Str=Replace(Str,"=","=",1,-1,1)
Str=Replace(Str,"’","",1,-1,1)
Str=Replace(Str,"select","select",1,-1,1)
Str=Replace(Str,"execute","execute",1,-1,1)
Str=Replace(Str,"exec","exec",1,-1,1)
Str=Replace(Str,"join","join",1,-1,1)
Str=Replace(Str,"union","union",1,-1,1)
Str=Replace(Str,"where","where",1,-1,1)
Str=Replace(Str,"insert","insert",1,-1,1)
Str=Replace(Str,"delete","delete",1,-1,1)
Str=Replace(Str,"update","update",1,-1,1)
Str=Replace(Str,"like","like",1,-1,1)
Str=Replace(Str,"drop","drop",1,-1,1)
Str=Replace(Str,"create","create",1,-1,1)
Str=Replace(Str,"rename","rename",1,-1,1)
Str=Replace(Str,"count","count",1,-1,1)
Str=Replace(Str,"chr","chr",1,-1,1)
Str=Replace(Str,"mid","mid",1,-1,1)
Str=Replace(Str,"truncate","truncate",1,-1,1)
Str=Replace(Str,"nchar","nchar",1,-1,1)
Str=Replace(Str,"char","char",1,-1,1)
Str=Replace(Str,"alter","alter",1,-1,1)
Str=Replace(Str,"cast","cast",1,-1,1)
Str=Replace(Str,"exists","exists",1,-1,1)
Str=Replace(Str,VbCrlf,"",1,-1,1)
Str=Replace(Str,"","",1,-1,1)
ChkStr=Str
EndFunction
利用:
更新数据时,rs(“字段”)=ChkStr(trim(Request.Form("表单参数")))
当然了,现在国内CRM厂商的产品与其说是CRM,但从至少从我的角度分析上来看,充其量只是一个大型的进销存而已了,了解尚浅,不够胆详评,这里只提技术问题 ASP.Net和ASP的最大区别在于编程思维的转换,而不仅仅在于功能的增强。ASP使用VBS/JS这样的脚本语言混合html来编程,而那些脚本语言属于弱类型、面向结构的编程语言,而非面向对象,这就明显产生以下几个问题: Response:从字面上讲是“响应”,因此这个是服务端向客户端发送东西的,例如Response.Write Request:从字面上讲就是“请求”,因此这个是处理客户端提交的东东的,例如Resuest.Form,Request.QueryString,或者干脆Request("变量名") 学习ASP其实应该上升到如何学习程序设计这种境界,其实学习程序设计又是接受一种编程思想。比如ASP如何学习,你也许在以前的学习中碰到过。以下我仔细给你说几点: 虽然ASP也有很多网络教程。但是这些都不系统。都是半路出家,只是从一个例子告诉你怎么用。不会深入讨论,更不会将没有出现在例子里的方法都一一列举出来。 学习是为了用的,是为了让你的程序产生价值,把握住这个原则会比较轻松点。除此之外,课外时间一定要多参加一些社会实践活动,来锻炼自己的能力。 虽然ASP也有很多网络教程。但是这些都不系统。都是半路出家,只是从一个例子告诉你怎么用。不会深入讨论,更不会将没有出现在例子里的方法都一一列举出来。 完全不知道到底自己学的是什么。最后,除了教程里面说的几个例子,还是什么都不会。
页:
[1]