彻底解决ASP注入漏洞

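本人最近研究彻底解决asp注入漏洞的方法!希望大家多提建议

原理,就是象java一样使用preparestatement.

下面例子连接的是sql server数据库 代码如下:

PrepareSql.asp

<%
' ADO constants (values as in adovbs.inc) so the class works without
' referencing the ADO type library from the page.
Const adStateClosed = 0
Const adOpenForwardOnly = 0, adOpenKeyset = 1, adOpenDynamic = 2, adOpenStatic = 3
Const adLockReadOnly = 1, adLockPessimistic = 2, adLockOptimistic = 3, adLockBatchOptimistic = 4
Const adCmdText = 1, adCmdTable = 2, adCmdStoredProc = 4, adExecuteNoRecords = 128
Const adBigInt = 20, adBoolean = 11, adChar = 129, adDate = 7, adInteger = 3, adSmallInt = 2, adTinyInt = 16, adVarChar = 200
Const adParamInput = 1, adParamOutput = 2, adParamInputOutput = 3, adParamReturnValue = 4
%>
<%
' PrepareSQL: thin wrapper around ADODB.Command that binds values as
' parameters instead of concatenating them into the SQL text, so a value
' supplied by the caller never becomes part of the statement itself.
' Usage: setconn -> prepare(sql with ? placeholders) -> one setXxx call per
' placeholder, in order -> execute.
Class PrepareSQL
    Private cmdPrep   ' ADODB.Command holding the statement and its parameters
    Private m_String  ' not used by any method; kept for compatibility
    Private m_Sql     ' not used by any method; kept for compatibility
    Private m_conn    ' open ADODB.Connection supplied through setconn

    ' Store the connection the command will run on.
    Public Function setconn(conn)
        Set m_conn = conn
    End Function

    ' Create a fresh command for sql. Each call discards the parameters
    ' appended for the previous statement, so a prepared object can be reused.
    Public Function prepare(sql)
        Set cmdPrep = Nothing
        Set cmdPrep = Server.CreateObject("ADODB.Command")
        Set cmdPrep.ActiveConnection = m_conn
        cmdPrep.CommandType = adCmdText   ' plain text statement; skips the adCmdUnknown probe
        cmdPrep.CommandText = sql
        cmdPrep.Prepared = True           ' have the provider compile the statement, like a PreparedStatement
    End Function

    ' Bind the next ? as an integer input parameter.
    Public Function setInt(theValue)
        cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adInteger, adParamInput, , theValue)
    End Function

    ' Bind the next ? as a date. NOTE: the value is sent as a VARCHAR(100)
    ' and converted by SQL Server, so its text format must be one the
    ' server's language setting accepts.
    Public Function setDate(theValue)
        cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adVarChar, adParamInput, 100, theValue)
    End Function

    ' Bind the next ? as a boolean (bit) input parameter.
    Public Function setBoolean(theValue)
        cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adBoolean, adParamInput, 1, theValue)
    End Function

    ' Bind the next ? as a VARCHAR. ADO rejects a declared size of 0 for
    ' variable-length types, so an empty string is declared with size 1;
    ' otherwise the byte length of the value is used as the size.
    Public Function setString(theValue)
        If Len(theValue) = 0 Then
            cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adVarChar, adParamInput, 1, theValue)
        Else
            cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adVarChar, adParamInput, LenB(theValue), theValue)
        End If
    End Function

    ' Run the statement with the bound parameters; returns the Recordset
    ' produced by ADODB.Command.Execute.
    Public Function execute()
        Set execute = cmdPrep.Execute
    End Function
End Class
%>

test.asp

<!--#include file="../include/datastore.asp"-->
<!--#include file="../include/PrepareSql.asp"-->
<%
Dim ps, cn, strCn, rs
Set cn = Server.CreateObject("ADODB.Connection")
' Sample connection string for the demo. The sa login and password shown
' here are demo values; a real page should connect with an application
' login limited to the tables it needs.
strCn = "driver={SQL server};server=127.0.0.1;uid=sa;pwd=test;database=PUBS"
cn.Open strCn

Set ps = New PrepareSQL
ps.setconn cn
' "user" is a reserved word in T-SQL, so the table name must be bracketed
' or the statement fails to parse.
ps.prepare "select * from [user] where id = ?"
ps.setint 1
Set rs = ps.execute

' ... read from rs here ...

' Release the recordset and the connection explicitly instead of leaving
' them to page teardown.
rs.Close
Set rs = Nothing
cn.Close
Set cn = Nothing
%>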