
How to safely filter dynamic parameters passed to ASP pages?

Date: 2017/3/20 Keywords: ASP parameters, Shanghai web design company


Dynamic parameter passing on ASP websites has always been a significant security problem. If the parameters are not filtered, they are frequently exploited by attackers; the typical injection happens because the site was built without taking care to filter the parameters it receives. For example, http://www.52banmian.com/news.asp?id=5 reads request("id") directly to obtain ID=5, and an attacker can easily exploit this to break in.

Method one:

<%
' Filter unsafe characters in a request parameter
Function SafeRequest(ParaName, ParaType)
    ' --- Input parameters ---
    ' ParaName: parameter name (string)
    ' ParaType: parameter type (1 = the parameter must be numeric, 0 = the parameter is a string)
    Dim ParaValue
    ParaValue = Request(ParaName)
    If ParaType = 1 Then
        ' Numeric parameter: stop the page if the value is not a number
        If Not IsNumeric(ParaValue) Then
            Response.Write "参数" & ParaName & "必须为数字型!<br /><br />"
            Response.End
        End If
    Else
        ' String parameter: double up single quotes, then break SQL keywords by
        ' swapping one letter for its HTML entity so the database no longer reads them as SQL.
        ' Replace is case-sensitive by default; vbTextCompare makes the match case-insensitive.
        ' Note that "and" and "or" are also rewritten inside ordinary words (e.g. "order").
        ParaValue = Replace(ParaValue, "'", "''")
        ParaValue = Replace(ParaValue, "select", "sel&#101;ct", 1, -1, vbTextCompare)
        ParaValue = Replace(ParaValue, "join",   "jo&#105;n",   1, -1, vbTextCompare)
        ParaValue = Replace(ParaValue, "union",  "un&#105;on",  1, -1, vbTextCompare)
        ParaValue = Replace(ParaValue, "where",  "wh&#101;re",  1, -1, vbTextCompare)
        ParaValue = Replace(ParaValue, "insert", "ins&#101;rt", 1, -1, vbTextCompare)
        ParaValue = Replace(ParaValue, "delete", "del&#101;te", 1, -1, vbTextCompare)
        ParaValue = Replace(ParaValue, "update", "up&#100;ate", 1, -1, vbTextCompare)
        ParaValue = Replace(ParaValue, "like",   "lik&#101;",   1, -1, vbTextCompare)
        ParaValue = Replace(ParaValue, "drop",   "dro&#112;",   1, -1, vbTextCompare)
        ParaValue = Replace(ParaValue, "create", "cr&#101;ate", 1, -1, vbTextCompare)
        ParaValue = Replace(ParaValue, "modify", "mod&#105;fy", 1, -1, vbTextCompare)
        ParaValue = Replace(ParaValue, "rename", "ren&#097;me", 1, -1, vbTextCompare)
        ParaValue = Replace(ParaValue, "alter",  "alt&#101;r",  1, -1, vbTextCompare)
        ParaValue = Replace(ParaValue, "cast",   "ca&#115;t",   1, -1, vbTextCompare)
        ParaValue = Replace(ParaValue, "and",    "an&#100;",    1, -1, vbTextCompare)
        ParaValue = Replace(ParaValue, "or",     "o&#114;",     1, -1, vbTextCompare)
    End If
    SafeRequest = ParaValue
End Function
%>

Usage: when the passed parameter ID is numeric, receive it with SafeRequest("id", 1); when the ID is a string, receive it with SafeRequest("id", 0). This defends against ordinary parameter injection by attackers.

Method two:

Simply filter the common injection character that an attacker needs, the single quote: <%id=replace(request("id"), "'", "''")%>
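As an added example that is not part of the original page, here is how news.asp can consume its parameters: the numeric id goes through method one's SafeRequest check, and a free-text search parameter is bound through an ADODB parameterized command instead of the quote doubling and keyword rewriting of methods one and two, so the database never parses user text as SQL. The database file path, the news table and its columns, and the keyword parameter name are assumptions.

```vbscript
<%
' Added example, not the original page's code. Assumes SafeRequest (method one)
' is defined earlier in the page, a table "news" with columns id/title/body,
' and a placeholder Access database path.
Const adCmdText = 1, adInteger = 3, adVarChar = 200, adParamInput = 1

Function OpenConn()
    Dim conn
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("/data/placeholder.mdb")
    Set OpenConn = conn
End Function

' Fetch one article by numeric id. SafeRequest has already rejected non-numeric
' input; the value still reaches the engine as a typed parameter, not as text.
Function GetNewsById(conn, rawId)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT id, title, body FROM news WHERE id = ?"
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(rawId))
    Set GetNewsById = cmd.Execute
End Function

' Search titles by keyword. No quote doubling or keyword mangling is needed:
' the text is bound as data, so quotes and words like "union" stay literal.
Function SearchNews(conn, keyword)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT id, title FROM news WHERE title LIKE ?"
    cmd.Parameters.Append cmd.CreateParameter("kw", adVarChar, adParamInput, 255, "%" & keyword & "%")
    Set SearchNews = cmd.Execute
End Function

Dim conn, rs
Set conn = OpenConn()
If Request("keyword") <> "" Then
    Set rs = SearchNews(conn, Request("keyword"))    ' raw text is safe here: it is bound, not spliced
Else
    Set rs = GetNewsById(conn, SafeRequest("id", 1))  ' method one's numeric check
End If
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("title")) & "<br />"   ' encode on output as well
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```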