Thoroughly fixing ASP injection vulnerabilities

I have recently been researching a way to thoroughly fix ASP injection vulnerabilities! I hope everyone will offer suggestions.
The principle is to use prepared statements, as Java does with PreparedStatement: the SQL text is fixed and user values are bound as typed parameters, so they are never spliced into the statement.
The example below connects to a SQL Server database.
The code is as follows:
PrepareSql.asp
<%
' Define database operation constants (the ADO constants normally supplied by adovbs.inc)
Const adStateClosed = 0
Const adOpenForwardOnly = 0, adOpenKeyset = 1, adOpenDynamic = 2, adOpenStatic = 3
Const adLockReadOnly = 1, adLockPessimistic = 2, adLockOptimistic = 3, adLockBatchOptimistic = 4
Const adCmdText = 1, adCmdTable = 2, adCmdStoredProc = 4, adExecuteNoRecords = 128
Const adBigInt = 20, adBoolean = 11, adChar = 129, adDate = 7, adInteger = 3, adSmallInt = 2, adTinyInt = 16, adVarChar = 200
Const adParamInput = 1, adParamOutput = 2, adParamInputOutput = 3, adParamReturnValue = 4
%>
<%
Class PrepareSQL
    Private cmdPrep
    Private m_String
    Private m_Sql
    Private m_conn

    Public Function setconn(conn)
        Set m_conn = conn
    End Function

    ' Create a fresh Command for the SQL text; each "?" marks one parameter,
    ' which must be bound (below) in the order the placeholders appear
    Public Function prepare(sql)
        Set cmdPrep = Nothing
        Set cmdPrep = Server.CreateObject("ADODB.Command")
        Set cmdPrep.ActiveConnection = m_conn
        cmdPrep.CommandText = sql
    End Function

    Public Function setInt(theValue)
        cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adInteger, adParamInput, , theValue)
    End Function

    ' Dates are passed as text; the driver converts them server-side
    Public Function setDate(theValue)
        cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adVarChar, adParamInput, 100, theValue)
    End Function

    Public Function setBoolean(theValue)
        cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adBoolean, adParamInput, 1, theValue)
    End Function

    ' ADO rejects a size of 0 for adVarChar, so an empty string is bound with size 1.
    ' LenB gives the byte length of the Unicode string (twice the character count);
    ' the over-estimate is harmless for an input parameter.
    Public Function setString(theValue)
        If Len(theValue) = 0 Then
            cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adVarChar, adParamInput, 1, theValue)
        Else
            cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adVarChar, adParamInput, LenB(theValue), theValue)
        End If
    End Function

    ' Runs the command with the bound parameters and returns the Recordset
    Public Function execute()
        Set execute = cmdPrep.Execute
    End Function
End Class
%>

test.asp


<!--#include file="PrepareSql.asp"-->
<%
Dim ps
Dim cn
Set cn = Server.CreateObject("ADODB.Connection")
Dim strCn
strCn = "driver={SQL Server};server=127.0.0.1;uid=sa;pwd=test;database=PUBS"
cn.Open strCn
Set ps = New PrepareSQL
ps.setconn cn
' "user" is a reserved word in SQL Server, so the table name is bracketed
ps.prepare "select * from [user] where id = ?"
ps.setInt 1
Dim rs
Set rs = ps.execute
%>
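The same class applied to untrusted form input, as an added example that is not part of the original post: the string-building form that the post is replacing is shown commented out beside the parameterised form. The users table, its columns and the form field names are assumed.

```vbscript
<!--#include file="PrepareSql.asp"-->
<%
' Added example, not from the original post. Table "users", its columns
' and the form fields "username"/"minage" are assumed.
Dim userName, minAge
userName = Request.Form("username")   ' untrusted; may contain quotes
minAge   = Request.Form("minage")     ' untrusted; must be a number

' Validate the numeric input before it reaches the database at all
If Not IsNumeric(minAge) Then
    Response.Write "minage must be a number"
    Response.End
End If

Dim cn
Set cn = Server.CreateObject("ADODB.Connection")
cn.Open "driver={SQL Server};server=127.0.0.1;uid=sa;pwd=test;database=PUBS"

' --- Vulnerable form (what the post replaces; left commented out) ---
' The input becomes part of the SQL text, so a name such as  O'Brien
' already breaks the statement, and whatever else the user types is run
' with the page's database rights.
' badSql = "select id, name from users where name = '" & userName & "'"
' Set rs = cn.Execute(badSql)

' --- Safe form: fixed SQL text, values travel as typed parameters ---
' Parameters are unnamed, so they are bound in placeholder order.
Dim ps, rs
Set ps = New PrepareSQL
ps.setconn cn
ps.prepare "select id, name from users where name = ? and age >= ?"
ps.setString userName        ' first "?"  : a quote in the name is plain data
ps.setInt CLng(minAge)       ' second "?" : bound as an integer, not text
Set rs = ps.execute

' Output is encoded so a stored value cannot become markup in the page
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("name") & "") & "<br>"
    rs.MoveNext
Loop
rs.Close
cn.Close
%>
```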
