解决
blog:http://blog.csdn.net/weizhonghua1978/archive/2006/07/21/951890.aspx
本人最近在研究彻底解决 ASP 中 SQL 注入漏洞的方法，希望大家多提建议。
原理就是像 Java 一样使用 PreparedStatement（参数化查询），让参数值不再拼接进 SQL 文本。
下面的例子连接的是 SQL Server 数据库。
代码如下:
PrepareSql.asp
<%
' ADO constants used by this page (values match adovbs.inc).
' Connection state
Const adStateClosed = 0
' Recordset cursor types
Const adOpenForwardOnly = 0
Const adOpenKeyset = 1
Const adOpenDynamic = 2
Const adOpenStatic = 3
' Recordset lock types
Const adLockReadOnly = 1
Const adLockPessimistic = 2
Const adLockOptimistic = 3
Const adLockBatchOptimistic = 4
' Command types and execute options
Const adCmdText = 1
Const adCmdTable = 2
Const adCmdStoredProc = 4
Const adExecuteNoRecords = 128
' Parameter data types (DataTypeEnum)
Const adBigInt = 20
Const adBoolean = 11
Const adChar = 129
Const adDate = 7
Const adInteger = 3
Const adSmallInt = 2
Const adTinyInt = 16
Const adVarChar = 200
' Parameter directions (ParameterDirectionEnum)
Const adParamInput = 1
Const adParamOutput = 2
Const adParamInputOutput = 3
Const adParamReturnValue = 4
%>
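<%
' PrepareSQL: thin wrapper around ADODB.Command that mimics Java's PreparedStatement.
' Usage: setconn(cn) -> prepare(sql containing ? placeholders) -> one setXxx(value)
' per placeholder, in order -> execute().
' Only parameter VALUES are bound this way; identifiers (table or column names) and
' the statement structure cannot be passed through a parameter.
Class PrepareSQL
    Private cmdPrep    ' ADODB.Command created by prepare(); Nothing until then
    Private m_String   ' not used on this page; kept so existing callers are unaffected
    Private m_Sql      ' not used on this page; kept so existing callers are unaffected
    Private m_conn     ' open ADODB.Connection supplied through setconn()

    ' Release the command object when the instance is destroyed.
    Private Sub Class_Terminate()
        Set cmdPrep = Nothing
    End Sub

    ' Store the connection the command runs on. The caller owns, opens and closes it.
    Public Function setconn(conn)
        Set m_conn = conn
    End Function

    ' Start a new statement: drops any parameters bound to a previous statement by
    ' creating a fresh ADODB.Command, then attaches the SQL text with ? placeholders.
    Public Function prepare(sql)
        Set cmdPrep = Nothing
        Set cmdPrep = Server.CreateObject("ADODB.Command")
        Set cmdPrep.ActiveConnection = m_conn
        ' The text is always a plain statement; saying so spares the provider a guess
        ' (default CommandType lets ADO probe for table name / stored procedure).
        cmdPrep.CommandType = adCmdText
        cmdPrep.CommandText = sql
    End Function

    ' Bind the next ? as a 32-bit integer. Size is omitted: fixed-length type.
    Public Function setInt(theValue)
        cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adInteger, adParamInput, , theValue)
    End Function

    ' Bind the next ? as a date, sent to the server as a VARCHAR(100) string.
    ' NOTE(review): the server then has to parse that string, which depends on its
    ' language/dateformat settings; binding with adDate (defined above) would avoid
    ' the text round-trip — confirm against the provider in use before changing.
    Public Function setDate(theValue)
        cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adVarChar, adParamInput, 100, theValue)
    End Function

    ' Bind the next ? as a boolean (bit). Size is ignored for fixed-length types.
    Public Function setBoolean(theValue)
        cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adBoolean, adParamInput, 1, theValue)
    End Function

    ' Bind the next ? as VARCHAR. Size is the length in CHARACTERS, so Len() is used
    ' (LenB returns bytes: twice the character count for VBScript's Unicode strings).
    ' ADO rejects a size of 0 for variable-length types, so "" is declared as size 1.
    ' NOTE(review): values longer than the server's VARCHAR limit are not handled here;
    ' a long-text type such as adLongVarChar would be needed for those.
    Public Function setString(theValue)
        Dim size
        size = Len(theValue)
        If size = 0 Then size = 1
        cmdPrep.Parameters.Append cmdPrep.CreateParameter("", adVarChar, adParamInput, size, theValue)
    End Function

    ' Run the prepared command and return the ADODB.Recordset produced by Command.Execute
    ' (a closed recordset for statements that return no rows). Requires prepare() first.
    Public Function execute()
        Set execute = cmdPrep.Execute
    End Function
End Class
%>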
test.asp
<!--#includefile="../include/datastore.asp"-->
<!--#includefile="../include/PrepareSql.asp"-->
<%
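Dim ps
Dim cn
Set cn = Server.CreateObject("ADODB.Connection")
Dim strCn
' NOTE(review): this connection string embeds the sa (sysadmin) login and its password
' in page source. A page that only reads one table should use a dedicated login with
' just the rights it needs, and the secret should live outside the web root (a config
' or include the web server will not serve) rather than in the page itself.
strCn = "driver={SQL Server};server=127.0.0.1;uid=sa;pwd=test;database=PUBS"
cn.Open strCn
Set ps = New PrepareSql
ps.setconn cn
' "user" is a reserved word in T-SQL: unquoted, the statement is a syntax error, so the
' table name is bracketed. The value for ? is bound through setint, never concatenated
' into the SQL text, which is what closes the injection hole.
ps.prepare "select * from [user] where id = ?"
ps.setint 1
Dim rs
Set rs = ps.execute
' NOTE(review): rs and cn are never closed on this page; add rs.Close and cn.Close
' (and Set ... = Nothing) once the recordset has been consumed, or the connection
' stays held until the page's objects are torn down.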
%>