Introduction
In an ASP project, any SQL query assembled by string concatenation is exposed to SQL injection. Two fixes are covered here: filtering sensitive keywords out of the request, and rewriting the queries as parameterized statements. The keyword filter is a quick stopgap that can be bypassed and that rejects legitimate input containing the listed words; parameterization is the fix that actually removes the bug.
Keyword filtering
    dim fy_post, fy_get, fy_in, fy_inf, fy_xh, fy_db, fy_dbstr, kill_ip, writesql
    ' Strings to filter, separated by "|" (customise as needed).
    ' Note: this is a plain substring blacklist, so "and" also matches "brandy",
    ' "mid" matches "midnight", and anything not listed ("or", "--") passes through.
    fy_in = "'|;|and|(|)|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|exist|drop"
    kill_ip = true    ' declared in the original but not used in this excerpt
    writesql = true   ' declared in the original but not used in this excerpt
    '----------------------------------
    fy_inf = split(fy_in, "|")
    '-------- POST part --------------
    if request.form <> "" then
        for each fy_post in request.form
            for fy_xh = 0 to ubound(fy_inf)
                ' instr(...) <> 0: the keyword occurs somewhere in the lowercased value
                if instr(lcase(request.form(fy_post)), fy_inf(fy_xh)) <> 0 then
                    response.redirect "/index.asp"
                    response.end
                end if
            next
        next
    end if
    '-------- GET (query string) part ---
    if request.querystring <> "" then
        for each fy_get in request.querystring
            for fy_xh = 0 to ubound(fy_inf)
                if instr(lcase(request.querystring(fy_get)), fy_inf(fy_xh)) <> 0 then
                    response.redirect "/index.asp"
                    response.end
                end if
            next
        next
    end if
Every form field and query-string parameter is checked against the keyword list; on a hit the request is redirected (or handled some other way). Because the check is a substring match on a fixed blacklist, expect false positives on ordinary words that contain "and", "mid", "char", "count" or "%" and gaps for anything not on the list, such as "or" in a numeric context; treat it as a last line of defence rather than the fix.
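The filter's behaviour is easiest to judge by running it. The following is an added example, not code from the original article: the article's fy_in list ported verbatim to Python, with the same lowercase-then-substring test and the same walk over form and query-string values. The ASP version redirects to /index.asp on a hit; this version only reports whether a request would have been rejected. The sample inputs are constructed for the demo.

```python
# Added example, not part of the original article: the article's fy_in
# blacklist ported to Python so the filter's behaviour can be checked offline.

# The exact fy_in string from the article, split on "|" like split(fy_in,"|").
FY_IN = ("'|;|and|(|)|exec|insert|select|delete|update|count|*|%|chr|mid|"
         "master|truncate|char|declare|exist|drop")
BLACKLIST = FY_IN.split("|")


def blocked_words(value):
    """Return the blacklist entries that fire for one request value.

    Mirrors instr(lcase(value), word) <> 0: the value is lowercased and each
    word is looked for as a plain substring, so a word also matches inside a
    longer, harmless word ("and" inside "brandy", "mid" inside "midnight").
    """
    lowered = value.lower()
    return [word for word in BLACKLIST if word in lowered]


def is_blocked(value):
    return len(blocked_words(value)) > 0


def request_rejected(form, query):
    """Walk request.form and request.querystring the way the ASP loops do.

    form and query are dicts of field name -> submitted string.  The first
    value that contains any blacklisted word rejects the whole request.
    """
    for values in (form.values(), query.values()):
        for value in values:
            if is_blocked(value):
                return True
    return False


# Constructed inputs for the demo (not from the article).
FALSE_POSITIVES = ["Andrea", "brandy", "midnight", "character", "existence", "50% off"]
# Bypass: the list has no "or", "=" or "--", so a payload for a numeric
# context such as  where column=<input>  (the article's execute example)
# passes straight through.
PASSES_FILTER = ["1 or 1=1", "1 or 1=1--", "1 or age>0"]

if __name__ == "__main__":
    for v in FALSE_POSITIVES:
        print("rejected %-12r because of %s" % (v, blocked_words(v)))
    for v in PASSES_FILTER:
        print("accepted %-12r blocked=%s" % (v, is_blocked(v)))
    print("request rejected:", request_rejected({"name": "Alice"}, {"id": "1 or 1=1"}))
```

The quote character on the list does stop the classic `' or 1=1` against a quoted string column, which is why the filter looks effective in casual testing; the numeric case above is where it fails.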
Parameterization
    ' Open a recordset through a prepared ADODB.Command.
    ' args(0) is the SQL text with ? placeholders, args(1..n) the values to bind.
    public function execsqlopen(connect, cursortype, locktype, args())
        dim cmdtemp, paramtemp, rstemp, i
        set cmdtemp = server.createobject("adodb.command")
        ' "set" is required here: without it VBScript passes the Connection's
        ' default property (its connection string) and ADO silently opens a
        ' second connection instead of reusing this one.
        set cmdtemp.activeconnection = connect
        cmdtemp.prepared = true
        cmdtemp.commandtext = args(0)
        for i = 1 to ubound(args)
            ' 201 = adLongVarChar, 1 = adParamInput. Every value is bound as a text
            ' parameter, which is what stops it being parsed as SQL. For numeric
            ' columns on a database that will not implicitly convert text to numbers,
            ' pass the matching ADO type instead (for example 3 = adInteger).
            set paramtemp = cmdtemp.createparameter("", 201, 1, len(args(i)) + 10, args(i))
            cmdtemp.parameters.append paramtemp
        next
        set rstemp = server.createobject("adodb.recordset")
        rstemp.open cmdtemp,,cursortype,locktype
        set execsqlopen = rstemp
    end function

    ' Run a statement through a prepared ADODB.Command and return whatever
    ' Command.Execute returns: a forward-only recordset for a SELECT, a closed
    ' recordset for UPDATE/INSERT/DELETE.
    public function execsqlexecute(connect, args())
        dim cmdtemp, paramtemp, i
        set cmdtemp = server.createobject("adodb.command")
        set cmdtemp.activeconnection = connect
        cmdtemp.prepared = true
        cmdtemp.commandtext = args(0)
        for i = 1 to ubound(args)
            set paramtemp = cmdtemp.createparameter("", 201, 1, len(args(i)) + 10, args(i))
            cmdtemp.parameters.append paramtemp
        next
        set execsqlexecute = cmdtemp.execute
    end function
Add these two functions to the project, then change the call sites as follows:
- 1. Code that used open calls execsqlopen (whether you still call close depends on whether the original code closed the recordset); code that used execute calls execsqlexecute (no close).
- 2. Where a return value is needed, receive it with set into a variable; where it is not, invoke with call.
- 3. Where the table name is built dynamically, a placeholder cannot be used; keep the original concatenation for the table name, and validate it against a fixed list of allowed names, since nothing else protects that part of the statement.
- 4. For like, use a ? placeholder inside the SQL and add the % wildcards to the value outside it ("%"&keyword&"%").
Examples:
Ordinary query with open
Before:
    sql="select * from table where column='"&column&"'"
    set rs=server.createobject("adodb.recordset")
    rs.open sql,conn,1,1
After:
    dim args
    args = array("select * from table where column = ?",column)
    set rs = execsqlopen(conn,1,1,args)
Query with dynamic conditions
Before:
    sql="select * from table where 1=1 and column1='"&request("column1")&"'"
    if column2<>"" then
        sql=sql&" and column2 like '%"&column2&"%'"
    end if
    if column3<>"" then
        sql=sql&" and column3 ="&column3&""
    end if
    sql=sql&" order by column4 desc;"
    set rs=server.createobject("adodb.recordset")
    rs.open sql,conn,1,1
After:
    dim args
    args = array("select * from table where 1=1 and column1=?",request("column1"))
    if column2<>"" then
        args(0)=args(0)&" and column2 like ?"
        redim preserve args(ubound(args)+1)
        args(ubound(args)) = "%"&column2&"%"
    end if
    if column3<>"" then
        args(0)=args(0)&" and column3 =?"
        redim preserve args(ubound(args)+1)
        args(ubound(args)) = column3
    end if
    args(0)=args(0)&" order by column4 desc;"
    set rs = execsqlopen(conn,1,1,args)
Dynamic table name
Before:
    set rs_t=conn.execute("select column from "&table&" where column1="&column1)
After:
    dim args
    args = array("select column from "&table&" where column1=?",column1)
    set rs_t = execsqlexecute(conn,args)
Query with execute
Before:
    set rs=conn.execute("select * from table where column="&request("column"))
After:
    dim args
    args = array("select * from table where column = ?",request("column"))
    set rs = execsqlexecute(conn,args)
Update with execute
Before:
    conn.execute("update table set column = '"&column&"'")
After:
    dim args
    args = array("update table set column = ?",column)
    call execsqlexecute(conn,args)
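To see the args-array pattern from the four rules above and the dynamic-conditions example actually executed, here is an added example that is not part of the original article: the same pattern (args(0) is the SQL with ? placeholders, args(1..n) the values) implemented in Python against an in-memory SQLite database. SQLite and ADO both use ? as the positional placeholder, so the way the SQL string and the value list grow together carries over unchanged. The users table, its rows, the allowed-table list and the sample inputs are constructed for this demo; the allowlist check on the table name is the addition rule 3 calls for.

```python
# Added example, not part of the original article: the article's args-array
# pattern implemented in Python against an in-memory SQLite database.
import sqlite3

# Rule 3 of the article: an identifier cannot be bound, so a caller-supplied
# table name is only safe if it is checked against a fixed list first.
ALLOWED_TABLES = {"users", "orders"}


def build_search(column1, column2="", column3=""):
    """Mirror of the article's dynamic-conditions example.

    Start with [sql, first value] and, for every optional filter, append a
    clause to args[0] and the matching value to the end of the list, so the
    n-th ? always lines up with args[n].
    """
    args = ["select id, name, city, age from users where 1=1 and name = ?", column1]
    if column2 != "":
        args[0] += " and city like ?"
        args.append("%" + column2 + "%")   # rule 4: wildcards wrap the value, not the SQL
    if column3 != "":
        args[0] += " and age = ?"
        args.append(column3)               # request values arrive as strings
    args[0] += " order by id desc"
    return args


def exec_sql(conn, args):
    """Equivalent of execsqlexecute: args[0] is the statement, args[1:] the
    bound values.  Returns the result rows."""
    return conn.execute(args[0], args[1:]).fetchall()


def count_in_table(conn, table, column1):
    """Equivalent of the article's dynamic-table example, plus the allowlist
    check that has to stand in for the placeholder on the table name."""
    if table not in ALLOWED_TABLES:
        raise ValueError("table name not allowed: %r" % table)
    args = ["select count(*) from " + table + " where name = ?", column1]
    return exec_sql(conn, args)[0][0]


def make_db():
    """Constructed sample data for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users(id integer primary key, name text, city text, age integer)")
    conn.executemany("insert into users(name, city, age) values (?, ?, ?)",
                     [("alice", "Amsterdam", 30), ("bob", "Berlin", 25), ("alice", "Boston", 41)])
    conn.execute("create table orders(id integer primary key, name text)")
    return conn


if __name__ == "__main__":
    conn = make_db()
    print(exec_sql(conn, build_search("alice", "ams")))           # [(1, 'alice', 'Amsterdam', 30)]
    print(exec_sql(conn, build_search("alice", "", "41")))        # [(3, 'alice', 'Boston', 41)]
    # A payload that slips past a keyword filter is inert once bound as a value:
    print(exec_sql(conn, build_search("alice", "", "1 or 1=1")))  # []
    print(exec_sql(conn, build_search("x' or 1=1--")))            # []
    print(count_in_table(conn, "users", "alice"))                 # 2
```

One caveat that survives parameterization: a % or _ that the user types into column2 still acts as a wildcard inside like, because it is part of the bound value. That is a matching issue rather than an injection, but if exact matches matter the characters have to be escaped with the database's ESCAPE clause.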
That concludes this detailed walkthrough of ASP SQL-injection prevention techniques; for more on protecting ASP against SQL injection, see the other related articles on 代码网.