I have to update old projects at work. I do not have any experience with classic asp, although i'm familiar with php scripting.
我必须在工作中更新旧项目。虽然我熟悉php脚本,但我对经典asp没有任何经验。
- Are there any functions I should use?
- Can you provide me with a good function for some basic protection?
- Is there something like a parameterized query in asp?
我应该使用哪些功能?
你能为我提供一些基本保护的好功能吗?
在asp中有类似参数化查询的东西吗?
Thanks!
5 个解决方案
#1
Sander,
Yes you can use parametrized queries in classic ASP (more accurately, classic ADO).
是的,您可以在经典ASP中使用参数化查询(更准确地说,是经典的ADO)。
Here is a link.
这是一个链接。
As for encoding output, I might be tempted to create a wrapper for the latest Microsoft Anti-XSS library and call it with Server.CreateObject. I am far from an expert on this kind of thing as I spend much more time in .Net, so I only think this would work.
至于编码输出,我可能想要为最新的Microsoft Anti-XSS库创建一个包装器,并使用Server.CreateObject调用它。我在这类事情上远非专家,因为我在.Net上花了更多的时间,所以我只觉得这会有用。
Server.HTMLEncode is really not good enough, as it only blacklists a few encoding characters. The Anti-XSS library is much better as it whitelists what is acceptable.
Server.HTMLEncode真的不够好,因为它只会将一些编码字符列入黑名单。 Anti-XSS库更好,因为它将可接受的内容列入白名单。
#2
Always use Server.HTMLEncode to sanitize user input.
始终使用Server.HTMLEncode来清理用户输入。
For example, if you're setting a variable from a form text box:
例如,如果您要从表单文本框设置变量:
firstName = Server.HTMLEncode(trim(request.form("firstname")))
firstName = Server.HTMLEncode(trim(request.form(“firstname”)))
#3
Watch out for SQL injection. Do not concatenate user input to a SQL string and then execute it. Instead, always used parameterized queries.
注意SQL注入。不要将用户输入连接到SQL字符串然后执行它。相反,始终使用参数化查询。
#4
There is a bunch of functions starting with Is, such as IsNumber, IsArray etcetera, that might be of interest. Also if you're expecting a integer, you could use CLng(Request("blabla")) to get it, thus if it's not a integer the CLng function will raise an error.
有许多以Is开头的函数,例如IsNumber,IsArray等,可能会引起人们的兴趣。此外,如果您期望一个整数,您可以使用CLng(Request(“blabla”))来获取它,因此如果它不是整数,则CLng函数将引发错误。
#5
One way to do it might be to add a check in a header.asp file that iterates through the Request object looking for inappropriate characters. For example:
一种方法可能是在header.asp文件中添加一个检查,该文件遍历Request对象以查找不适当的字符。例如:
<%
for each x in Request.Form ' Do this for Request.Querystring also
If InStr(x,"<") <> 0 Then
' encode the value or redirect to error page?
End If
next
%>
#1
Sander,
Yes you can use parametrized queries in classic ASP (more accurately, classic ADO).
是的,您可以在经典ASP中使用参数化查询(更准确地说,是经典的ADO)。
Here is a link.
这是一个链接。
As for encoding output, I might be tempted to create a wrapper for the latest Microsoft Anti-XSS library and call it with Server.CreateObject. I am far from an expert on this kind of thing as I spend much more time in .Net, so I only think this would work.
至于编码输出,我可能想要为最新的Microsoft Anti-XSS库创建一个包装器,并使用Server.CreateObject调用它。我在这类事情上远非专家,因为我在.Net上花了更多的时间,所以我只觉得这会有用。
Server.HTMLEncode is really not good enough, as it only blacklists a few encoding characters. The Anti-XSS library is much better as it whitelists what is acceptable.
Server.HTMLEncode真的不够好,因为它只会将一些编码字符列入黑名单。 Anti-XSS库更好,因为它将可接受的内容列入白名单。
#2
Always use Server.HTMLEncode to sanitize user input.
始终使用Server.HTMLEncode来清理用户输入。
For example, if you're setting a variable from a form text box:
例如,如果您要从表单文本框设置变量:
firstName = Server.HTMLEncode(trim(request.form("firstname")))
firstName = Server.HTMLEncode(trim(request.form(“firstname”)))
#3
Watch out for SQL injection. Do not concatenate user input to a SQL string and then execute it. Instead, always used parameterized queries.
注意SQL注入。不要将用户输入连接到SQL字符串然后执行它。相反,始终使用参数化查询。
#4
There is a bunch of functions starting with Is, such as IsNumber, IsArray etcetera, that might be of interest. Also if you're expecting a integer, you could use CLng(Request("blabla")) to get it, thus if it's not a integer the CLng function will raise an error.
有许多以Is开头的函数,例如IsNumber,IsArray等,可能会引起人们的兴趣。此外,如果您期望一个整数,您可以使用CLng(Request(“blabla”))来获取它,因此如果它不是整数,则CLng函数将引发错误。
#5
One way to do it might be to add a check in a header.asp file that iterates through the Request object looking for inappropriate characters. For example:
一种方法可能是在header.asp文件中添加一个检查,该文件遍历Request对象以查找不适当的字符。例如:
<%
for each x in Request.Form ' Do this for Request.Querystring also
If InStr(x,"<") <> 0 Then
' encode the value or redirect to error page?
End If
next
%>