在经典的asp中消毒输入的好方法

时间:2020-11-30 02:03:05

I have to update old projects at work. I do not have any experience with classic asp, although i'm familiar with php scripting.

我必须在工作中更新旧项目。虽然我熟悉php脚本,但我对经典asp没有任何经验。

  • Are there any functions I should use?
  • 我应该使用哪些功能?

  • Can you provide me with a good function for some basic protection?
  • 你能为我提供一些基本保护的好功能吗?

  • Is there something like a parameterized query in asp?
  • 在asp中有类似参数化查询的东西吗?

Thanks!

5 个解决方案

#1


Sander,

Yes you can use parametrized queries in classic ASP (more accurately, classic ADO).

是的,您可以在经典ASP中使用参数化查询(更准确地说,是经典的ADO)。

Here is a link.

这是一个链接。

As for encoding output, I might be tempted to create a wrapper for the latest Microsoft Anti-XSS library and call it with Server.CreateObject. I am far from an expert on this kind of thing as I spend much more time in .Net, so I only think this would work.

至于编码输出,我可能想要为最新的Microsoft Anti-XSS库创建一个包装器,并使用Server.CreateObject调用它。我在这类事情上远非专家,因为我在.Net上花了更多的时间,所以我只觉得这会有用。

Server.HTMLEncode is really not good enough, as it only blacklists a few encoding characters. The Anti-XSS library is much better as it whitelists what is acceptable.

Server.HTMLEncode真的不够好,因为它只会将一些编码字符列入黑名单。 Anti-XSS库更好,因为它将可接受的内容列入白名单。

#2


Always use Server.HTMLEncode to sanitize user input.

始终使用Server.HTMLEncode来清理用户输入。

For example, if you're setting a variable from a form text box:

例如,如果您要从表单文本框设置变量:

firstName = Server.HTMLEncode(trim(request.form("firstname")))

firstName = Server.HTMLEncode(trim(request.form(“firstname”)))

#3


Watch out for SQL injection. Do not concatenate user input to a SQL string and then execute it. Instead, always used parameterized queries.

注意SQL注入。不要将用户输入连接到SQL字符串然后执行它。相反,始终使用参数化查询。

#4


There is a bunch of functions starting with Is, such as IsNumber, IsArray etcetera, that might be of interest. Also if you're expecting a integer, you could use CLng(Request("blabla")) to get it, thus if it's not a integer the CLng function will raise an error.

有许多以Is开头的函数,例如IsNumber,IsArray等,可能会引起人们的兴趣。此外,如果您期望一个整数,您可以使用CLng(Request(“blabla”))来获取它,因此如果它不是整数,则CLng函数将引发错误。

#5


One way to do it might be to add a check in a header.asp file that iterates through the Request object looking for inappropriate characters. For example:

一种方法可能是在header.asp文件中添加一个检查,该文件遍历Request对象以查找不适当的字符。例如:

<%
    for each x in Request.Form ' Do this for Request.Querystring also
        If InStr(x,"<") <> 0 Then
            ' encode the value or redirect to error page?
        End If
    next
%>

#1


Sander,

Yes you can use parametrized queries in classic ASP (more accurately, classic ADO).

是的,您可以在经典ASP中使用参数化查询(更准确地说,是经典的ADO)。

Here is a link.

这是一个链接。

As for encoding output, I might be tempted to create a wrapper for the latest Microsoft Anti-XSS library and call it with Server.CreateObject. I am far from an expert on this kind of thing as I spend much more time in .Net, so I only think this would work.

至于编码输出,我可能想要为最新的Microsoft Anti-XSS库创建一个包装器,并使用Server.CreateObject调用它。我在这类事情上远非专家,因为我在.Net上花了更多的时间,所以我只觉得这会有用。

Server.HTMLEncode is really not good enough, as it only blacklists a few encoding characters. The Anti-XSS library is much better as it whitelists what is acceptable.

Server.HTMLEncode真的不够好,因为它只会将一些编码字符列入黑名单。 Anti-XSS库更好,因为它将可接受的内容列入白名单。

#2


Always use Server.HTMLEncode to sanitize user input.

始终使用Server.HTMLEncode来清理用户输入。

For example, if you're setting a variable from a form text box:

例如,如果您要从表单文本框设置变量:

firstName = Server.HTMLEncode(trim(request.form("firstname")))

firstName = Server.HTMLEncode(trim(request.form(“firstname”)))

#3


Watch out for SQL injection. Do not concatenate user input to a SQL string and then execute it. Instead, always used parameterized queries.

注意SQL注入。不要将用户输入连接到SQL字符串然后执行它。相反,始终使用参数化查询。

#4


There is a bunch of functions starting with Is, such as IsNumber, IsArray etcetera, that might be of interest. Also if you're expecting a integer, you could use CLng(Request("blabla")) to get it, thus if it's not a integer the CLng function will raise an error.

有许多以Is开头的函数,例如IsNumber,IsArray等,可能会引起人们的兴趣。此外,如果您期望一个整数,您可以使用CLng(Request(“blabla”))来获取它,因此如果它不是整数,则CLng函数将引发错误。

#5


One way to do it might be to add a check in a header.asp file that iterates through the Request object looking for inappropriate characters. For example:

一种方法可能是在header.asp文件中添加一个检查,该文件遍历Request对象以查找不适当的字符。例如:

<%
    for each x in Request.Form ' Do this for Request.Querystring also
        If InStr(x,"<") <> 0 Then
            ' encode the value or redirect to error page?
        End If
    next
%>