
An easy mistake to watch out for in ASP programming

Author: reader submission    Published: 2008-08-29    Source: Internet

In ASP programming, authentication is something you need all the time. But how do you make that authentication secure?

    Form page: sub.htm

    <html>
    <head>
    <title>Administrator login</title>
    </head>
    <body>
    <form name="form1" method="post" action="sub.asp">
    <p> Administrator:
    <input type="text" name="UserID" size="25" maxlength="20"><br>
    Password:
    <input type="password" name="Pass" size="12" maxlength="20">
    <input type="submit" name="Submit" value="Submit">
    </p>
    </form>
    </body>
    </html>

    The SUB.asp program

    <%
    ' Read the submitted form field
    user = request.form("UserID")
    ' Check that the submitted value is not empty. The form page may already
    ' enforce this with JavaScript or VBScript, but do not forget to check here too!
    if user = "" then
        ' go to the error page
        response.redirect "err1.htm"
        ' probably redundant after Redirect, but harmless to add
        response.end
    end if
    pass = request.form("Pass")
    if pass = "" then
        response.redirect "err2.htm"
        response.end
    end if
    ' Connect to the database (表 stands for your table name, "your database" for your .mdb file)
    file = server.mappath("your database")
    set conn = server.createobject("adodb.connection")
    dr = "driver={microsoft access driver (*.mdb)};dbq=" & file
    conn.open dr
    set rs = server.createobject("adodb.recordset")
    ' The key point is this SQL statement
    sql = "select * from 表 where user='" & user & "' and pass='" & pass & "'"
    rs.open sql, conn
    if not rs.eof then
        ' a matching row was found: go to the admin page
        response.redirect "login.asp"
    else
        ' no match: go to the error page
        response.redirect "err3.htm"
    end if
    %>

    Most people would say the code above looks fine, but it has a serious security hole.

    If I want to log in as administrator, I can type the following into the form on sub.htm:

    First text box: a' or '1'='1   or   ' OR ''='

    Second text box: a' or '1'='1   or   ' OR ''='

    Submit, and you will see... ("Ugh, let me finish first, throw the bricks later...")

    Here "a" and "1" can be any characters.

    Some will ask: why does typing these characters get you in as administrator?

    Because these characters trick the SQL statement in the program, and that is how the login succeeds.

    Look: the program's SQL asks the table for the records that satisfy the condition user='...' and pass='...':

    sql = "select * from 表 where user='" & user & "' and pass='" & pass & "'"

    After I enter the input above, the statement becomes:

    select * from 表 where user='a' or '1'='1' and pass='a' or '1'='1'

    Since AND binds tighter than OR, this reads as user='a' OR ('1'='1' AND pass='a') OR '1'='1', and the last term is true for every row, so the recordset is never empty. Look at that: is there any reason it would not let you in? Give me one reason, first!

    The USER and PASS fields above are character type. If they are numeric the principle is exactly the same; the attacker simply drops the quotes (for example 1 or 1=1), and quote-escaping then offers no protection at all.

    Solutions:

    1. Replacing characters with a function

    Use REPLACE to substitute the special characters in the user's input, which takes away the attacker's control of the statement:

    sql = "select * from 表 where user='" & replace(user, "'", "''") & "' and pass='" & replace(pass, "'", "''") & "'"

    Doubling the single quote is the standard way to escape a string literal, and for the query above it is enough to stop the attack: the quote in the input can no longer close the literal. The objection is that each call replaces only one character, and the dangerous characters are not just "'"; ">", "<", "&" and "%" should all be controlled too. (Strictly, those four do not break a string literal in this query; they matter when the input is echoed into HTML or used in a LIKE pattern.) If many characters must be handled, REPLACE alone becomes clumsy, so what then?

    2. Checking the input in code

    Inspect every character of the client's input in the program, so that any potentially dangerous character or code can be caught. This is the method I use:

    <%
    ' Read the submitted form fields
    user = request.form("UserID")
    pass = request.form("Pass")
    ...
    ' Loop over the input, one character at a time
    for i = 1 to len(user)
        ' MID reads the single character at position i of user
        us = mid(user, i, 1)
        ' compare it against the blocked characters
        if us = "'" or us = "%" or us = "<" or us = ">" or us = "&" then
            ' the input contains a blocked character: show the error page
            response.redirect "err2.htm"
            response.end
        end if
    next
    ...
    %>

    Note that the loop above checks only user; pass needs exactly the same treatment (the "..." stands for the rest of the program). A blocklist like this is also fragile: it has to be complete, it rejects legitimate input such as a name containing an apostrophe, and it does nothing for numeric fields. The robust fix, which classic ASP supports as well, is not to splice user input into the SQL text at all but to pass it as parameters through an ADODB.Command object, so the database receives the statement and the values separately.
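The attack and both remedies from the article, carried through in Python with SQLite standing in for the Access database. This is an added example, not code from the original article: the table `admins`, its columns (including an `id` column for the numeric case the article mentions) and the credentials are constructed for the demo. `login_concat` builds the query exactly as SUB.asp does, `login_replace` is the quote-doubling REPLACE fix, and `login_param` binds the values as parameters, which is what ADODB.Command parameters do in classic ASP.

```python
import sqlite3

# Constructed sample data standing in for the article's Access table (not from the page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admins (id integer, user text, pass text)")
    conn.execute("insert into admins values (7, 'admin', 's3cret')")
    return conn

def login_concat(conn, user, password):
    """The article's SUB.asp query: the values are spliced straight into the SQL text."""
    sql = "select * from admins where user='" + user + "' and pass='" + password + "'"
    return conn.execute(sql).fetchone() is not None

def login_replace(conn, user, password):
    """Fix 1 from the article: double every single quote before splicing (standard
    SQL string-literal escaping), so a quote in the input can no longer close the literal."""
    u = user.replace("'", "''")
    p = password.replace("'", "''")
    sql = "select * from admins where user='" + u + "' and pass='" + p + "'"
    return conn.execute(sql).fetchone() is not None

def login_param(conn, user, password):
    """Parameterized query: the statement text is fixed and the driver sends the
    values separately, so nothing the user types can change the SQL."""
    sql = "select * from admins where user=? and pass=?"
    return conn.execute(sql, (user, password)).fetchone() is not None

def login_numeric_concat(conn, uid):
    """Numeric column, as the article notes: no quotes around the value, so the
    payload needs none either and quote-doubling would not help at all."""
    sql = "select * from admins where id=" + uid
    return conn.execute(sql).fetchone() is not None

def login_numeric_param(conn, uid):
    """Numeric column done right: convert to the expected type first (junk is
    rejected), then bind the value as a parameter."""
    try:
        n = int(uid)
    except ValueError:
        return False
    return conn.execute("select * from admins where id=?", (n,)).fetchone() is not None

# The two inputs the article types into both boxes of sub.htm
PAYLOADS = ["a' or '1'='1", "' OR ''='"]

def run_demo():
    """Returns, per payload, whether each login variant lets the attacker in."""
    conn = make_db()
    results = {}
    for payload in PAYLOADS:
        results[payload] = {
            "concat": login_concat(conn, payload, payload),
            "replace": login_replace(conn, payload, payload),
            "param": login_param(conn, payload, payload),
        }
    results["numeric 8 or 1=1"] = {
        "concat": login_numeric_concat(conn, "8 or 1=1"),
        "param": login_numeric_param(conn, "8 or 1=1"),
    }
    return results

if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(repr(name), outcome)
```

Running it shows the concatenated query accepting both payloads (and `8 or 1=1` on the numeric column), while the quote-doubled and the parameterized versions reject them and still accept the real credentials. Quote-doubling protects only string literals, which is why the parameterized form is the one to use everywhere.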