最火下载站

A Common Mistake to Watch Out For in ASP Programming

Author: reader submission    Published: 2008-08-29    Source: Internet

In ASP programming, authentication is something you need all the time. But how do you make that authentication secure?

    Form submission page: sub.htm

    <html>
    <head>
    <title>管理员登陆</title>
    </head>
    <body>
    <form name="form1" method="post" action="sub.asp">
    <p> 管理员:
    <input type="text" name="UserID" size="25" maxlength="20"><br>
    密 码:
    <input type="text" name="Pass" size="12" maxlength="20">
    <input type="submit" name="Submit" value="提交">
    </p>
    </form>
    </body>
    </html>

    The SUB.asp program

    <%
    ' Receive the data from the form
    user=request.form("UserID")
    ' Check whether the submitted value is empty (you may already have checked this on the form page with JavaScript or VBScript, but do not forget to check it here as well!)
    if user="" then
    ' Go to the error page
    response.redirect "err1.htm"
    ' This line may be unnecessary, but it is better to include it
    response.end
    end if
    pass=request.form("Pass")
    if pass="" then
    response.redirect "err2.htm"
    response.end
    end if
    ' Connect to the database
    file=server.mappath("你的数据库")
    set conn=server.createobject("adodb.connection")
    dr="driver={microsoft access driver (*.mdb)};dbq="&file
    conn.open dr
    set rs=server.createobject("adodb.recordset")
    ' The key part is the SQL statement here
    sql="select * from 表 where user='"&user&"' and pass='"&pass&"'"
    rs.open sql,conn
    if not rs.eof then
    ' A matching record was found, so go to the admin page
    response.redirect "login.asp"
    else
    ' No match, so go to the error page
    response.redirect "err3.htm"
    end if
    %>

    Everyone probably thinks the code above is fine, but it contains a serious security hole:

    If I want to log in as the administrator, I can type the following into the form fields of sub.htm:

    In the first text box:  a' or '1'='1   or   ' or ''='

    In the second text box:  a' or '1'='1   or   ' or ''='

    Submit, and you will see... "Hold on, hear me out, you can throw the bricks later..."

    The "a" and the "1" can be any characters.

    Someone will ask: why does entering those characters get you in as the administrator??

    It is because those characters trick the SQL statement in your program, and that is how the login succeeds.

    Look: the program's SQL queries the table for records satisfying the condition user='"&user&"' and pass='"&pass&"':

    sql="select * from 表 where user='"&user&"' and pass='"&pass&"'"

    After I enter the input above, it becomes:

    sql="select * from 表 where user='a' or '1'='1' and pass='a' or '1'='1'"

    Look at that: is there any reason it would not get in?? Give me one reason it would not get in, first!

    The USER and PASS fields above are character type; if they are numeric type, the same reasoning applies!

    Solutions:

    1. Function replacement

    Use REPLACE to substitute any special characters in the content the client submitted, and you have it under control! sql="select * from 表 where user='"&replace(user,"'","''")&"' and pass='"&replace(pass,"'","''")&"'"

    This method only replaces one character per call, and in fact the dangerous characters are not only "'"; characters such as ">", "<", "&" and "%" should all be controlled too. The REPLACE function does not seem up to that, so what do you do??

    2. Program control

    Use the program to control everything the client submits; that way every potentially dangerous character or piece of code the client could enter is controlled in one place. This is the method I use!

    <%
    ' Capture the form content submitted by the client
    user=request.form("user")
    pass=request.form("pass")
    ...
    ' Start of the control loop
    for i=1 to len(user)
    ' Use MID to read the single character at position i of the variable user
    us=mid(user,i,1)
    ' Compare the character that was read
    if us="'" or us="%" or us="<" or us=">" or us="&" then
    ' If it contains any of the characters above, show an error: these special characters are not allowed
    response.redirect "err2.htm"
    response.end
    end if
    next
    ...
    %>
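The following is an added example and not code from the original article. It re-creates the article's three query styles in Python against an in-memory SQLite table (a constructed stand-in for the Access database; the table `users`, its columns, the `admin`/`s3cret` row and all function names are assumptions), so the effect of the inputs discussed above can be observed offline: `login_concat` mirrors the vulnerable concatenated SQL of sub.asp, `login_escaped` applies the REPLACE idea from solution 1, `has_forbidden_chars` is a port of the MID loop from solution 2, and `login_param` shows a bound-parameter query, which the article does not mention but is the standard way to keep input from being parsed as SQL.

```python
import sqlite3

# Characters rejected by the article's MID loop (solution 2).
FORBIDDEN = set("'%<>&")


def make_db():
    """Constructed sample database: one admin account (assumption, not the article's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (user text, pass text)")
    conn.execute("insert into users values ('admin', 's3cret')")
    return conn


def has_forbidden_chars(value):
    """Port of the article's character check: true if any of ' % < > & is present."""
    return any(ch in FORBIDDEN for ch in value)


def login_concat(conn, user, pw):
    """Mirrors the vulnerable sub.asp: the SQL text is built by concatenating the inputs,
    so a quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = "select * from users where user='" + user + "' and pass='" + pw + "'"
    return conn.execute(sql).fetchone() is not None


def login_escaped(conn, user, pw):
    """Solution 1 from the article: double every single quote before concatenating.
    This neutralises the quote only; the other characters are left untouched."""
    safe_user = user.replace("'", "''")
    safe_pw = pw.replace("'", "''")
    sql = "select * from users where user='" + safe_user + "' and pass='" + safe_pw + "'"
    return conn.execute(sql).fetchone() is not None


def login_param(conn, user, pw):
    """Bound parameters: the driver sends the input as data, never as SQL text,
    so no character in it can change the query's structure."""
    row = conn.execute(
        "select * from users where user=? and pass=?", (user, pw)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    # The inputs from the article; with concatenation the condition becomes
    # user='a' or '1'='1' and pass='a' or '1'='1', which is true for every row.
    bad = "a' or '1'='1"
    print("concatenated:", login_concat(db, bad, bad))      # True: login bypassed
    print("escaped:     ", login_escaped(db, bad, bad))     # False
    print("parameterized:", login_param(db, bad, bad))      # False
    print("filter flags it:", has_forbidden_chars(bad))     # True
    print("real credentials:", login_param(db, "admin", "s3cret"))  # True
```

Running the block shows the article's point directly: the concatenated query accepts both `a' or '1'='1` and `' or ''='` as valid logins, while both the escaped and the parameterized query reject them and still accept the real credentials. Note that the REPLACE approach, as the article says, only handles the quote and would not help for a numeric field, whereas the parameterized query needs no character list at all.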