添加時(shí)間:2012/8/28 18:08:48 編輯:奇億網(wǎng)站建設(shè)公司
ASP網(wǎng)站的動(dòng)態(tài)參數(shù)傳遞一直是個(gè)不小的安全問題,如不進(jìn)行安全過(guò)濾經(jīng)常會(huì)被黑客利用,一般的注入便是由于網(wǎng)站設(shè)計(jì)時(shí)沒有注意好傳遞過(guò)來(lái)的參數(shù)進(jìn)行過(guò)濾,比如http://www.829e.cn/news.asp?id=5直接用request("id")來(lái)獲取ID=5,黑客則可輕易利用此入侵。
下面教你兩種方法簡(jiǎn)單防御:
方法一:
<%'過(guò)濾安全字符
Function SafeRequest(ParaName,ParaType)
'--- 傳入?yún)?shù) ---
'ParaName:參數(shù)名稱-字符型
'ParaType:參數(shù)類型-數(shù)字型(1表示以上參數(shù)是數(shù)字,0表示以上參數(shù)為字符)
Dim ParaValue
ParaValue=Request(ParaName)
If ParaType=1 then
If not isNumeric(ParaValue) then
Response.write "參數(shù)" & ParaName & "必須為數(shù)字型!<br /><br />"
Response.end
End if
Else
ParaValue=replace(ParaValue,"'","''")
ParaValue = Replace(ParaValue, "select", "select")
ParaValue = Replace(ParaValue, "join", "join")
ParaValue = Replace(ParaValue, "union", "union")
ParaValue = Replace(ParaValue, "where", "where")
ParaValue = Replace(ParaValue, "insert", "insert")
ParaValue = Replace(ParaValue, "delete", "delete")
ParaValue = Replace(ParaValue, "update", "update")
ParaValue = Replace(ParaValue, "like", "like")
ParaValue = Replace(ParaValue, "drop", "drop")
ParaValue = Replace(ParaValue, "create", "create")
ParaValue = Replace(ParaValue, "modify", "modify")
ParaValue = Replace(ParaValue, "rename", "rename")
ParaValue = Replace(ParaValue, "alter", "alter")
ParaValue = Replace(ParaValue, "cast", "cast")
ParaValue = Replace(ParaValue, "and", "and")
ParaValue = Replace(ParaValue, "or", "or")
End if
SafeRequest=ParaValue
End function
%>
用法:當(dāng)傳遞過(guò)來(lái)的參數(shù)ID為數(shù)字時(shí),用safeRequest("id",1)接收;當(dāng)傳遞的ID為字符時(shí),用safeRequest("id",0)接收,這樣便可防御一般黑客的參數(shù)注入。
方法二:
簡(jiǎn)單過(guò)濾黑客需要用到的常用注入符號(hào):<%id=replace(request("id"), " ' ", " ' ' ")%>