引言
asp项目,在sql查询使用字符串拼接情况下,会受到sql注入攻击,可以使用敏感词过滤和参数化语句进行修改。
敏感词过滤
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | Dim Fy_Post,Fy_Get,Fy_In,Fy_Inf,Fy_Xh,Fy_db,Fy_dbstr,Kill_IP,WriteSql'自定义需要过滤的字串,用 "|" 分隔Fy_In = "'|;|and|(|)|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|exist|drop"Kill_IP=TrueWriteSql=True '----------------------------------Fy_Inf = split(Fy_In,"|")'--------POST部份------------------If Request.Form"" Then For Each Fy_Post In Request.Form For Fy_Xh=0 To Ubound(Fy_Inf) If Instr(LCase(Request.Form(Fy_Post)),Fy_Inf(Fy_Xh))0 Then Response.Redirect "/index.asp" Response.End End If Next NextEnd IfIf Request.QueryString"" Then For Each Fy_Get In Request.QueryString For Fy_Xh=0 To Ubound(Fy_Inf) If Instr(LCase(Request.QueryString(Fy_Get)),Fy_Inf(Fy_Xh))0 Then Response.Redirect "/index.asp" Response.End End If Next NextEnd If |
对敏感词URL进行过滤,重定位或进行其他处理
参数化
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 | Public Function execSqlOpen(connect,cursorType,lockType,args()) set cmdTemp = server.CreateObject("ADODB.Command") cmdTemp.ActiveConnection = connect cmdTemp.Prepared = true cmdTemp.CommandText = args(0) Dim i For i = 1 To UBound(args) set paramTemp = cmdTemp.CreateParameter("",201,1,Len(args(i))+10,args(i)) cmdTemp.Parameters.Append paramTemp Next set rsTemp=server.CreateObject("adodb.recordset") rsTemp.open cmdTemp,,cursorType,lockType set execSqlOpen = rsTempend functionPublic Function execSqlExecute(connect,args()) set cmdTemp = server.CreateObject("ADODB.Command") cmdTemp.ActiveConnection = connect cmdTemp.Prepared = true cmdTemp.CommandText = args(0) Dim i For i = 1 To UBound(args) set paramTemp = cmdTemp.CreateParameter("",201,1,Len(args(i))+10,args(i)) cmdTemp.Parameters.Append paramTemp Next set execSqlExecute = cmdTemp.executeend function |
封装这两个函数,然后进行修改
- 1.使用open的调用execSqlOpen(需要调用close,视原代码是否close决定),使用execute的调用execSqlExecute(不调用close)
- 2.需要返回值的用set 一个变量接收,不需要的用call调用
- 3.表名动态拼接的,无法使用占位符,使用原始拼接方式
- 4.使用like的,内部使用?占位,外部使用字符串拼接前后%(“%”&keyword&”%”)
例子如下:
open普通查询
1 2 3 4 5 6 7 | sql="select * from table where column='"&column&"'"set rs=server.CreateObject("ADODB.recordset")rs.Open sql,conn,1,1=>dim argsargs = Array("select * from table where column = ?",column)set rs = execSqlOpen(conn,1,1,args) |
动态参数查询
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | sql="select * from table where 1=1 and column1='"&request("column1")&"'"if column2"" thensql=sql&" and column2 like '%"&column2&"%'"end ifif column3"" thensql=sql&" and column3 ="&column3&""end ifsql=sql&" order by column4 desc;"Set rs= Server.CreateObject("ADODB.Recordset")rs.open sql,conn,1,1=>dim argsargs = Array("select * from table where 1=1 and column1=?",request("column1"))if column2"" thenargs(0)=args(0)&" and column2 like ?"ReDim Preserve args(UBound(args)+1)args(UBound(args)) = "%"&column2&"%"end ifif column3"" thenargs(0)=args(0)&" and column3 =?"ReDim Preserve args(UBound(args)+1)args(UBound(args)) = column3end ifargs(0)=args(0)&" order by column4 desc;"set rs = execSqlOpen(conn,1,1,args) |
table动态
1 2 3 4 5 | Set Rs_t=Conn.Execute("Select column From "&table&" where column1="&column1)=>dim argsargs = Array("Select column From "&table&" where column1=?",column1)set Rs_t = execSqlExecute(conn,args) |
执行查询
1 2 3 4 5 | set rs=conn.execute("select * from table where column="&request("column"))=>dim argsargs = Array("select * from table where column = ?",request("column"))set rs = execSqlExecute(conn,args) |
执行更新
1 2 3 4 5 | conn.execute("update table set column = '"&column&"'")=>dim argsargs = Array("update table set column = ?",column)call execSqlExecute(conn,args) |
以上就是asp防sql注入攻击技巧实例详解的详细内容,更多关于asp防sql注入攻击的资料请关注IT俱乐部其它相关文章!
