General questions: best practices


Problem description
Yesterday, I posted a problem which, by the way, I haven't been able to
solve yet. But in Aaron's reply, he questioned why I did several things the
way I did. My short answer is that I have a lot to learn, but now I'd like
to ask anyone who reads this, including Aaron, for some clarification. I
imagine others might benefit, too.

"Aaron Bertrand - MVP" <aa***@TRASHaspfaq.com> wrote

A few suggestions. (3) why do you constantly set rs = createobject("ADODB.Recordset") but never destroy any of them?

I went back and took care of it with this: set rs = nothing

My question is, is this enough?

(4) why are you allowing values from request.querystring into your SQL statements unchecked? Have you tried something like... DisplaySortableTickets.asp?strStatus=a';DELETE%20TKT_STATUS;SELECT%20'b

Never thought of that. Is that really an issue for an Intranet, though?

(5) why are you using ADODB.Recordset at all? These all seem to be forward-only, static recordsets.

I don't really understand this question/statement. Is there another kind of
recordset?

Here is a rewrite of the first portion.

<!-- #INCLUDE FILE="includes/functions.asp" -->
<!-- #INCLUDE FILE="includes/argodbinc.asp" -->
<!-- #INCLUDE FILE="includes/colors.inc" -->
<%
' Return the named query-string value with every single quote doubled,
' so it can sit inside a quoted SQL literal.
function fixVal(s)
    fixVal = replace(request.QueryString(s), "'", "''")
end function



Does this just take the apostrophes from the querystring? Is that just to
keep it from being used by a malicious person who would put an evil SQL
statement?


Solution

"middletree" wrote ...

I went back and took care of it with this: set rs = nothing
My question is, is this enough?

aye, remember to close the connection as well when you're done with it.

DisplaySortableTickets.asp?strStatus=a';DELETE%20TKT_STATUS;SELECT%20'b


Never thought of that. Is that really an issue for an Intranet, though?



Yeppo - imagine the fun that could be had by a clued up developer just
before he leaves disgruntled...goodbye important database content...you can
read up on this - try doing a Google search for SQL Injection.

Replacing the ' I believe is one solution...

I don't really understand this question/statement. Is there another kind of recordset?

You can use 'cursors' within recordsets; they allow you to move BACK and
FORTH between the records you return in the recordset, if you do not need to
ever move back, and only forward - as Aaron mentions above etc...

fixVal = replace(request.QueryString(s), "'", "''")


Does this just take the apostrophes from the querystring?

It won't 'take' them away - it simply replaces them with 2 apostrophes

Is that just to keep it from being used by a malicious person who would put an evil SQL statement?

hehe - 'evil' - hehe - yes :)

Note, I am not as clued up as many here, so the above are only my
suggestions/opinions and thoughts - don't take 'em as gospel (unless I'm
correct in which case feel free to send me crates of copperfields sweet
sherry!)

Hope I helped,

Regards

Rob



"middletree" <mi********@htomail.com> wrote in message
news:Om****************@TK2MSFTNGP11.phx.gbl...



I went back and took care of it with this: set rs = nothing
My question is, is this enough?

Do:

rs.Close
Set rs = Nothing


(4) why are you allowing values from request.querystring into your SQL
statements unchecked? Have you tried something like...
DisplaySortableTickets.asp?strStatus=a';DELETE%20TKT_STATUS;SELECT%20'b


Never thought of that. Is that really an issue for an Intranet, though?



Yes! Sure, you can fire someone for dropping a table or something, but that
doesn''t mean you should allow it to happen.

(5) why are you using ADODB.Recordset at all? These all seem to be
forward-only, static recordsets.

I don't really understand this question/statement. Is there another kind
of recordset?

Yeah. If Aaron did not already post this link, read this when you have a
few moments.
http://www.aspfaq.com/2191

function fixVal(s)
    fixVal = replace(request.QueryString(s), "'", "''")
end function



Does this just take the apostrophes from the querystring? Is that just to
keep it from being used by a malicious person who would put an evil SQL
statement?



It's to keep the ' from your SQL query, since ' is a delimiter in SQL.
Example:

sVar = "O'Brien"
sSQL = "SELECT Something FROM SomeTable WHERE LastName='" & sVar & "'"

That will result in a string of:
SELECT Something FROM SomeTable WHERE LastName='O'Brien'

That ' in the O'Brien will be the end of the string, and then SQL will see
Brien' and get confused. The way to escape the ' is to double it up, so the
string would wind up looking like:
SELECT Something FROM SomeTable WHERE LastName='O''Brien'

Passing the value through the fixVal function will double up any instances
of '.

Does that make sense?

Ray at work

p.s. For pleasure reading, download the whole aspfaq.com FAQ in pdf format
and read it over the weekend. It's very cool of Aaron to offer that whole
thing as a pdf.




"middletree" <mi********@htomail.com> wrote in message
news:Om****************@TK2MSFTNGP11.phx.gbl...

"Aaron Bertrand - MVP" <aa***@TRASHaspfaq.com> wrote

A few suggestions.

(3) why do you constantly set rs = createobject("ADODB.Recordset") but
never destroy any of them?


I went back and took care of it with this: set rs = nothing

My question is, is this enough?


You should close them when you are done with them:

rs.close
set rs = nothing

(4) why are you allowing values from request.querystring into your SQL
statements unchecked? Have you tried something like...
DisplaySortableTickets.asp?strStatus=a';DELETE%20TKT_STATUS;SELECT%20'b


Never thought of that. Is that really an issue for an Intranet, though?


Do you want to risk it? One day you might wake up with no records in the
database and not know what happened to them. :)

Here is a rewrite of the first portion.

<!-- #INCLUDE FILE="includes/functions.asp" -->
<!-- #INCLUDE FILE="includes/argodbinc.asp" -->
<!-- #INCLUDE FILE="includes/colors.inc" -->
<%
' Return the named query-string value with every single quote doubled,
' so it can sit inside a quoted SQL literal.
function fixVal(s)
    fixVal = replace(request.QueryString(s), "'", "''")
end function



Does this just take the apostrophes from the querystring? Is that just to
keep it from being used by a malicious person who would put an evil SQL
statement?



This replaces one single quote with two single quotes. This is how you
escape the single quote. It should take care of the evil SQL statement I
think, but it also takes care of situations where your data contains a
single quote. For example, if I wanted to insert the string:

I don't like this

Then your SQL string would end when it encountered the single quote in that
string. The code above would replace the single quote so the string looked
like this:

I don''t like this

Your SQL string would then be valid.

Hope this helps.

Regards,
Peter Foti
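An added example (not code from the thread) that applies the replies' advice in Classic ASP: the query-string value is bound as an ADODB.Command parameter instead of being escaped into the SQL text, the result is the forward-only recordset Aaron's point (5) describes, and the recordset and connection are closed and released when done. It assumes an open ADODB.Connection named conn (as includes/argodbinc.asp would provide) and a table TKT_STATUS with a Status column; the Const values are the standard ADO ones from adovbs.inc.

```vbscript
<%
' Added example (not from the thread). Assumes an open ADODB.Connection named
' conn (opened by includes/argodbinc.asp in the original page) and a table
' TKT_STATUS with a column Status; both are assumptions.

' ADO constants normally supplied by adovbs.inc, declared here to stay self-contained.
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

' Better than doubling quotes: bind the value as a parameter. The statement text
' never contains the user's input, so a';DELETE TKT_STATUS;SELECT 'b is just a
' string that matches no row. cmd.Execute returns a forward-only, read-only
' recordset, which is all a display page like this needs.
Function OpenTicketsByStatus(conn, strStatus)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT Status FROM TKT_STATUS WHERE Status = ?"
    cmd.Parameters.Append cmd.CreateParameter("@Status", adVarChar, adParamInput, 50, strStatus)
    Set OpenTicketsByStatus = cmd.Execute
End Function

Dim rs
' CStr matters: Request.QueryString(...) is a collection object, and ADO
' rejects it as a parameter value unless it is converted to a plain string.
Set rs = OpenTicketsByStatus(conn, CStr(Request.QueryString("strStatus")))

Do Until rs.EOF
    ' Encode on the way out too; the value came from the request.
    Response.Write Server.HTMLEncode(rs("Status") & "") & "<br>"
    rs.MoveNext
Loop

' What Ray and Peter asked for: Close, then release the reference.
rs.Close
Set rs = Nothing
conn.Close
Set conn = Nothing
%>
```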

