SQL Injection Prevention Quickfix.. will it work


Problem description


Hi All,
I have been given a site to redo. In the process of looking at the code,
the live site is open to SQL injection. I know what needs to be done but
limited time right now to redo correctly. In the interim, while I am rewriting
the site, will adding a few lines of code as below prevent SQL injection
until I have the time to rebuild the functions and move to stored
procedures.

Basically client side I added an onKeypress javascript routine
to look for ' or " and disallow in login fields

<script>
function checkcode()
{
if(event.keyCode==34 || event.keyCode==39){event.returnValue = false;}
}
</script>

ServerSide I then added an if else statement to trap if user has javascript
disabled

<%
if request.form("submit")="Login" then
if len(rtrim(request("UserID")))>0 and len(rtrim(request("Password")))>0 _
then
' line added to trap single - dbl quote
if (instr(rtrim(request("UserID")),"'")=0 or _
instr(rtrim(request("password")),"'")=0) and _
(instr(rtrim(request("UserID")),"""")=0 or _
instr(rtrim(request("password")),"""")=0) then
rs.open "select * from FTSUsers where UserID='" & _
rtrim(request("UserID")) & "' and password='" & rtrim(request("password")) & _
"'", connstrx, 3, 4
' more syntax below not relative to question
%>

will this be sufficient for the time being in preventing SQL Injection
until I have time to create new syntax and stored procedures


Recommended answer






"Michael Kujawa" <nof at kujawas dot net> wrote in message
news:uZ**************@TK2MSFTNGP05.phx.gbl...


will this be sufficient for the time being in preventing SQL Injection
until I have time to create new syntax and store procedures





Changed the or's to and's but question still stands

if (instr(rtrim(request("UserID")),"'")=0 and _
instr(rtrim(request("password")),"'")=0) and _
(instr(rtrim(request("UserID")),"""")=0 and _
instr(rtrim(request("password")),"""")=0) then


This will suffice for a lazy or inexperienced hacker. For an experienced
hacker who is determined to break into your database/site, this will
probably slow him down by about 10 min. 20 min. tops.
Sorry.

http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/adva..._injection.pdf
http://www.nextgenss.com/papers/more..._injection.pdf
http://www.spidynamics.com/papers/SQ...WhitePaper.pdf

Michael Kujawa wrote:
Hi All,
I have been given a site to redo. In the process of looking at the
code, the live site is open to SQL injection. I know what needs to be
done but limited time right now to redo correctly. In the interim,
while I am rewriting the site, will adding a few lines of code as
below prevent SQL injection until I have the time to rebuild the
functions and move to stored procedures.

Basically client side I added an onKeypress javascript routine
to look for ' or " and disallow in login fields

<script>
function checkcode()
{
if(event.keyCode==34 || event.keyCode==39){event.returnValue = false;}
}
</script>

ServerSide I then added an if else statement to trap if user has
javascript disabled

<%
if request.form("submit")="Login" then
if len(rtrim(request("UserID")))>0 and _
len(rtrim(request("Password")))>0 then
' line added to trap single - dbl quote
if (instr(rtrim(request("UserID")),"'")=0 or _
instr(rtrim(request("password")),"'")=0) and _
(instr(rtrim(request("UserID")),"""")=0 or _
instr(rtrim(request("password")),"""")=0) then
rs.open "select * from FTSUsers where UserID='" & _
rtrim(request("UserID")) & "' and password='" & _
rtrim(request("password")) & "'", connstrx, 3, 4
' more syntax below not relative to question
%>

will this be sufficient for the time being in preventing SQL Injection
until I have time to create new syntax and stored procedures






--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.


Michael Kujawa wrote:
<%
if request.form("submit")="Login" then
if len(rtrim(request("UserID")))>0 and _
len(rtrim(request("Password")))>0 then
' line added to trap single - dbl quote
if (instr(rtrim(request("UserID")),"'")=0 or _
instr(rtrim(request("password")),"'")=0) and _
(instr(rtrim(request("UserID")),"""")=0 or _
instr(rtrim(request("password")),"""")=0) then
rs.open "select * from FTSUsers where UserID='" & _
rtrim(request("UserID")) & "' and password='" & _
rtrim(request("password")) & "'", connstrx, 3, 4
' more syntax below not relative to question
%>







Oh! And you really should reduce the number of calls to the Request
collections ... as well as specifying which form collection you are
accessing. Change "form" to "querystring" in the following example if
necessary:

dim userid, pwd
if request.form("submit") = "Login" then
userid = rtrim(request.form("UserID"))
pwd = rtrim(request.form("Password"))
etc.

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
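An added illustration, not code from either poster in this thread: it models the quote filter from the question, the statement the thread's rs.open line builds, and the standard fix the filter is not a substitute for, a parameterized query that reads each form field once (the second reply's point). It is written in Python with an in-memory sqlite3 database standing in for the ADO connection; the table name FTSUsers and the two column names come from the thread, the sample rows are constructed, and the legitimate user "O'Brien" shows what the quote filter does to real data.

```python
import sqlite3

# Constructed sample data standing in for the thread's FTSUsers table.
# "O'Brien" is a legitimate user whose name contains an apostrophe; the
# quote filter from the question would lock that user out.
SAMPLE_USERS = [("alice", "s3cret"), ("O'Brien", "pa55word")]


def make_db():
    """In-memory stand-in for the connection the thread opens via connstrx."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table FTSUsers (UserID text, password text)")
    conn.executemany("insert into FTSUsers values (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def quote_filter_allows(userid, password):
    """The follow-up's server-side check: both fields must be free of
    single and double quotes, otherwise the login is refused."""
    userid, password = userid.rstrip(), password.rstrip()  # rtrim()
    return not any(ch in userid or ch in password for ch in ("'", '"'))


def concatenated_query(userid, password):
    """The SQL text the thread's rs.open line builds: data is glued into the
    statement, so a quote inside the data changes the statement itself."""
    return ("select * from FTSUsers where UserID='" + userid.rstrip()
            + "' and password='" + password.rstrip() + "'")


def login_concatenated(conn, userid, password):
    """Runs the concatenated statement; raises sqlite3.OperationalError when a
    quote in the input leaves the statement unparsable."""
    row = conn.execute(concatenated_query(userid, password)).fetchone()
    return row is not None


def concatenation_breaks(conn, userid, password):
    """True when the concatenated statement fails to parse for this input."""
    try:
        login_concatenated(conn, userid, password)
    except sqlite3.OperationalError:
        return True
    return False


def login_parameterized(conn, userid, password):
    """The fix: the statement is fixed text and the values travel separately
    as parameters, so quotes are ordinary characters and no filter is needed.
    Each form field is read into a local exactly once. (Plaintext password
    comparison is kept from the thread's query; hashing is a separate topic.)"""
    uid = userid.rstrip()
    pwd = password.rstrip()
    sql = "select 1 from FTSUsers where UserID=? and password=?"
    return conn.execute(sql, (uid, pwd)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("filter allows O'Brien:", quote_filter_allows("O'Brien", "pa55word"))
    print("concatenation breaks on O'Brien:",
          concatenation_breaks(db, "O'Brien", "pa55word"))
    print("parameterized login for O'Brien:",
          login_parameterized(db, "O'Brien", "pa55word"))
```

In classic ASP the same shape is an ADODB.Command whose CommandText uses ? placeholders, with one cmd.CreateParameter(...) appended to cmd.Parameters per value, in place of the string-built rs.open call; once the values are bound that way, the quote filter and its false rejections of names like O'Brien can both go.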

