有安全问题吗? [英] is there security problem?
问题描述
我的朋友我在webform中使用了datalist,我将从数据库中获取图像。为此,我使用了httphandler。
< asp:Image ID =Image1 runat =serverImageUrl ='<%#../xxxxxxx.ashx?ImID =+ Eval(id)%>'Height =244pxWidth =244pxEnableViewState = True/>
我使用查询字符串将图像ID Eval(id)发送到httpsndler。
这是一个querystring安全问题?????
我怎么隐藏id或怎么能保护注射或任何攻击。
引用:< pre lang =HTML> < asp:Image ID = Image1 runat = server ImageUrl =' <%# ../ xxxxxxx.ashx?ImID = + EncodeID (Eval( id))%>' 高度 = 244px 宽度 = 244px EnableViewState = True / >
实际上,在浏览器上渲染后,
ImageUrl
会引用图像路径而不是任何ID
。
这是因为根据代码,它会在ID
的帮助下动态绑定Path。 i>服务器端。在客户端浏览器中没有ID
或任何参数的痕迹。
您可以检查HTML 检查元素的浏览器图像code>。
但是,如果要保护数据,可以添加一些编码功能和修改代码为...
< asp:图像 ID = Image1 runat < span class =code-keyword> = server ImageUrl =' <%# ../ xxxxxxx.ashx? ImID = + EncodeID (Eval( id ))%>' 高度 = 244px 宽度 = 244px EnableViewState = True / >
这里EncodeID()
是 Code Behind 的函数,它将编码ID
并返回编码ID
。
查看以下参考资料
http://stackoverflow.com/questions/9110561/e ncrypt-query-string-including-keys
http://www.codeproject.com/Tips/583097/Global-Query-String-Encryption
http://www.codeproject.com/Articles/20147/Encrypt-a-Querystring-with-Expiration
my friends I used datalist in webform and I will get image from the database.For this I used httphandler.
<asp:Image ID="Image1" runat="server" ImageUrl='<%# "../xxxxxxx.ashx?ImID=" + Eval("id")%>' Height="244px" Width="244px" EnableViewState="True" />
I send image id Eval("id") to httphandler with querystring.
is this a querystring security problem?????
how I hide id or how can protect injection or any attacks.
Quote:<asp:Image ID="Image1" runat="server" ImageUrl='<%# "../xxxxxxx.ashx?ImID=" + EncodeID(Eval("id"))%>' Height="244px" Width="244px" EnableViewState="True" />Actually the
ImageUrl
after rendered on Browser, would refer to a Image Path rather than anyID
.
That is because according to the code, it will dynamically bind the Path with the help ofID
at Server side. There will be no trace ofID
or any parameters at the client side Browser.
You can check theHTML
of Image on Browser by Inspecting the Element.
However, if you want to protect the data, you can add some Encoding function and modify code as...
<asp:Image ID="Image1" runat="server" ImageUrl='<%# "../xxxxxxx.ashx?ImID=" + EncodeID(Eval("id"))%>' Height="244px" Width="244px" EnableViewState="True" />
HereEncodeID()
is a function at Code Behind, which would encode theID
and return you the EncodedID
.
go through the below references
http://stackoverflow.com/questions/9110561/encrypt-query-string-including-keys
http://www.codeproject.com/Tips/583097/Global-Query-String-Encryption
http://www.codeproject.com/Articles/20147/Encrypt-a-Querystring-with-Expiration
这篇关于有安全问题吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!