 |
|
|
 首页 |
名片设计 CorelDRAW Illustrator AuotoCAD Painter 其他软件 Photoshop Fireworks Flash |
|
Problem with Query String Method Often time we use query string collection to retrieve an unique record from a table. Notice the following piece of code - Detail.asp?RecordID=200 Here we are passing a query string value called "RecordID" using the url. We then use the Query String collection "RecordID" to get the actual number - <% Dim RecordID RecordID = Request.QueryString("RecordID") %> The problem with the above method is that we are exposing "RecordID" to the public. Hence making easy to hackers to just change the RecordID Query string to retrieve other values of the table. Solution to the above problem In order to solve the above problem, we will use two ASP pages and the ASP random number function to scramble the passing query string value so that the real record number is not exposed to others. On the first page we get a random number with the following code - <% Randomize timer \\\' Randomizing the timer function rndNum = abs(int((rnd() * 3001))) \\\' To generate a prime based, non-negative random number.. rndNum = rndNum + 53 Session("rndNum") = rndNum \\\'We place the random number value in a session variable so that we can use it again in the next page %> Now that we have our random number we will scramble our query string with it! Here is how - <% \\\'Assuming you have a record set retrieved - Display_Rs.movefirst While not Display_Rs.Eof Response.Write "<a href=detail.asp?RecordID=" Response.Write (Display_Rs("RecordID")*rndNum) \\\' Notice we are multiplying the actual record number with the random number to scramble the query \\\'string Response.Write Display_Rs("RecordID") & "</a>" Display_Rs.Movenext Wend %> In the next page we will un-scramble the query string! Here is how - <% Dim RecordID RecordID = request.querystring("RecordID")/Session("rndNum") \\\' We are dividing the record ID query string value with the same formula to un-scramble and pass the actual record ID to the SQL statement Session.abandon \\\' Releasing Session value for the next record %> That\\\'s it! Using the above method you can scramble a query string as much as you like. For example multiply the random number with a very complex formula to generate an even more difficult integer number. The key point here is you divide the number with the same formula yielding to the original value. This technique is not full proof but much more difficult to break in that passing a regular query string value. 返回类别: 教程 上一教程: 另类: ASP不用DSN访问数据库 下一教程: 正则表达式简介(14) 您可以阅读与"加密QUERYSTRING数据"相关的教程: · 加密后台数据库的方式 · 加密你的ACCESS数据库 · 防止别人在QUERYSTRING中加入DELETE或其他字符删除你的数据库内容 · 使用ASP加密算法加密你的数据 · 使用ASP加密算法加密你的数据(一) |
  |
| 快精灵印艺坊 版权所有 |
首页 会员中心在线印刷在线编辑付款方式索取样品设计指南连锁门店
|
||
