加密QueryString数据
新客网 XKER.COM 2003-04-18 来源: 收藏本文
Problem with Query String Method
Often time we use query string collection to retrieve an unique record from a table. Notice the following
piece of code -
Detail.asp?RecordID=200
Here we are passing a query string value called "RecordID" using the url. We then use the Query String
collection "RecordID" to get the actual number -
<%
Dim RecordID
RecordID = Request.QueryString("RecordID")
%>
The problem with the above method is that we are exposing "RecordID" to the public. Hence making easy to
hackers to just change the RecordID Query string to retrieve other values of the table.
Solution to the above problem
In order to solve the above problem, we will use two ASP pages and the ASP random number function to
scramble the passing query string value so that the real record number is not exposed to others.
On the first page we get a random number with the following code -
<%
Randomize timer
' Randomizing the timer function
rndNum = abs(int((rnd() * 3001)))
' To generate a prime based, non-negative random number..
rndNum = rndNum + 53
Session("rndNum") = rndNum
'We place the random number value in a session variable so that we can use it again in the next page %>
Now that we have our random number we will scramble our query string with it! Here is how -
<%
'Assuming you have a record set retrieved -
Display_Rs.movefirst
While not Display_Rs.Eof
Response.Write "<a href=detail.asp?RecordID="
Response.Write (Display_Rs("RecordID")*rndNum)
' Notice we are multiplying the actual record number with the random number to scramble the query 'string
Response.Write Display_Rs("RecordID") & "</a>"
Display_Rs.Movenext
Wend
%>
In the next page we will un-scramble the query string! Here is how -
<%
Dim RecordID
RecordID = request.querystring("RecordID")/Session("rndNum")
' We are dividing the record ID query string value with the same formula to un-scramble and pass the
actual record ID to the SQL statement
Session.abandon
' Releasing Session value for the next record
%>
That's it! Using the above method you can scramble a query string as much as you like. For example
multiply the random number with a very complex formula to generate an even more difficult integer number.
The key point here is you divide the number with the same formula yielding to the original value. This
technique is not full proof but much more difficult to break in that passing a regular query string value.
Often time we use query string collection to retrieve an unique record from a table. Notice the following
piece of code -
Detail.asp?RecordID=200
Here we are passing a query string value called "RecordID" using the url. We then use the Query String
collection "RecordID" to get the actual number -
<%
Dim RecordID
RecordID = Request.QueryString("RecordID")
%>
The problem with the above method is that we are exposing "RecordID" to the public. Hence making easy to
hackers to just change the RecordID Query string to retrieve other values of the table.
Solution to the above problem
In order to solve the above problem, we will use two ASP pages and the ASP random number function to
scramble the passing query string value so that the real record number is not exposed to others.
On the first page we get a random number with the following code -
<%
Randomize timer
' Randomizing the timer function
rndNum = abs(int((rnd() * 3001)))
' To generate a prime based, non-negative random number..
rndNum = rndNum + 53
Session("rndNum") = rndNum
'We place the random number value in a session variable so that we can use it again in the next page %>
Now that we have our random number we will scramble our query string with it! Here is how -
<%
'Assuming you have a record set retrieved -
Display_Rs.movefirst
While not Display_Rs.Eof
Response.Write "<a href=detail.asp?RecordID="
Response.Write (Display_Rs("RecordID")*rndNum)
' Notice we are multiplying the actual record number with the random number to scramble the query 'string
Response.Write Display_Rs("RecordID") & "</a>"
Display_Rs.Movenext
Wend
%>
In the next page we will un-scramble the query string! Here is how -
<%
Dim RecordID
RecordID = request.querystring("RecordID")/Session("rndNum")
' We are dividing the record ID query string value with the same formula to un-scramble and pass the
actual record ID to the SQL statement
Session.abandon
' Releasing Session value for the next record
%>
That's it! Using the above method you can scramble a query string as much as you like. For example
multiply the random number with a very complex formula to generate an even more difficult integer number.
The key point here is you divide the number with the same formula yielding to the original value. This
technique is not full proof but much more difficult to break in that passing a regular query string value.
最新相关文章- ·ASP+ACCESS数据库中文乱码问题解决
- ·编程实例 字母+数字验证码程序
- ·ASP连接数据库错误解决办法新法
- ·初学:ASP内建对象Response
- ·ASP网站Server object error的解决办法
- ·ASP技巧:让Len,Left,Right函数识别中文
- ·把网页中的电话号码生成图片的ASP程序
- ·ASP如何实现IE地址栏参数的判断
- ·细化解析:ASP连接11种数据库语法集锦
- ·ASP实现网页打开任何类型文件都保存
- ·ASP代码直接增加、删除ACCESS表和字段
- ·ASP:判断访问是否来自搜索引擎的函数
- ·ASP技巧:禁用页面缓存的五种方法
- ·学习ASP关于与变量子类型相关的函数
- ·ASP开发中的(VBScript)类基础学习
- ·ASP访问Excel文件
发表评论
评论内容:不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
阅读排行
- 使用bcdedit 更改windows vista 的启动顺序
- Session丢失问题解决方案
- NTFS文件系统的安全属性
- 在DataGridView中获得DataGridViewCheckBoxColumn
- asp http 500 - 内部服务器错误 请求的资源在使用
- windows内核初窥(一)------体系结构
- WIN32下DELPHI中的多线程【线程的调度】(二)
- 一种Windows下线程同步的实现方法
- windows内核初窥(二)-----系统机制
- WIN32下DELPHI中的多线程【变量存储】(三)
- 【最新】IP 地址分配表(14)
- 关于DataGridView中如何接收处于编辑状态下的当前
- Microsoft Internet Transfer Control 使用简介(
- [小技巧]winfrom使用多线程
- 八大法则杜绝ASP网站漏洞入侵
随机推荐
实用信息推荐