asp开发学校OA项目中常用到知识点(3)安全

1、登录采用验证码(配合登录失败次数限制,防止脚本自动暴力猜测口令;验证码必须一次性使用)
图片验证码生成页yanzheng_s_z.asp代码:

<%@LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>

<%

Call Com_CreatValidCode("ValidCode")

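Sub Com_CreatValidCode(pSN)
    ' Renders a 4-character CAPTCHA as a 40x10 24-bit BMP straight into the
    ' response body and stores the plaintext answer in Session("pSN").
    '
    ' pSN: NOTE the parameter is unused - the answer is always stored under
    '      the literal session key "pSN", which is the key the verifying page
    '      reads.  Changing one side without the other breaks verification.
    '
    ' SECURITY NOTES
    '  * Glyphs come from a fixed 10x10 bitmap font with ~4% random speckle
    '    and no distortion, so the image is trivially OCR-able.  Treat it as a
    '    speed bump against naive scripts, not as a bot boundary; rate-limit
    '    login attempts as well.
    '  * Rnd/Randomize is a non-cryptographic generator seeded from the clock.
    '    With only 36^4 possible answers that is the lesser weakness, but do
    '    not reuse this generator for anything secret (tokens, passwords).
    '  * Whoever verifies the answer must clear Session("pSN") after a single
    '    comparison so one image cannot be replayed or guessed repeatedly.

    ' Defeat caching so every <img> load yields a fresh code.
    Response.Expires = -9999
    Response.AddHeader "Pragma", "no-cache"
    ' The original spelled this header "cache-ctrol", which browsers ignore.
    Response.AddHeader "Cache-Control", "no-cache"
    ' The body is a raw BMP; declare it instead of relying on content sniffing
    ' (which nosniff-hardened clients refuse).
    Response.ContentType = "image/bmp"

    Randomize

    Dim i, ii, iii

    Const cOdds = 4      ' percent chance that a pixel is painted as speckle
    Const cAmount = 36   ' number of glyphs available (length of cCode)

    ' Lowercase alphabet: the glyphs shown are lowercase, so the verifying
    ' page has to compare case-insensitively.
    Const cCode = "0123456789abcdefghijklmnopqrstuvwxyz"

    ' Pixel triples in BMP byte order (blue, green, red).
    ' vColorData(0) = colour of the glyph being drawn, vColorData(1) = background.
    Dim vColorData(1), vColorRandom(10)

    vColorRandom(0) = ChrB(150) & ChrB(0) & ChrB(0)
    vColorRandom(1) = ChrB(0) & ChrB(150) & ChrB(0)
    vColorRandom(2) = ChrB(0) & ChrB(0) & ChrB(150)
    vColorRandom(3) = ChrB(0) & ChrB(50) & ChrB(150)
    vColorRandom(4) = ChrB(150) & ChrB(50) & ChrB(0)
    vColorRandom(5) = ChrB(150) & ChrB(0) & ChrB(150)
    vColorRandom(6) = ChrB(150) & ChrB(100) & ChrB(10)
    vColorRandom(7) = ChrB(150) & ChrB(40) & ChrB(120)
    vColorRandom(8) = ChrB(150) & ChrB(0) & ChrB(250)
    vColorRandom(9) = ChrB(100) & ChrB(100) & ChrB(100)
    vColorRandom(10) = ChrB(50) & ChrB(50) & ChrB(50)

    vColorData(0) = vColorRandom(0)
    vColorData(1) = ChrB(250) & ChrB(250) & ChrB(255)   ' light background

    ' Pick four glyphs and a colour for each; vCodes is the plaintext answer.
    ' Int(Rnd * 10) yields 0..9, so vColorRandom(10) is never selected.
    Dim vCode(4), vCodes, vCodeColors(4)

    For i = 0 To 3
        vCodeColors(i) = vColorRandom(Int(Rnd * 10))
        vCode(i) = Int(Rnd * cAmount)
        vCodes = vCodes & Mid(cCode, vCode(i) + 1, 1)
    Next

    Session("pSN") = vCodes   ' literal key - see note in the header comment

    ' 10x10 glyph bitmaps, 100 chars each, row 0 first (top of the image).
    ' "1" = background, "0" = ink (used as an index into vColorData).
    Dim vNumberData(35)

    vNumberData(0) = "1110000111110111101111011110111101001011110100101111010010111101001011110111101111011110111110000111"
    vNumberData(1) = "1111011111110001111111110111111111011111111101111111110111111111011111111101111111110111111100000111"
    vNumberData(2) = "1110000111110111101111011110111111111011111111011111111011111111011111111011111111011110111100000011"
    vNumberData(3) = "1110000111110111101111011110111111110111111100111111111101111111111011110111101111011110111110000111"
    vNumberData(4) = "1111101111111110111111110011111110101111110110111111011011111100000011111110111111111011111111000011"
    vNumberData(5) = "1100000011110111111111011111111101000111110011101111111110111111111011110111101111011110111110000111"
    vNumberData(6) = "1111000111111011101111011111111101111111110100011111001110111101111011110111101111011110111110000111"
    vNumberData(7) = "1100000011110111011111011101111111101111111110111111110111111111011111111101111111110111111111011111"
    vNumberData(8) = "1110000111110111101111011110111101111011111000011111101101111101111011110111101111011110111110000111"
    vNumberData(9) = "1110001111110111011111011110111101111011110111001111100010111111111011111111101111011101111110001111"
    vNumberData(10) = "1111011111111101111111101011111110101111111010111111101011111100000111110111011111011101111000100011"
    vNumberData(11) = "1000000111110111101111011110111101110111110000111111011101111101111011110111101111011110111000000111"
    vNumberData(12) = "1110000011110111101110111110111011111111101111111110111111111011111111101111101111011101111110001111"
    vNumberData(13) = "1000001111110111011111011110111101111011110111101111011110111101111011110111101111011101111000001111"
    vNumberData(14) = "1000000111110111101111011011111101101111110000111111011011111101101111110111111111011110111000000111"
    vNumberData(15) = "1000000111110111101111011011111101101111110000111111011011111101101111110111111111011111111000111111"
    vNumberData(16) = "1110000111110111011110111101111011111111101111111110111111111011100011101111011111011101111110001111"
    vNumberData(17) = "1000100011110111011111011101111101110111110000011111011101111101110111110111011111011101111000100011"
    vNumberData(18) = "1100000111111101111111110111111111011111111101111111110111111111011111111101111111110111111100000111"
    vNumberData(19) = "1110000011111110111111111011111111101111111110111111111011111111101111111110111110111011111000011111"
    vNumberData(20) = "1000100011110111011111011011111101011111110001111111010111111101101111110110111111011101111000100011"
    vNumberData(21) = "1000111111110111111111011111111101111111110111111111011111111101111111110111111111011110111000000011"
    vNumberData(22) = "1000100011110010011111001001111100100111110101011111010101111101010111110101011111010101111001010011"
    vNumberData(23) = "1000100011110011011111001101111101010111110101011111010101111101100111110110011111011001111000110111"
    vNumberData(24) = "1110001111110111011110111110111011111011101111101110111110111011111011101111101111011101111110001111"
    vNumberData(25) = "1000000111110111101111011110111101111011110000011111011111111101111111110111111111011111111000111111"
    vNumberData(26) = "1110001111110111011110111110111011111011101111101110111110111011111011101001101111011001111110001011"
    vNumberData(27) = "1000001111110111011111011101111101110111110000111111010111111101101111110110111111011101111000110011"
    vNumberData(28) = "1110000011110111101111011110111101111111111001111111111001111111111011110111101111011110111100000111"
    vNumberData(29) = "1000000011101101101111110111111111011111111101111111110111111111011111111101111111110111111110001111"
    vNumberData(30) = "1000100011110111011111011101111101110111110111011111011101111101110111110111011111011101111110001111"
    vNumberData(31) = "1000100011110111011111011101111101110111111010111111101011111110101111111010111111110111111111011111"
    vNumberData(32) = "1001010011110101011111010101111101010111110101011111001001111110101111111010111111101011111110101111"
    vNumberData(33) = "1000100011110111011111101011111110101111111101111111110111111110101111111010111111011101111000100011"
    vNumberData(34) = "1000100011110111011111011101111110101111111010111111110111111111011111111101111111110111111110001111"
    vNumberData(35) = "1100000011110111011111111101111111101111111110111111110111111111011111111011111111101110111100000011"

    ' BITMAPFILEHEADER ("BM", file size 1254 = 54 + 40*10*3, pixel offset 54)
    ' followed by the start of BITMAPINFOHEADER (size 40, width 40, height 10,
    ' planes 1).
    Response.BinaryWrite ChrB(66) & ChrB(77) & ChrB(230) & ChrB(4) & ChrB(0) & ChrB(0) & ChrB(0) & ChrB(0) & _
        ChrB(0) & ChrB(0) & ChrB(54) & ChrB(0) & ChrB(0) & ChrB(0) & ChrB(40) & ChrB(0) & _
        ChrB(0) & ChrB(0) & ChrB(40) & ChrB(0) & ChrB(0) & ChrB(0) & ChrB(10) & ChrB(0) & _
        ChrB(0) & ChrB(0) & ChrB(1) & ChrB(0)

    ' Rest of BITMAPINFOHEADER: 24 bpp, no compression, image size 1200,
    ' 2834 px/m both axes, no palette.
    Response.BinaryWrite ChrB(24) & ChrB(0) & ChrB(0) & ChrB(0) & ChrB(0) & ChrB(0) & ChrB(176) & ChrB(4) & _
        ChrB(0) & ChrB(0) & ChrB(18) & ChrB(11) & ChrB(0) & ChrB(0) & ChrB(18) & ChrB(11) & _
        ChrB(0) & ChrB(0) & ChrB(0) & ChrB(0) & ChrB(0) & ChrB(0) & ChrB(0) & ChrB(0) & _
        ChrB(0) & ChrB(0)

    ' Pixel data, bottom row first as BMP requires (glyph row 0 is the top).
    ' Each row is 40 px * 3 bytes = 120 bytes, a multiple of 4, so no row
    ' padding is needed.
    For i = 9 To 0 Step -1          ' rows
        For ii = 0 To 3             ' glyphs left to right
            For iii = 1 To 10       ' pixels within the glyph row
                vColorData(0) = vCodeColors(ii)
                If Rnd * 99 + 1 < cOdds Then
                    ' speckle: paint this pixel in the glyph colour
                    Response.BinaryWrite vColorData(0)
                Else
                    Response.BinaryWrite vColorData(Mid(vNumberData(vCode(ii)), i * 10 + iii, 1))
                End If
            Next
        Next
    Next
End Sub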

%>



验证码读取页index.asp页代码:







验证码演示









  

    

    

    

  

  

    

    

  

  

    

    

    

    

  

  

    

    

    

  

   
 

图片验证码调用演示:
  
 输入验证码:刷新验证码
  

      

    










验证码判断页yanzhengok.asp页代码:

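<%
' Verifies the CAPTCHA answer submitted in form field "xiaolei" against the
' value stored by yanzheng_s_z.asp in Session("pSN").
'
' Fixes over the original:
'  * Both sides are upper-cased.  The image uses lowercase letters and the
'    original upper-cased only the session value, so any answer containing a
'    letter could never match.
'  * Both sides must be non-empty.  With no image generated yet, or after the
'    code was already consumed, Session("pSN") is "" and an empty submission
'    would compare equal and pass - a complete bypass.
'  * The stored answer is cleared BEFORE the result is reported, so each image
'    is single-use whether the guess was right or wrong.
Dim yanzheng, psn
yanzheng = UCase(Trim(Request.Form("xiaolei")))
psn = UCase(Cstr(Session("pSN")))
Session("pSN") = ""

If psn <> "" And yanzheng <> "" And yanzheng = psn Then
Response.Write ("OK!验证码正确!")
Else
Response.Write ("No!验证码错误!")
End If
%>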

2、asp+MSSQL防注入
首先是在程序中加上一段关键字黑名单过滤。注意:黑名单只能作为纵深防御,很容易被绕过(大小写、编码、注释、不在名单上的关键字),也会误伤正常输入;真正的防注入手段是使用 ADODB.Command 的参数化查询:

定义要拦截的关键字列表(黑名单)
' Keyword blacklist consulted by the GET/POST/Cookie loops below.
' NOTE(review): this line is garbled in the page (HTML was stripped): the
' string literal is unterminated, several entries are empty ("||"), and the
' "SQL_inj = split(...)" statement has been fused onto the same line.  It was
' presumably two statements - a "|"-separated quoted list, then the Split.
' An empty entry is fatal here: InStr(value, "") returns 1 for any non-empty
' value, so the loops below would reject every request.
' SECURITY: keyword blacklisting is bypassable (case/encoding tricks,
' comments, keywords not listed) and rejects legitimate input; use
' parameterised queries (ADODB.Command Parameters) as the real defence.
SQL_injdata = "|exec|insert|||delete|set | || | |char | || ||mid( |asc( ||cast|declare|exec|varchar| SQL_inj = split(SQL_Injdata,"|")

检测GET
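If Request.QueryString <> "" Then
    ' Reject the request if any query-string value contains a blacklisted
    ' token from SQL_inj (the Split() of SQL_injdata above).
    ' SECURITY: a keyword blacklist is trivially bypassed (alternate spellings,
    ' encodings, keywords not on the list) and also blocks legitimate text.
    ' Keep it only as defence in depth behind parameterised queries.
    For Each SQL_Get In Request.QueryString
        For SQL_Data = 0 To UBound(SQL_inj)
            ' Skip empty tokens: InStr(x, "") is 1 for any non-empty x, so a
            ' stray "||" in the list would otherwise reject every request.
            If SQL_inj(SQL_Data) <> "" Then
                If InStr(LCase(Request.QueryString(SQL_Get)), SQL_inj(SQL_Data)) > 0 Then
                    Response.Write "输入非法,数据库拒绝一些特殊的字符!"
                    Response.End
                End If
            End If
        Next
    Next
End If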

检测POST
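If Request.Form <> "" Then
    ' Same blacklist scan as for the query string, applied to every POST
    ' field.  Multi-valued fields are returned by Request.Form joined into
    ' one string, so all values are covered.
    ' SECURITY: defence in depth only - parameterised queries are the real fix.
    For Each Sql_Post In Request.Form
        For SQL_Data = 0 To UBound(SQL_inj)
            ' Skip empty tokens: InStr(x, "") is 1 for any non-empty x, so a
            ' stray "||" in the list would otherwise reject every request.
            If SQL_inj(SQL_Data) <> "" Then
                If InStr(LCase(Request.Form(Sql_Post)), SQL_inj(SQL_Data)) > 0 Then
                    Response.Write "输入非法,数据库拒绝一些特殊的字符!"
                    Response.End
                End If
            End If
        Next
    Next
End If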

检测cookie
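If Request.Cookies <> "" Then
    ' Same blacklist scan applied to every cookie.  Cookies are fully
    ' attacker-controlled, so any cookie value used in SQL needs the same
    ' parameterisation as form input; this scan alone is not sufficient.
    For Each Sql_Cookie In Request.Cookies
        For SQL_Data = 0 To UBound(SQL_inj)
            ' Skip empty tokens: InStr(x, "") is 1 for any non-empty x, so a
            ' stray "||" in the list would otherwise reject every request.
            If SQL_inj(SQL_Data) <> "" Then
                If InStr(LCase(Request.Cookies(Sql_Cookie)), SQL_inj(SQL_Data)) > 0 Then
                    Response.Write "输入非法,数据库拒绝一些特殊的字符!"
                    Response.End
                End If
            End If
        Next
    Next
End If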

这样就基本上对提交过来的数据(GET、POST、Cookie)做了一遍关键字过滤。但这只是黑名单,并不能替代参数化查询。

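' Referer-based blocking of one known hostile domain ("3bomb").
'
' SECURITY NOTE: HTTP_REFERER is supplied by the client and can be omitted or
' forged at will, so this stops only naive automated submissions from that one
' domain.  It is NOT a CSRF defence and does not prevent off-site form posts in
' general, despite what the error message says.  For that, put a per-session
' anti-CSRF token in every form and check it server-side; if a Referer check is
' kept at all, make it an allow-list of your own host rather than a blacklist.
Dim server_v1, server_v2
server_v1 = Cstr(Request.ServerVariables("HTTP_REFERER"))
If server_v1 = "" Then
    ' No Referer (direct navigation, privacy settings, or a client that strips
    ' it): fall back to our own host name, which makes the test below a no-op
    ' for such requests.
    server_v1 = Cstr(Request.ServerVariables("SERVER_NAME"))
End If
server_v2 = Cstr(Request.ServerVariables("SERVER_NAME"))

' The original also tested server_v1 on its own before this combined test;
' the combined test covers that case, so one check suffices.  The connective
' between the two InStr tests was lost in the page (">0instr("); "Or" is the
' only reading consistent with a blacklist and is used here.
If InStr(server_v1, "3bomb") > 0 Or InStr(server_v2, "3bomb") > 0 Then
    ' The HTML wrapper lines around this message were stripped from the page
    ' and are not reproduced here.
    Response.Write "你提交的路径有误,禁止从站点外部提交数据请不要乱该参数!"
    Response.End
End If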

这段程序首先取得访问你网站的来源(HTTP_REFERER),如果是从您已知的一个恶意域名 3bomb 过来的就不让它访问。
这就完成了对某一指定域名的屏蔽,这个域名极有可能就是一段木马程序的来源。注意:Referer 由客户端提交,可以随意伪造或省略,因此这种屏蔽只能挡住最简单的自动提交,不能当作防止站外提交(CSRF)的手段;真正的防护应在表单中加入一次性令牌并在服务端校验。

禁止某些ip访问 ---------------------
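' Deny requests from one IPv4 /24 (209.172.33.0/24).
' Uses a prefix match with a trailing dot: the original InStr substring test
' would also reject unrelated addresses such as 10.209.172.33.
' NOTE: REMOTE_ADDR is the TCP peer.  Behind a reverse proxy or load balancer
' it is the proxy's address, so this rule will not work there - and any
' X-Forwarded-For header is client-supplied and must not be trusted for this.
' IP blocks are easily evaded; treat them as a nuisance control, not a boundary.
Dim ip_block_prefix, remote_ip
ip_block_prefix = "209.172.33."
remote_ip = Cstr(Request.ServerVariables("REMOTE_ADDR"))
If Left(remote_ip, Len(ip_block_prefix)) = ip_block_prefix Then
Response.Write "拒绝访问"
response.End()
End If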

实在不行就通过 IP 进行屏蔽:如果访问来源属于某一个 IP 段就拒绝。注意 REMOTE_ADDR 在反向代理后面是代理的地址,而且 IP 屏蔽很容易通过更换 IP 绕过,只能作为临时手段。


