当前位置: 首页 > 图文教程 > 网络编程 > ASP > 加密QueryString数据

ASP
超级ASP版DataGrid:SkyGrid本地下载
用QuickWAP组件结合ASP建设Wap站点
ASP中取得图片宽度和高度的类(无组件)
在ASP处理程序时显示进度
结合FSO操作和Aspjpeg组件写的Class
asp实现的7xi音乐网的采集源代码
用asp+xmlhttp编写web采集程序
推荐ASP超速入门视频教程
关于“未指定的错误”的问题 的比较正解的解决方法
用asp脚本实现限制IP访问
aspupload 3.0 下载与使用集锦
[教程+分享]具有良好体验度的Web注册系统
asp 实现视频显示的效果函数
asp实现图片右键滑轮控制大小的函数
彻底掌握ASP分页技术杂谈
aspupload文件重命名及上传进度条的解决方法附代码
ASPJPEG综合操作的CLASS类
asp通用采集函数冗余版可以保存文件到本地
使用ODBC数据库管理Serv-U的FTP用户及相关ASP编程[附源码示例下载]
[asp]阿里西西的alexa采集效果代码

ASP 中的 加密QueryString数据


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-11-03   浏览: 200 ::
收藏到网摘: n/a

  Problem with Query String Method  
Often time we use query string collection to retrieve an unique record from a table. Notice the following
piece of code -

Detail.asp?RecordID=200

Here we are passing a query string value called "RecordID" using the url. We then use the Query String collection "RecordID" to get the actual number -

<%
Dim RecordID
RecordID = Request.QueryString("RecordID")
%>

The problem with the above method is that we are exposing "RecordID" to the public. Hence making easy to hackers to just change the RecordID Query string to retrieve other values of the table.

Solution to the above problem

In order to solve the above problem, we will use two ASP pages and the ASP random number function to scramble the passing query string value so that the real record number is not exposed to others.

On the first page we get a random number with the following code -

<%
Randomize timer
' Randomizing the timer function
rndNum = abs(int((rnd() * 3001)))
' To generate a prime based,  non-negative random number..
rndNum = rndNum + 53
Session("rndNum") = rndNum
'We place the random number value in a session variable so that we can use it again in the next page %>

Now that we have our random number we will scramble our query string with it! Here is how -

<%
'Assuming you have a record set retrieved -
Display_Rs.movefirst
While not Display_Rs.Eof
Response.Write "<a href=detail.asp?RecordID="
Response.Write (Display_Rs("RecordID")*rndNum)
' Notice we are multiplying the actual record number with the random number to scramble the query 'string
Response.Write Display_Rs("RecordID") & "</a>"
Display_Rs.Movenext
Wend
%>

In the next page we will un-scramble the query string! Here is how -

<%
Dim RecordID
RecordID = request.querystring("RecordID")/Session("rndNum")
' We are dividing the record ID query string value with the same formula to un-scramble and pass the
actual record ID to the SQL statement
Session.abandon
' Releasing Session value for the next record
%>

That's it! Using the above method you can scramble a query string as much as you like. For example multiply the random number with a very complex formula to generate an even more difficult integer number.
The key point here is you divide  the number with the same formula yielding to the original value. This technique is not full proof but much more difficult to break in that passing a regular query string value.