当前位置: 首页 > 图文教程 > 网络编程 > ASP > 加密QueryString数据

ASP
asp获取客户端某一个图片的x,y坐标的代码
asp编程中常用的javascript辅助代码
asp下生成目录树结构的类
[原创]站长感慨asp编程究竟何去何从
asp水印组件之AspJpeg的结合代码实例
asp实现dig功能的js代码
[原创]asp下用实现模板加载的的几种方法总结
asp常用函数集合,非常不错以后研究
一个asp替换函数img里面多余的代码
检查上传图片是否合法的函数,木马改后缀名、图片加恶意代码均逃不过
一想千开PJblog审核功能补丁 v2.0版 发布
asp汉字中文图片验证码
用asp实现网页调用doc附Response.ContentType 详细列表
利用MSXML2.XmlHttp和Adodb.Stream采集图片
[原创]asp获取URL参数的几种方法分析总结
asp实现的可以提醒生日的几种方法附代码
Asp无组件生成缩略图的代码
功能不错的asp模板类代码附下载
不用WinRar只有asp将网络空间上的文件打包下载
AJAX简单应用实例-弹出层

ASP 中的 加密QueryString数据


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-11-03   浏览: 210 ::
收藏到网摘: n/a

  Problem with Query String Method  
Often time we use query string collection to retrieve an unique record from a table. Notice the following
piece of code -

Detail.asp?RecordID=200

Here we are passing a query string value called "RecordID" using the url. We then use the Query String collection "RecordID" to get the actual number -

<%
Dim RecordID
RecordID = Request.QueryString("RecordID")
%>

The problem with the above method is that we are exposing "RecordID" to the public. Hence making easy to hackers to just change the RecordID Query string to retrieve other values of the table.

Solution to the above problem

In order to solve the above problem, we will use two ASP pages and the ASP random number function to scramble the passing query string value so that the real record number is not exposed to others.

On the first page we get a random number with the following code -

<%
Randomize timer
' Randomizing the timer function
rndNum = abs(int((rnd() * 3001)))
' To generate a prime based,  non-negative random number..
rndNum = rndNum + 53
Session("rndNum") = rndNum
'We place the random number value in a session variable so that we can use it again in the next page %>

Now that we have our random number we will scramble our query string with it! Here is how -

<%
'Assuming you have a record set retrieved -
Display_Rs.movefirst
While not Display_Rs.Eof
Response.Write "<a href=detail.asp?RecordID="
Response.Write (Display_Rs("RecordID")*rndNum)
' Notice we are multiplying the actual record number with the random number to scramble the query 'string
Response.Write Display_Rs("RecordID") & "</a>"
Display_Rs.Movenext
Wend
%>

In the next page we will un-scramble the query string! Here is how -

<%
Dim RecordID
RecordID = request.querystring("RecordID")/Session("rndNum")
' We are dividing the record ID query string value with the same formula to un-scramble and pass the
actual record ID to the SQL statement
Session.abandon
' Releasing Session value for the next record
%>

That's it! Using the above method you can scramble a query string as much as you like. For example multiply the random number with a very complex formula to generate an even more difficult integer number.
The key point here is you divide  the number with the same formula yielding to the original value. This technique is not full proof but much more difficult to break in that passing a regular query string value.