当前位置: 首页 > 图文教程 > 网络编程 > ASP > 加密QueryString数据

ASP
ASP下经常用的字符串等函数参考资料
asp下连接数据库 ASP链接数据库字符串大全总结
asp内置对象 ObjectContext 事务管理 详解
asp 内置对象 Application 详解
ASP中 SQL语句 使用方法
ASP 中 Split 函数的实例分析
ASP 中 DateDiff 函数详解 主要实现两日期加减操作
asp 存贮过程 (SQL版asp调用存储过程)
利用ASP实现在线生成电话图片效果脚本附演示
使用ASP记录在线用户的数量的代码
关于ASP生成伪参数技巧 简洁实用的伪(僞)参数
asp 关键词字符串分割如何实现方法
用ASP编写的加密和解密类
ASP之处理用Javascript动态添加的表单元素数据的代码
asp下最常用的19个基本技巧
一些Asp技巧和实用解决方法
asp实现一个统计当前在线用户的解决方案
asp下的一个很简单的验证码程序
asp又一个分页的代码例子
asp实现防止从外部提交数据的三种方法

ASP 中的 加密QueryString数据


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-11-03   浏览: 185 ::
收藏到网摘: n/a

  Problem with Query String Method  
Often time we use query string collection to retrieve an unique record from a table. Notice the following
piece of code -

Detail.asp?RecordID=200

Here we are passing a query string value called "RecordID" using the url. We then use the Query String collection "RecordID" to get the actual number -

<%
Dim RecordID
RecordID = Request.QueryString("RecordID")
%>

The problem with the above method is that we are exposing "RecordID" to the public. Hence making easy to hackers to just change the RecordID Query string to retrieve other values of the table.

Solution to the above problem

In order to solve the above problem, we will use two ASP pages and the ASP random number function to scramble the passing query string value so that the real record number is not exposed to others.

On the first page we get a random number with the following code -

<%
Randomize timer
' Randomizing the timer function
rndNum = abs(int((rnd() * 3001)))
' To generate a prime based,  non-negative random number..
rndNum = rndNum + 53
Session("rndNum") = rndNum
'We place the random number value in a session variable so that we can use it again in the next page %>

Now that we have our random number we will scramble our query string with it! Here is how -

<%
'Assuming you have a record set retrieved -
Display_Rs.movefirst
While not Display_Rs.Eof
Response.Write "<a href=detail.asp?RecordID="
Response.Write (Display_Rs("RecordID")*rndNum)
' Notice we are multiplying the actual record number with the random number to scramble the query 'string
Response.Write Display_Rs("RecordID") & "</a>"
Display_Rs.Movenext
Wend
%>

In the next page we will un-scramble the query string! Here is how -

<%
Dim RecordID
RecordID = request.querystring("RecordID")/Session("rndNum")
' We are dividing the record ID query string value with the same formula to un-scramble and pass the
actual record ID to the SQL statement
Session.abandon
' Releasing Session value for the next record
%>

That's it! Using the above method you can scramble a query string as much as you like. For example multiply the random number with a very complex formula to generate an even more difficult integer number.
The key point here is you divide  the number with the same formula yielding to the original value. This technique is not full proof but much more difficult to break in that passing a regular query string value.