20 errors for programmers
1. Do not send unfiltered user input back to the client. For example:
       Response.Write "You have entered " & Request("UserInput")
2. Do not trust client-side values or session variables.
3. Do not forget to specify the character set:
       <meta http-equiv="content-type" content="text/html; charset=GB2312">
4. Do not let users access files without processing the file path. For example, this is the normal request:
       http://www.example.net/Article.asp?file=new.htm
   but the same page also accepts requests such as:
       http://www.example.net/Article.asp?file=/global.asa
       http://www.example.net/Article.asp?file=/../../../boot.ini
       http://www.example.net/Article.asp?file=lpt1
       http://www.example.net/Article.asp?file=/%2E%2e/global.asa
   This can be handled with the following method:
       <%
       Set fso = CreateObject("Scripting.FileSystemObject")
       On Error Resume Next
       Set f = fso.GetFile(Request("file"))
       If Err Then
           Response.Write "Error"
       Else
           Response.Write f.Path
       End If
       %>
5. Do not run SQL queries built from unfiltered user input.
6. If the content of your database came from user input, do not trust it either.
7. Do not store passwords or other sensitive data in ASP pages.
8. Do not rely on weak security checks such as HTTP redirection or the maximum-length limit of an HTML text field.
9. Do not leave comments in HTML pages, especially ones containing sensitive information.
10. Do not give the client more information than necessary. For example, when a login fails, say only that it failed; do not say whether the user name or the password was wrong, because that extra detail gives an ill-intentioned visitor something to work with.
11. Do not write files or operate on the database in the current path. Put files and database files on a separate partition or in a directory outside the web root.
12. Do not put sensitive information in .inc files.
13. Do not use the .inc extension at all, because IIS does not process .inc files by default and will serve their source; use the .inc.asp extension instead.
14. Do not send mail without verifying user input.
15. Do not keep sensitive data in hidden form fields.
16. Do not let IIS handle errors, because it sends too much information to the client. It is best to change the IIS script error setting to send only a text message.
17. Clean up your code. Delete temporary files such as test.asp and index.asp.bak.
18. Do not publish your code without testing it.
19. Do not put unnecessary sensitive data in the database, so that a compromise of the database causes less damage.
20. Do not assume this list is enough; consider more situations in practice.
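The GetFile approach in item 4 only reports whether the requested path resolves; it does not by itself reject "..", absolute paths or device names, and items 5 and 6 are stated without code. The following classic ASP page is an added example (not code from the original article) that handles both: it accepts only a plain article name, confirms the resolved path is still under the article directory, and looks a user up with a parameterised ADODB.Command instead of string-built SQL. The virtual directory /articles, the Users table and the connection string in strConn are assumptions.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example: hardened handling for checklist items 4, 5 and 6.
' Assumed layout: article files live under the virtual directory /articles;
' the database is reached through the connection string in strConn.

' Accept only a short name of letters, digits, underscore or hyphen that
' ends in .htm or .html. "/", "\", "..", "%2e" and "lpt1" never get
' past this check; a separate pattern rejects Windows device names, since
' "lpt1.htm" still opens the LPT1 device.
Function IsSafeArticleName(name)
    Dim re, reDevice
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_-]{1,64}\.html?$"
    Set reDevice = New RegExp
    reDevice.Pattern = "^(con|prn|aux|nul|com[1-9]|lpt[1-9])\."
    reDevice.IgnoreCase = True
    IsSafeArticleName = re.Test(name) And Not reDevice.Test(name)
    Set re = Nothing
    Set reDevice = Nothing
End Function

' Resolve the name under the article directory and confirm the absolute
' path still starts with that directory before reading the file.
Function ReadArticle(name)
    Dim fso, baseDir, fullPath, f
    ReadArticle = ""
    If Not IsSafeArticleName(name) Then Exit Function
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    baseDir = LCase(fso.GetAbsolutePathName(Server.MapPath("/articles")))
    fullPath = LCase(fso.GetAbsolutePathName(fso.BuildPath(baseDir, name)))
    If Left(fullPath, Len(baseDir) + 1) = baseDir & "\" Then
        If fso.FileExists(fullPath) Then
            Set f = fso.OpenTextFile(fullPath, 1)   ' 1 = ForReading
            ReadArticle = f.ReadAll
            f.Close
            Set f = Nothing
        End If
    End If
    Set fso = Nothing
End Function

' Items 5 and 6: the user name travels as a bound parameter, so it is
' never spliced into the SQL text. Returns 0 when no user matches.
Function FindUserId(strConn, userName)
    Dim cn, cmd, rs
    FindUserId = 0
    Set cn = Server.CreateObject("ADODB.Connection")
    cn.Open strConn
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandText = "SELECT UserId FROM Users WHERE UserName = ?"
    cmd.CommandType = 1   ' adCmdText
    ' 200 = adVarChar, 1 = adParamInput, 64 = declared size
    cmd.Parameters.Append cmd.CreateParameter("@u", 200, 1, 64, userName)
    Set rs = cmd.Execute
    If Not rs.EOF Then FindUserId = rs("UserId")
    rs.Close
    cn.Close
    Set rs = Nothing
    Set cmd = Nothing
    Set cn = Nothing
End Function

' Usage: the file name comes from the query string but is never echoed back
' (item 1); only a fixed message or the article body is written.
Dim body
body = ReadArticle(Request.QueryString("file"))
If body = "" Then
    Response.Write "Article not found"
Else
    Response.Write body
End If
%>
```

The prefix comparison against baseDir is what actually stops traversal: even if a future change loosens the name pattern, a name that resolves outside /articles is still refused.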
Second, ADODB.Stream instructions
The "ADODB.Stream" component has the following methods:

Cancel method
  Usage: Object.Cancel
  Description: Cancels execution of a pending asynchronous Execute or Open call.

Close method
  Usage: Object.Close
  Description: Closes the object.

CopyTo method
  Usage: Object.CopyTo(DestStream, [CharNumber])
  Description: Copies the object's data into DestStream, the stream object to copy to. CharNumber is optional and gives the number of bytes (or characters) to copy; if it is omitted, everything is copied.

Flush method
  Usage: Object.Flush
  Description: Flushes the stream's buffered contents to the underlying object.

LoadFromFile method
  Usage: Object.LoadFromFile(FileName)
  Description: Loads the file named FileName into the object. FileName is the file to load.

Open method
  Usage: Object.Open(Source, [Mode], [Options], [UserName], [Password])
  Description: Opens the object. Parameters:
    Source: the data source to open; may be omitted.
    Mode: the open mode; may be omitted. Optional values: adModeRead = 1, adModeReadWrite = 3, adModeRecursive = 4194304, adModeShareDenyNone = 16, adModeShareDenyRead = 4, adModeShareDenyWrite = 8, adModeShareExclusive = 12, adModeUnknown = 0, adModeWrite = 2
    Options: open options; may be omitted. Optional values: adOpenStreamAsync = 1, adOpenStreamFromRecord = 4, adOpenStreamUnspecified = -1
    UserName: the user name; may be omitted.
    Password: the password for UserName.

Read method
  Usage: Object.Read(NumBytes)
  Description: Reads binary content of the specified length. NumBytes specifies the number of bytes to read; if it is omitted, everything is read.

ReadText method
  Usage: Object.ReadText(NumChars)
  Description: Reads text of the specified length. NumChars specifies the number of characters to read; if it is omitted, everything is read.

SaveToFile method
  Usage: Object.SaveToFile(FileName, [Options])
  Description: Writes the object's contents to a file. FileName is the file to write. Options may be omitted; optional values: adSaveCreateNotExist = 1, adSaveCreateOverWrite = 2

SetEOS method
  Usage: Object.SetEOS()
  Description: Sets the end of the stream at the current position.

SkipLine method
  Usage: Object.SkipLine()
  Description: Skips one line when reading a text stream.

Write method
  Usage: Object.Write(Buffer)
  Description: Loads the specified binary data into the object. Buffer is the content to write.

WriteText method
  Usage: Object.WriteText(Data, [Options])
  Description: Loads the specified text into the object. Data is the text to write. Options may be omitted; optional values: adWriteChar = 0, adWriteLine = 1

The object has the following properties:
  Charset: specifies or returns the character set of the text data.
  EOS: returns whether the current position is at the end of the stream, i.e. no data remains in the object.
  LineSeparator: specifies the line-break format; optional values: adCR = 13, adCRLF = -1, adLF = 10
  Mode: specifies or returns the open mode.
  Position: specifies or returns the current pointer position within the object's data.
  Size: returns the size of the data within the object.
  State: returns whether the object is open.
  Type: specifies or returns the data type; optional values: adTypeBinary = 1, adTypeText = 2
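The reference above lists the members but not how they fit together. The following classic ASP page is an added example (not code from the original article) that uses them in the way item 11 of the checklist recommends: a report is written as UTF-8 text to a directory outside the web root, then streamed back to the client in binary chunks. The path D:\appdata\reports\daily.txt is a placeholder, and the download name is assumed to have been validated by the caller.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example: writing and serving a file with ADODB.Stream.
' Constants mirror the values in the reference above.
Const adTypeBinary = 1
Const adTypeText = 2
Const adSaveCreateOverWrite = 2
Const adWriteLine = 1
Const adLF = 10

' Write a UTF-8 text file with LF line endings. Type, Charset and
' LineSeparator must be set before Open and before any WriteText call.
Sub WriteTextReport(path, lines)
    Dim st, i
    Set st = Server.CreateObject("ADODB.Stream")
    st.Type = adTypeText
    st.Charset = "utf-8"
    st.LineSeparator = adLF
    st.Open
    For i = 0 To UBound(lines)
        st.WriteText lines(i), adWriteLine
    Next
    st.SaveToFile path, adSaveCreateOverWrite
    st.Close
    Set st = Nothing
End Sub

' Send a file to the client. Reading in fixed-size chunks until EOS keeps
' memory use flat for large files; Size supplies Content-Length up front.
Sub SendBinaryFile(path, downloadName)
    Dim st, chunk, safeName
    Const chunkSize = 65536
    Set st = Server.CreateObject("ADODB.Stream")
    st.Type = adTypeBinary
    st.Open
    st.LoadFromFile path
    ' Strip CR/LF from the name so it cannot split the response header.
    safeName = Replace(Replace(downloadName, vbCr, ""), vbLf, "")
    Response.Buffer = True
    Response.Clear
    Response.ContentType = "application/octet-stream"
    Response.AddHeader "Content-Disposition", "attachment; filename=""" & safeName & """"
    Response.AddHeader "Content-Length", CStr(st.Size)
    Do While Not st.EOS
        chunk = st.Read(chunkSize)
        Response.BinaryWrite chunk
        Response.Flush
    Loop
    st.Close
    Set st = Nothing
    Response.End
End Sub

' Usage with a constructed report; the path is outside the web root so
' the file is reachable only through this handler.
Dim reportPath
reportPath = "D:\appdata\reports\daily.txt"   ' placeholder path
WriteTextReport reportPath, Array("report generated", "status: ok")
SendBinaryFile reportPath, "daily.txt"
%>
```

Because the file is read with Type = adTypeBinary, the bytes are sent exactly as stored; switching to adTypeText would make the stream re-decode them with the current Charset.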
Third, dynamically including different files on demand (requires FSO support)
A file named in a #include directive must exist and is compiled into the page before it runs, regardless of any condition placed in front of the directive, so #include cannot choose a file at run time.
It is common to need different included files in different situations, for example a different file per user, so an include that is resolved dynamically is required.
The code is as follows:
    ' Reads an ASP file, writes its literal text, executes each <% ... %>
    ' block, and turns the <%= expr %> shorthand into Response.Write expr.
    Function Include(filename)
        Dim re, content, fso, f, aspStart, aspEnd
        Set fso = CreateObject("Scripting.FileSystemObject")
        Set f = fso.OpenTextFile(Server.MapPath(filename))
        content = f.ReadAll
        f.Close
        Set f = Nothing
        Set fso = Nothing
        Set re = New RegExp
        re.Pattern = "^\s*="          ' leading "=" marks an expression block
        aspEnd = 1
        aspStart = InStr(aspEnd, content, "<%") + 2
        Do While aspStart > aspEnd + 1
            ' literal text between the previous "%>" and this "<%"
            Response.Write Mid(content, aspEnd, aspStart - aspEnd - 2)
            aspEnd = InStr(aspStart, content, "%>") + 2
            ' code between "<%" and "%>", run in this function's scope
            Execute re.Replace(Mid(content, aspStart, aspEnd - aspStart - 2), "Response.Write ")
            aspStart = InStr(aspEnd, content, "<%") + 2
        Loop
        Response.Write Mid(content, aspEnd)   ' trailing literal text
        Set re = Nothing
    End Function
Usage example:
    Include("Youinc.asp")
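Because the included file is run through Execute, whoever controls the file name controls code execution on the server, which is item 4 of the checklist in its most serious form. The following page is an added example (not code from the original article) of a guarded front end: callers pass a short key that is looked up in a fixed map of template files, and the template is checked for an unterminated "<%" before anything is written, instead of failing mid-page with a runtime error. The virtual directory /templates and the three template names are assumptions.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example: allow-listed dynamic include with a well-formedness check.
' Assumption: template files live under /templates and are chosen by key.

' Map of allowed keys to template files (constructed for this example).
Function TemplateMap()
    Dim d
    Set d = Server.CreateObject("Scripting.Dictionary")
    d.Add "header", "/templates/header.inc.asp"
    d.Add "footer", "/templates/footer.inc.asp"
    d.Add "news",   "/templates/news.inc.asp"
    Set TemplateMap = d
End Function

' Return the template text for a key, or "" when the key is not allowed.
' The client never supplies a path, only a key that must exist in the map.
Function LoadTemplate(key)
    Dim map, fso, f
    LoadTemplate = ""
    Set map = TemplateMap()
    If Not map.Exists(key) Then Exit Function
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(Server.MapPath(map(key)), 1)   ' 1 = ForReading
    LoadTemplate = f.ReadAll
    f.Close
    Set f = Nothing
    Set fso = Nothing
End Function

' Render a template: literal text is written, <% ... %> blocks are executed,
' and <%= expr %> becomes Response.Write expr. Returns False and writes
' nothing when some "<%" has no matching "%>".
Function RenderTemplate(content)
    Dim re, aspStart, aspEnd, codeStart, codeEnd
    RenderTemplate = False
    ' First pass: every opening tag must have a closing tag after it.
    aspStart = InStr(1, content, "<%")
    Do While aspStart > 0
        aspEnd = InStr(aspStart + 2, content, "%>")
        If aspEnd = 0 Then Exit Function
        aspStart = InStr(aspEnd + 2, content, "<%")
    Loop
    ' Second pass: write and execute. aspEnd is the start of pending literal text.
    Set re = New RegExp
    re.Pattern = "^\s*="
    aspEnd = 1
    aspStart = InStr(aspEnd, content, "<%")
    Do While aspStart > 0
        Response.Write Mid(content, aspEnd, aspStart - aspEnd)
        codeStart = aspStart + 2
        codeEnd = InStr(codeStart, content, "%>")
        Execute re.Replace(Mid(content, codeStart, codeEnd - codeStart), "Response.Write ")
        aspEnd = codeEnd + 2
        aspStart = InStr(aspEnd, content, "<%")
    Loop
    Response.Write Mid(content, aspEnd)
    Set re = Nothing
    RenderTemplate = True
End Function

Sub IncludeByKey(key)
    Dim body
    body = LoadTemplate(key)
    If body = "" Then
        Response.Write "<!-- template not available -->"
    ElseIf Not RenderTemplate(body) Then
        Response.Write "<!-- template has an unterminated tag -->"
    End If
End Sub

' Usage: fixed keys for the page frame; the section key comes from the
' client but anything outside the map is refused before any file is read.
IncludeByKey "header"
IncludeByKey Request.QueryString("section")
IncludeByKey "footer"
%>
```

The map is the whole security boundary here: adding a template means adding a line to TemplateMap, and no request can reach a file the map does not name. An empty template file is reported as "not available" by this version, which is a deliberate simplification of the LoadTemplate sentinel.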