Never assume that user input is an appropriate size or contains only appropriate characters. Always validate user input before using it to make a decision. The most robust option is to put the validation in a COM component that you call from the ASP page; you can also use the Server.HTMLEncode method, the Server.URLEncode method, or one of the code examples at the bottom of this page. Keep in mind that HTMLEncode and URLEncode are output encodings: they make a value safe to write into HTML or into a URL, they do not check that the value is valid.
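As an added illustration that is not part of the original page, the following Node.js code shows the two habits this item asks for: an allow-list check that rejects a user name which does not match the expected pattern, and an encoding routine that handles the same core markup characters as Server.HTMLEncode (plus the single quote) before the value is written into a page. The user-name pattern, the HTML fragments and the sample inputs are assumptions made for the example.

```javascript
// Added example (not from the original page): allow-list validation of a
// user-supplied field plus HTML encoding for output. Runs stand-alone in
// Node.js; the sample values below stand in for Request.Form("UserName").

// Accept only what a user name should contain: letters, digits and
// underscore, 1 to 32 characters (an assumed policy). Anything else is
// rejected rather than silently cleaned up, so the caller can return an
// error to the client instead of continuing with altered data.
var USER_NAME = /^[A-Za-z0-9_]{1,32}$/;

function isValidUserName(value) {
  return typeof value === "string" && USER_NAME.test(value);
}

// Output encoding in the spirit of Server.HTMLEncode: every character that
// can open a tag or break out of an attribute value becomes an entity, so
// the browser never interprets data as markup. '&' is handled first so the
// entities produced afterwards are not double-encoded.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build the fragment the page would write. Invalid input yields an error
// message; in both branches the value is encoded before it is placed into
// HTML, so a failed validation check cannot be turned into script injection
// by putting markup into the field.
function greeting(userName) {
  if (!isValidUserName(userName)) {
    return "<p>Invalid user name: " + htmlEncode(userName) + "</p>";
  }
  return "<p>Hello, " + htmlEncode(userName) + "</p>";
}

// Constructed sample input, as if read from a posted form.
var samples = ["alice_01", "<script>alert(1)</script>", "bob' OR 1=1--"];
samples.forEach(function (s) {
  console.log(greeting(s));
});
```

Validation and encoding do different jobs and both are needed: the allow-list decides whether the request is acceptable at all, the encoding protects the page even for values that were never validated (an error message echoing the rejected input, for instance).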
Do not build a SQL statement or a database connection string in an ASP page by concatenating strings of user input. A malicious user can gain access to the database by inserting SQL into the input. If you are using a SQL database, call stored procedures and pass user values to them as parameters (for example through the Parameters collection of an ADODB.Command object) rather than placing the values in the SQL text.
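The following Node.js code is an added example, not part of the original page, that places the concatenated statement this item warns about next to the shape a parameterized command takes. It contacts no database; the table name, column names, stored procedure name and attacker input are assumed for the illustration, and the ADO calls shown in comments are what a classic ASP page would issue instead of the plain object returned here.

```javascript
// Added example (not from the original page): SQL text built by
// concatenation beside a parameterized command. Runs stand-alone in
// Node.js; no database is contacted. Table, column and procedure names
// are assumptions for the illustration.

// UNSAFE: user input is spliced into the SQL text. A single quote in the
// input closes the string literal and the rest of the input is parsed as SQL.
function concatenatedQuery(userName) {
  return "SELECT UserID FROM Users WHERE UserName = '" + userName + "'";
}

// SAFE: the SQL text is fixed and contains only a placeholder; the value
// travels separately and is bound by the driver, so it is never parsed as
// SQL. The command is returned as a plain object here so it can be inspected.
// In a classic ASP page the same is done with an ADODB.Command, for example:
//   cmd.CommandText = "usp_GetUserID";          // a stored procedure (assumed name)
//   cmd.CommandType = 4;                         // adCmdStoredProc
//   cmd.Parameters.Append(
//     cmd.CreateParameter("@UserName", 200, 1, 32, userName));
//                                                // adVarChar, adParamInput, size 32
function parameterizedQuery(userName) {
  return {
    text: "SELECT UserID FROM Users WHERE UserName = ?",
    params: [userName]
  };
}

// Constructed attacker input: closes the literal, adds an always-true
// condition and comments out the quote the template appends afterwards.
var PAYLOAD = "x' OR '1'='1' --";

// Counts how many OR-joined conditions the statement text contains. The
// template was written with one; the concatenated version ends up with two.
function conditionCount(sqlText) {
  return sqlText.split(/\bOR\b/i).length;
}

console.log(concatenatedQuery(PAYLOAD));
console.log(JSON.stringify(parameterizedQuery(PAYLOAD)));
```

The point the assertions make is structural: with concatenation the statement text depends on the input, so the input can change what the statement does; with parameters the text is identical for every input and the attacker's string is just a value compared against UserName.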
Do not use the default SQL Server administrator account, sa. Everyone who works with SQL Server knows that the sa account exists, so it is the first login an attacker will try. Create a separate administrative login with a strong password, give sa a strong password as well, and disable the sa account where your version of SQL Server allows it.
Hash client passwords before you store them; never store them in clear text. Base64, Server.HTMLEncode and Server.URLEncode are reversible encodings, not protection: use them only to make a hashed value safe to store or transmit, not as a substitute for hashing. You can also verify the characters in a client password with one of the code examples at the bottom of this page.
Do not place administrative account names or passwords in administration scripts or ASP pages.
Do not make decisions in your code based on request headers, because header data can be forged by a malicious user. Before using any request data, always encode it or verify the characters it contains, for example with the code examples at the bottom of this page.
Do not store sensitive data in cookies or in hidden input fields on the web page; both are under the client's control and can be read and modified.
Always use Secure Sockets Layer (SSL) for session-based applications so that session cookies are not sent in clear text. If the session cookie is not protected in transit, a malicious user who obtains a session cookie from one application can use it to enter another application running in the same process.
When writing ISAPI applications, ISAPI filters, or COM objects, watch for buffer overflows caused by assumptions about variable and data sizes: check the length of every input against the buffer that receives it. Also watch for canonicalization problems, where the same resource can be named in more than one way, for example an absolute path name being interpreted as a relative path name or as a URL; canonicalize a name before checking it, never after.
If an ASP application that runs in a single-threaded apartment (STA) is switched to a multi-threaded apartment (MTA), the impersonation token is lost. The application can then run without impersonation, that is, under the process identity, which may have access to resources the impersonated user should not be able to reach. If you must switch the threading model, disable the application before making the change, then unload it.
Code example

This code example contains a function that removes potentially harmful characters from the string passed to it. In both of the following examples the code page is set explicitly to ensure consistent encoding of the response. Note that the function strips characters rather than rejecting the input, so the value the page goes on to use may differ silently from what the client submitted; where a field has a known format, rejecting input that does not match it is the stronger choice. The first example uses Microsoft Visual Basic® Scripting Edition (VBScript); the RegExp object it relies on requires VBScript 5.0 or later:

    <%@ Language="VBScript" %>
    <%
      ' Fix the code page so the response is encoded consistently.
      Response.CodePage = 1252
      Response.Write("Hello, " & RemoveBadCharacters(Request.Form("UserName")))
      Response.Write("<BR>This is why you received an error: ")

      ' Removes every character that is not whitespace or a word character
      ' (letter, digit or underscore) anywhere in the string.
      Function RemoveBadCharacters(strTemp)
        Dim regEx
        Set regEx = New RegExp
        regEx.Pattern = "[^\s\w]"
        regEx.Global = True
        RemoveBadCharacters = regEx.Replace(strTemp, "")
      End Function
    %>

The following example uses Microsoft JScript®:

    <%@ Language="JScript" %>
    <%
      Response.CodePage = 1252;
      Response.Write("Hello, " + RemoveBadCharacters(Request.Form("UserName")));
      Response.Write("<BR>This is why you received an error: ");

      // Same filter as above: strip everything except whitespace and word
      // characters, across the whole string. String() forces the
      // Request.Form item object to a JScript string before replace() is called.
      function RemoveBadCharacters(strTemp) {
        strTemp = String(strTemp).replace(/[^\s\w]/g, "");
        return strTemp;
      }
    %>

(Excerpted from the Internet)