Things to keep in mind when developing web pages with ASP. If you work with ASP, the points below are worth a look.
1. Never trust that user input is of the appropriate size or contains only the appropriate characters. User input should always be validated before it is used to make decisions. Your best option is to create a COM+ component that you can call from an ASP page to validate user input. You can also use the Server.HTMLEncode method, the Server.URLEncode method, or one of the code samples at the bottom of this page.
2. Do not build the database connection string in the ASP page by concatenating strings entered by the user. Malicious users can gain access to the database by injecting code into their input. If you are using a SQL database, use a stored procedure to create the database connection string.
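As an added example for points 1 and 2 (not code from the original article), the following VBScript page validates the user name against an allow-list pattern, rejects anything that does not match, and then hands the value to a stored procedure as a typed ADO parameter instead of concatenating it into SQL text. The connection string stored in Application("ConnString"), the procedure name dbo.usp_GetUserProfile and its DisplayName column are assumptions.

```vbscript
<%@ LANGUAGE=VBScript %>
<%
' Added example, not from the original article. ADO constants are declared
' as literals so the page does not depend on adovbs.inc.
Const adCmdStoredProc = 4
Const adVarChar = 200
Const adParamInput = 1

Response.CodePage = 1252

Dim strUser
strUser = Request.Form("UserName")

' Allow-list check: 1 to 32 word characters and nothing else. Input that
' fails is rejected outright rather than "cleaned up" and passed on.
Dim regEx
Set regEx = New RegExp
regEx.Pattern = "^\w{1,32}$"
If Not regEx.Test(strUser) Then
    Response.Status = "400 Bad Request"
    Response.Write("Invalid user name.")
    Response.End
End If

' The connection string is read from application state (Application("ConnString")
' is an assumption, set in global.asa); it is never assembled from user input
' and never written into the page itself.
Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")

' The SQL text is fixed; the user name travels as a typed, length-bounded
' parameter, so quotes or keywords in it cannot change the statement.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "dbo.usp_GetUserProfile"   ' assumed stored procedure
cmd.CommandType = adCmdStoredProc
cmd.Parameters.Append cmd.CreateParameter("@UserName", adVarChar, adParamInput, 32, strUser)

Set rs = cmd.Execute
If rs.EOF Then
    Response.Write("No such user.")
Else
    ' Encode on the way out so a stored value cannot inject markup into the page.
    Response.Write("Hello, " & Server.HTMLEncode(rs("DisplayName").Value & ""))
End If
rs.Close
conn.Close
%>
```

The validation step and the parameterised call are independent defences: the pattern check keeps garbage out of the application logic, and the typed parameter means that even a value which slipped past validation is treated by the database as data, not as part of the statement.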
3. Do not use the default SQL administrator account name, sa. Everyone who uses SQL knows that the sa account exists. Create a different SQL administrative account with a strong password, and delete the sa account.
4. Before you store client user passwords, apply a hash algorithm, Base64-encode them, or encode them with Server.HTMLEncode or Server.URLEncode. You can also use one of the code samples at the bottom of this page to check the characters in the client's password.
5. Do not place administrative account names or passwords in administrative scripts or ASP pages.
6. Do not make decisions in your code based on request headers, because header data can be forged by malicious users. Always encode request data before using it, or check the characters it contains with the code examples below.
7. Do not store security data in cookies or in hidden input fields in web pages.
Always use Secure Sockets Layer (SSL) with session-based applications to avoid sending session cookies unencrypted. If the session cookie is not encrypted, a malicious user can use a session cookie from one application to gain access to another application in the same process.
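As an added example for point 7 (not code from the original article), the following VBScript page refuses to run over plain HTTP, keeps the values that authorisation depends on in the server-side Session object rather than in a cookie or hidden field, and marks the one cookie it does write as Secure. The cookie name UiTheme and the session values are constructed for the example.

```vbscript
<%@ LANGUAGE=VBScript %>
<%
' Added example, not from the original article.

' 1. Require SSL. IIS sets the HTTPS server variable to "on" for encrypted
'    requests; anything else is redirected to the same page over https.
If LCase(Request.ServerVariables("HTTPS")) <> "on" Then
    Response.Redirect "https://" & Request.ServerVariables("SERVER_NAME") & _
                      Request.ServerVariables("SCRIPT_NAME")
End If

' 2. Security data stays on the server. The account id and role below are
'    constructed values; in a real application they come from the login step.
'    Neither is written to a cookie or a hidden form field.
Session("AccountId") = 12345
Session("Role") = "reader"

' 3. The page's own cookie carries only a display preference. Secure = True
'    tells the browser to send it over SSL only, so it is never exposed in
'    clear even if the user later opens an http:// link to the site.
Response.Cookies("UiTheme") = "dark"
Response.Cookies("UiTheme").Path = "/"
Response.Cookies("UiTheme").Secure = True

' 4. Authorisation decisions read the server-side value, never a cookie,
'    hidden field or request header that the client could have edited.
If Session("Role") = "admin" Then
    Response.Write("Administrative tools would be shown here.")
Else
    Response.Write("Welcome, " & Server.HTMLEncode(Session("Role")) & ".")
End If
%>
```

The redirect must run before any output is sent, which is why the SSL check is the first statement in the page; with response buffering on (the IIS default) this is safe even when the check appears after a few Response.Write calls, but putting it first avoids depending on that setting.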
8. When writing ISAPI applications, filters, or COM+ objects, watch for buffer overflows caused by the size of variables and data. Also watch for canonicalization issues that may result from interpretation, such as absolute path names being interpreted as relative path names or URLs.
9. When an ASP application running in a single-threaded apartment (STA) is switched to a multi-threaded apartment (MTA), the impersonation token is lost. This may cause the application to run without impersonation, so that it effectively runs with the identity of the process, which may allow access to other resources. If you must switch threading models, disable and uninstall the application before making the change.
Code examples
This code example contains a function that removes potentially harmful characters from a string passed to it. Both examples below set the code page to ensure correct encoding. The following example uses Microsoft Visual Basic® Scripting Edition (VBScript):
<%@ LANGUAGE=VBScript %>
<%
    Response.CodePage = 1252
    ' Filter the submitted user name before it is written back into the page.
    Response.Write("Hello, " & RemoveBadCharacters(Request.Form("UserName")))
    Response.Write("<BR>This is why you received an error:")

    ' Removes every character that is not whitespace (\s) or a word character (\w).
    Function RemoveBadCharacters(strTemp)
        Dim regEx
        Set regEx = New RegExp
        regEx.Pattern = "[^\s\w]"
        regEx.Global = True
        RemoveBadCharacters = regEx.Replace(strTemp, "")
    End Function
%>
The following example uses Microsoft JScript®:
<%@ LANGUAGE=JScript %>
<%
    Response.CodePage = 1252;
    // Filter the submitted user name before it is written back into the page.
    Response.Write("Hello, " + RemoveBadCharacters(Request.Form("UserName")));
    Response.Write("<BR>This is why you received an error:");

    // Removes every character that is not whitespace (\s) or a word character (\w).
    function RemoveBadCharacters(strTemp) {
        // Request.Form returns a collection item, not a JScript string,
        // so convert it before calling String.prototype.replace.
        strTemp = String(strTemp);
        strTemp = strTemp.replace(/[^\s\w]/g, "");
        return strTemp;
    }
%>
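The filter above silently alters input, which can also destroy legitimate data: in the VBScript RegExp engine \w matches only A-Z, a-z, 0-9 and underscore, so an apostrophe in a surname or an accented letter that is perfectly valid in code page 1252 is dropped along with anything dangerous. As an added example (not code from the original article), the following page runs the article's RemoveBadCharacters alongside an allow-list validator that reports whether the input is acceptable instead of changing it, over a few constructed inputs, and encodes everything it writes with Server.HTMLEncode.

```vbscript
<%@ LANGUAGE=VBScript %>
<%
' Added example, not from the original article. Contrasts stripping with
' validate-then-encode on constructed inputs.
Response.CodePage = 1252

' Same filter as the article's example: drop everything that is not a word
' character or whitespace.
Function RemoveBadCharacters(strTemp)
    Dim regEx
    Set regEx = New RegExp
    regEx.Pattern = "[^\s\w]"
    regEx.Global = True
    RemoveBadCharacters = regEx.Replace(strTemp, "")
End Function

' Allow-list validation: the input is accepted or rejected as a whole.
' Both the character class and the length are bounded.
Function IsValidUserName(strTemp)
    Dim regEx
    Set regEx = New RegExp
    regEx.Pattern = "^[A-Za-z0-9_]{1,32}$"
    IsValidUserName = regEx.Test(strTemp)
End Function

' Constructed inputs: a plain name, a surname with an apostrophe, a value
' carrying markup, and a name with an accented letter.
Dim samples, i
samples = Array("alice_01", "O'Brien", "bob<b>", "José")

For i = 0 To UBound(samples)
    ' Every value is HTML-encoded on output, whichever approach is used.
    Response.Write("<p>Input: " & Server.HTMLEncode(samples(i)) & "<br>")
    Response.Write("Stripped: " & Server.HTMLEncode(RemoveBadCharacters(samples(i))) & "<br>")
    Response.Write("Accepted: " & IsValidUserName(samples(i)) & "</p>")
Next
%>
```

Stripping turns the second and fourth inputs into different names without any error, while the validator rejects them and lets the application ask the user again; for fields where such characters are legitimate, the better fix is a pattern that allows them and relies on Server.HTMLEncode (and on parameterised database calls) at the point of use.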