[导入][分享]封装了个 WSC 脚本组件(ASP 下的 PreparedStatement)
防注入一直是 ASP 的软肋, 我们都知道在 Java 中访问数据库有 PreparedStatement。这在 JSP 中访问数据库时防 SQL 注入提供了很大方便。
在 ASP 中要也有这么个东东就好了。ASP 一般都通过 ADODB 组件访问数据库的,其实 ADODB.Command 就有 Prepared 的功能。早上没事干就封装了一下,做成 WSC 脚本组件的形式。以方便以后的使用。
下面是 Connection.WSC 的代码:(代码以文本形式保存为 Connection.WSC 就可以了)
<?xml version="1.0" encoding="UTF-8"?> <?component error="0" debug="0" ?> <component> <comment>Alvin(ialvin.cn)</comment> <registration description="Connection" progid="ALIB.Connection" version="1.00" remotable="true" classid="{46dac711-0b77-43b2-b195-1ee912dcb322}"></registration> <public> <property name="Count"><get/></property> <property name="ActiveConnection"><get/></property> <property name="ConnectionString"><get/><put/></property> <method name="Prepare"><PARAMETER name="sql"/></method> <method name="ResetParam"></method> <method name="Open"></method> <method name="Execute"></method> <method name="QueryS"></method> <method name="Query"><PARAMETER name="cursorType"/><PARAMETER name="lockType"/></method> <method name="OpenRS"><PARAMETER name="rs"/><PARAMETER name="cursorType"/><PARAMETER name="lockType"/></method> <method name="EncodeLike"><PARAMETER name="str"/></method> <method name="SetNull"></method> <method name="SetInt"><PARAMETER name="num"/></method> <method name="SetFloat"><PARAMETER name="num"/></method> <method name="SetString"><PARAMETER name="str"/></method> <method name="SetBinary"><PARAMETER name="bits"/></method> <method name="SetBoolean"><PARAMETER name="bln"/></method> <method name="SetDateTime"><PARAMETER name="dt"/></method> </public> <object progid="ADODB.Command" id='oCMD'/> <object progid="ADODB.RecordSet" id='oRS'/> <implements type="ASP" id="ASP"/> <script language="VBScript"><![CDATA[ Dim coxn: Set coxn = New Connection Class Connection Private conn, coxnStr, cnt, opened Public Property Get ActiveConnection() Set ActiveConnection = conn End Property Public Property Get Count() Count = cnt End Property Public Property Get ConnectionString() ConnectionString = coxnStr End Property Public Property Let ConnectionString(ByVal newValue) coxnStr = newValue End Property Private Sub Class_Initialize() cnt = 0 opened = False End Sub Public Sub OpenConnection() Set conn = CreateObject("ADODB.Connection") conn.Open coxnStr oCMD.Prepared = True oCMD.CommandType = 1 Set oCMD.ActiveConnection = conn opened = True End Sub Public Sub Prepare(ByVal sql) If Not opened Then Call OpenConnection() Call ResetParam() oCMD.CommandText = sql End Sub Public Sub AppendParameter(ByVal value, ByVal dataType) Dim param: Set param = oCMD.CreateParameter() param.Type = dataType param.Value = value param.Direction = 1 Call oCMD.Parameters.Append(param) End Sub Public Function Execute() Set Execute = oCMD.Execute() cnt = cnt + 1 End Function Public Sub OpenRS(ByRef rs, ByVal cursorType, ByVal lockType) rs.CursorType = cursorType rs.LockType = lockType Call rs.Open(oCMD) cnt = cnt + 1 End Sub Public Sub ResetParam() While oCMD.Parameters.Count > 0 oCMD.Parameters.Delete 0 Wend End Sub Private Sub Class_Terminate() If IsObject(conn) Then If conn.State=1 Then Call conn.Close() Set conn = Nothing End If End Sub End Class Function get_ConnectionString() get_ConnectionString = coxn.ConnectionString End Function Function put_ConnectionString(newValue) coxn.ConnectionString = newValue End Function Function get_ActiveConnection() Set get_ConnectionString = coxn.ActiveConnection End Function Function get_Count() get_Count = coxn.Count End Function Function Prepare(ByVal sql) Call coxn.Prepare(sql) End Function Function SetInt(ByVal num) Call coxn.AppendParameter(num, 3) End Function Function SetFloat(ByVal num) Call coxn.AppendParameter(num, 4) End Function Function SetString(ByVal str) Call coxn.AppendParameter(str, 8) End Function Function SetDateTime(ByVal dt) Call coxn.AppendParameter(dt, 135) End Function Function SetBoolean(ByVal bln) Call coxn.AppendParameter(bln, 11) End Function Function SetBinary(ByRef bits) Dim param Set param = oCMD.CreateParameter("", 205, &H001, -1) Call param.AppendChunk(bits) Call oCmd.Parameters.Append(param) Set param = Nothing End Function Function SetNull() Call oCMD.Parameters.Append(oCMD.CreateParameter("", 200, &H0001, 1, Null)) End Function Function Open() Call coxn.OpenConnection() End Function Function Execute() Set Execute = coxn.Execute() End Function Function OpenRS(ByRef rs, ByVal cursorType, ByVal lockType) Call coxn.OpenRS(rs, cursorType, lockType) End Function Function Query(ByVal cursorType, ByVal lockType) Set Query = CreateObject("ADODB.RecordSet") Call OpenRS(Query, cursorType, lockType) End Function Function QueryS() QueryS = Null Call OpenRS(oRS, 0, 1) If oRS.State <> 1 Then Exit Function If Not oRS.EOF Then QueryS = oRS.Fields.Item(0).Value Call oRS.Close() End Function Function ResetParam() Call coxn.ResetParam() End Function Function EncodeLike(ByVal str) Dim regex: Set regex = New RegExp regex.Pattern = "[\]\[`\-=\\;',./~!@#$%^&*()_+|{}:""<>?]" regex.Global = True EncodeLike = regex.Replace(str, "[$+]") Set regex = Nothing End Function ]]></script> </component>
这是一个脚本,但它却是一个不折不扣的 ActiveX 组件了。
保存成 Connection.WSC 后,右键菜单可以选择注册和注销。
使用方法:
<% Dim coxn, rs, connStr connStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("data.mdb") ' 创建对象 (无注册组件) --------------------- Set coxn = GetObject("script:" & Server.MapPath("Connection.WSC")) coxn.ConnectionString = connStr ' ... Set coxn = Nothing ' 或者 (需要注册组件) ---------------------- Set coxn = Server.CreateObject("ALIB.Connection") ' coxn.ConnectionString = connStr '... Set coxn = Nothing %>
' 执行无返回结果的 SQL Call coxn.Prepare("Insert INTO [test] VALUES(?, ?, ?, ?, ?, ?, ?)") Call coxn.SetInt(1) Call coxn.SetFloat(106.56) Call coxn.SetString("测试") Call coxn.SetDateTime(Now()) Call coxn.SetNull() Call coxn.SetBoolean(True) Call coxn.SetBinary(bits) ' 二进制数据 [byte() 数组] Call coxn.Execute()
'查询返回唯一值的 SQL coxn.Prepare "SELECT Count(*) FROM [test] WHERE [id]>? AND [title]=?" coxn.SetInt 10 coxn.SetString "测试" result = coxn.QueryS() ' 直接返回结果,而不是 RecordSet Response.Write result
' 普通查询 coxn.Prepare "SELECT * FROM [test] WHERE [id]>? AND [title]=?" coxn.SetInt 10 coxn.SetString "测试" Set rs = coxn.Execute() .... rs.Close Set rs = Nothing
' 返回指定了 CursorType、LockType 的 RecordSet coxn.Prepare "SELECT * FROM [test] WHERE [id]>? AND [title]=?" coxn.SetInt 10 coxn.SetString "测试" Set rs = coxn.Query(1, 1) ' coxn.Execute() 相当于 coxn.Query(0, 1) .... rs.Close Set rs = Nothing
' 打开现有的 RecordSet ' 先建立了 RecordSet Set rs = Server.CreateObject("ADODB.RecordSet") coxn.Prepare "SELECT * FROM [test] WHERE [id]>? AND [title]=?" coxn.SetInt 10 coxn.SetString "测试" Call coxn.OpenRS(rs, 1, 1) ' 打开 rs ' 操作 rs ' ... Call rs.Close() '关闭 rs Call coxn.Prepare("SELECT * FROM [test] WHERE 1=2") Call coxn.OpenRS(rs, 1, 3) '再次打开 rs Call rs.AddNew() rs("title") = "测试2" Call rs.Update() Call rs.Close() ' 关闭 rs Set rs = Nothing
大家如果发现有问题漏洞什么的欢迎留言告知,大家也可以自行完善一下。
文章来源: http://www.ialvin.cn/blog/article.asp?id=154
在 ASP 中要也有这么个东东就好了。ASP 一般都通过 ADODB 组件访问数据库的,其实 ADODB.Command 就有 Prepared 的功能。早上没事干就封装了一下,做成 WSC 脚本组件的形式。以方便以后的使用。
下面是 Connection.WSC 的代码:(代码以文本形式保存为 Connection.WSC 就可以了)
<?xml version="1.0" encoding="UTF-8"?> <?component error="0" debug="0" ?> <component> <comment>Alvin(ialvin.cn)</comment> <registration description="Connection" progid="ALIB.Connection" version="1.00" remotable="true" classid="{46dac711-0b77-43b2-b195-1ee912dcb322}"></registration> <public> <property name="Count"><get/></property> <property name="ActiveConnection"><get/></property> <property name="ConnectionString"><get/><put/></property> <method name="Prepare"><PARAMETER name="sql"/></method> <method name="ResetParam"></method> <method name="Open"></method> <method name="Execute"></method> <method name="QueryS"></method> <method name="Query"><PARAMETER name="cursorType"/><PARAMETER name="lockType"/></method> <method name="OpenRS"><PARAMETER name="rs"/><PARAMETER name="cursorType"/><PARAMETER name="lockType"/></method> <method name="EncodeLike"><PARAMETER name="str"/></method> <method name="SetNull"></method> <method name="SetInt"><PARAMETER name="num"/></method> <method name="SetFloat"><PARAMETER name="num"/></method> <method name="SetString"><PARAMETER name="str"/></method> <method name="SetBinary"><PARAMETER name="bits"/></method> <method name="SetBoolean"><PARAMETER name="bln"/></method> <method name="SetDateTime"><PARAMETER name="dt"/></method> </public> <object progid="ADODB.Command" id='oCMD'/> <object progid="ADODB.RecordSet" id='oRS'/> <implements type="ASP" id="ASP"/> <script language="VBScript"><![CDATA[ Dim coxn: Set coxn = New Connection Class Connection Private conn, coxnStr, cnt, opened Public Property Get ActiveConnection() Set ActiveConnection = conn End Property Public Property Get Count() Count = cnt End Property Public Property Get ConnectionString() ConnectionString = coxnStr End Property Public Property Let ConnectionString(ByVal newValue) coxnStr = newValue End Property Private Sub Class_Initialize() cnt = 0 opened = False End Sub Public Sub OpenConnection() Set conn = CreateObject("ADODB.Connection") conn.Open coxnStr oCMD.Prepared = True oCMD.CommandType = 1 Set oCMD.ActiveConnection = conn opened = True End Sub Public Sub Prepare(ByVal sql) If Not opened Then Call OpenConnection() Call ResetParam() oCMD.CommandText = sql End Sub Public Sub AppendParameter(ByVal value, ByVal dataType) Dim param: Set param = oCMD.CreateParameter() param.Type = dataType param.Value = value param.Direction = 1 Call oCMD.Parameters.Append(param) End Sub Public Function Execute() Set Execute = oCMD.Execute() cnt = cnt + 1 End Function Public Sub OpenRS(ByRef rs, ByVal cursorType, ByVal lockType) rs.CursorType = cursorType rs.LockType = lockType Call rs.Open(oCMD) cnt = cnt + 1 End Sub Public Sub ResetParam() While oCMD.Parameters.Count > 0 oCMD.Parameters.Delete 0 Wend End Sub Private Sub Class_Terminate() If IsObject(conn) Then If conn.State=1 Then Call conn.Close() Set conn = Nothing End If End Sub End Class Function get_ConnectionString() get_ConnectionString = coxn.ConnectionString End Function Function put_ConnectionString(newValue) coxn.ConnectionString = newValue End Function Function get_ActiveConnection() Set get_ConnectionString = coxn.ActiveConnection End Function Function get_Count() get_Count = coxn.Count End Function Function Prepare(ByVal sql) Call coxn.Prepare(sql) End Function Function SetInt(ByVal num) Call coxn.AppendParameter(num, 3) End Function Function SetFloat(ByVal num) Call coxn.AppendParameter(num, 4) End Function Function SetString(ByVal str) Call coxn.AppendParameter(str, 8) End Function Function SetDateTime(ByVal dt) Call coxn.AppendParameter(dt, 135) End Function Function SetBoolean(ByVal bln) Call coxn.AppendParameter(bln, 11) End Function Function SetBinary(ByRef bits) Dim param Set param = oCMD.CreateParameter("", 205, &H001, -1) Call param.AppendChunk(bits) Call oCmd.Parameters.Append(param) Set param = Nothing End Function Function SetNull() Call oCMD.Parameters.Append(oCMD.CreateParameter("", 200, &H0001, 1, Null)) End Function Function Open() Call coxn.OpenConnection() End Function Function Execute() Set Execute = coxn.Execute() End Function Function OpenRS(ByRef rs, ByVal cursorType, ByVal lockType) Call coxn.OpenRS(rs, cursorType, lockType) End Function Function Query(ByVal cursorType, ByVal lockType) Set Query = CreateObject("ADODB.RecordSet") Call OpenRS(Query, cursorType, lockType) End Function Function QueryS() QueryS = Null Call OpenRS(oRS, 0, 1) If oRS.State <> 1 Then Exit Function If Not oRS.EOF Then QueryS = oRS.Fields.Item(0).Value Call oRS.Close() End Function Function ResetParam() Call coxn.ResetParam() End Function Function EncodeLike(ByVal str) Dim regex: Set regex = New RegExp regex.Pattern = "[\]\[`\-=\\;',./~!@#$%^&*()_+|{}:""<>?]" regex.Global = True EncodeLike = regex.Replace(str, "[$+]") Set regex = Nothing End Function ]]></script> </component>
这是一个脚本,但它却是一个不折不扣的 ActiveX 组件了。
保存成 Connection.WSC 后,右键菜单可以选择注册和注销。
使用方法:
<% Dim coxn, rs, connStr connStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("data.mdb") ' 创建对象 (无注册组件) --------------------- Set coxn = GetObject("script:" & Server.MapPath("Connection.WSC")) coxn.ConnectionString = connStr ' ... Set coxn = Nothing ' 或者 (需要注册组件) ---------------------- Set coxn = Server.CreateObject("ALIB.Connection") ' coxn.ConnectionString = connStr '... Set coxn = Nothing %>
' 执行无返回结果的 SQL Call coxn.Prepare("Insert INTO [test] VALUES(?, ?, ?, ?, ?, ?, ?)") Call coxn.SetInt(1) Call coxn.SetFloat(106.56) Call coxn.SetString("测试") Call coxn.SetDateTime(Now()) Call coxn.SetNull() Call coxn.SetBoolean(True) Call coxn.SetBinary(bits) ' 二进制数据 [byte() 数组] Call coxn.Execute()
'查询返回唯一值的 SQL coxn.Prepare "SELECT Count(*) FROM [test] WHERE [id]>? AND [title]=?" coxn.SetInt 10 coxn.SetString "测试" result = coxn.QueryS() ' 直接返回结果,而不是 RecordSet Response.Write result
' 普通查询 coxn.Prepare "SELECT * FROM [test] WHERE [id]>? AND [title]=?" coxn.SetInt 10 coxn.SetString "测试" Set rs = coxn.Execute() .... rs.Close Set rs = Nothing
' 返回指定了 CursorType、LockType 的 RecordSet coxn.Prepare "SELECT * FROM [test] WHERE [id]>? AND [title]=?" coxn.SetInt 10 coxn.SetString "测试" Set rs = coxn.Query(1, 1) ' coxn.Execute() 相当于 coxn.Query(0, 1) .... rs.Close Set rs = Nothing
' 打开现有的 RecordSet ' 先建立了 RecordSet Set rs = Server.CreateObject("ADODB.RecordSet") coxn.Prepare "SELECT * FROM [test] WHERE [id]>? AND [title]=?" coxn.SetInt 10 coxn.SetString "测试" Call coxn.OpenRS(rs, 1, 1) ' 打开 rs ' 操作 rs ' ... Call rs.Close() '关闭 rs Call coxn.Prepare("SELECT * FROM [test] WHERE 1=2") Call coxn.OpenRS(rs, 1, 3) '再次打开 rs Call rs.AddNew() rs("title") = "测试2" Call rs.Update() Call rs.Close() ' 关闭 rs Set rs = Nothing
大家如果发现有问题漏洞什么的欢迎留言告知,大家也可以自行完善一下。
文章来源: http://www.ialvin.cn/blog/article.asp?id=154