20 mistakes that programmers can easily make

Source: Internet
Author: User
1. Do not send unfiltered user input back to the client.
For example, this line echoes a request parameter into the page without encoding it:
Response.Write "you have entered " & Request("userinput")
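To show what "filtering" means in practice, here is an added example that is not from the original article: a Python rendering of mistake 1 beside its fix. The advice is not specific to ASP, so Python is used as a language-independent illustration; in classic ASP the same encoding is done with Server.HTMLEncode. The function names and the sample inputs are constructed for this illustration.

```python
import html


def render_unsafe(user_input: str) -> str:
    """Mistake 1: the raw parameter is concatenated into the page, as the ASP line does."""
    return "you have entered " + user_input


def render_safe(user_input: str) -> str:
    """Encode the value for an HTML text context before writing it.
    The classic ASP equivalent is Server.HTMLEncode(Request("userinput"))."""
    return "you have entered " + html.escape(user_input, quote=True)


def render_in_attribute(user_input: str) -> str:
    """Echoing into an attribute needs the quotes encoded too (quote=True does that)."""
    return '<input name="userinput" value="' + html.escape(user_input, quote=True) + '">'


# Constructed sample inputs: a normal value and two that carry markup.
NORMAL_INPUT = "hello"
TAG_INPUT = "<script>alert(1)</script>"
ATTR_INPUT = '" onmouseover="x'

if __name__ == "__main__":
    print(render_unsafe(TAG_INPUT))         # the tag reaches the browser intact
    print(render_safe(TAG_INPUT))           # the browser shows it as literal text
    print(render_in_attribute(ATTR_INPUT))  # the value cannot close the attribute
```

The encoding has to match the context the value lands in: the text context and the attribute context above both need `<`, `>` and `&` encoded, and the attribute context additionally needs the quote characters encoded, which is why `quote=True` is passed in both places.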
2. Do not trust the client and session variables.
3. Do not forget to specify the character set.
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
4. Do not let users access files without processing the file path.
A request of this form is what the page expects:
http://www.example.net/article.asp?file=new.htm
But the same parameter can be turned into the following:
http://www.example.net/article.asp?file=/global.asa
http://www.example.net/article.asp?file=/../boot.ini
http://www.example.net/article.asp?file=LPT1
http://www.example.net/article.asp?file=/%2e%2e/global.asa
You can handle this situation with the following code:
<%
Set FSO = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
' GetFile fails (Err is set) when the requested path is not an existing file
Set F = FSO.GetFile(Request("file"))
If Err Then
    Response.Write "error"
Else
    Response.Write F.Path
End If
%>
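The check above establishes that the requested path exists, but on its own it does not keep the value of "file" inside the directory the page is meant to serve from. As an added example that is not part of the original article, here is a Python version of the confinement checks, written language-independently because the point applies to any server: the value is percent-decoded once, restricted to a bare file name with an allow-listed stem and extension, checked against the reserved Windows device names, and finally resolved and compared against the root directory. The directory name `articles`, the function name and the sample values are constructed for this illustration; the four abusive values are the ones from the URLs above.

```python
import os
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Constructed assumption: articles live under this directory and nowhere else.
ARTICLE_ROOT = os.path.realpath("articles")

# Reserved Windows device names; "LPT1" (and even "LPT1.htm") open the device, not a file.
_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"}
_DEVICE_NAMES |= {"COM%d" % i for i in range(1, 10)}
_DEVICE_NAMES |= {"LPT%d" % i for i in range(1, 10)}

# Allow-list for the part of the name before the extension.
_SAFE_STEM = re.compile(r"[A-Za-z0-9_-]+")


def resolve_article(file_param: str) -> Optional[str]:
    """Map the untrusted ?file= value to an absolute path under ARTICLE_ROOT, or None."""
    # Decode percent-encoding once, so "%2e%2e" is seen as ".." by the checks below.
    name = unquote(file_param)
    # Accept only a bare file name: any "/" or "\" (and so any ".." segment) is rejected.
    if posixpath.basename(name.replace("\\", "/")) != name:
        return None
    stem, ext = os.path.splitext(name)
    # Allow-list: an alphanumeric stem and the one extension article files use.
    if ext.lower() != ".htm" or not _SAFE_STEM.fullmatch(stem):
        return None
    if stem.upper() in _DEVICE_NAMES:
        return None
    candidate = os.path.realpath(os.path.join(ARTICLE_ROOT, name))
    # Defence in depth: the resolved path must still sit inside the root.
    if os.path.commonpath([ARTICLE_ROOT, candidate]) != ARTICLE_ROOT:
        return None
    return candidate


# The expected value followed by the four abusive values from the URLs above.
SAMPLE_REQUESTS = ["new.htm", "/global.asa", "/../boot.ini", "LPT1", "/%2e%2e/global.asa"]

if __name__ == "__main__":
    for value in SAMPLE_REQUESTS:
        print("%-22s -> %s" % (value, resolve_article(value) or "rejected"))
```

Only the first sample resolves; the other four are rejected before any file system call is made. The allow-list on the stem is what makes the check robust against encodings the decoder does not undo (a doubly encoded `%252e` stays as `%2e` and fails the pattern), and the final `commonpath` comparison guards the cases the earlier checks did not foresee.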

5. Do not perform SQL queries without filtering user input.
6. If your database content comes from user input, do not trust it.
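Mistakes 5 and 6 are the same defect seen from two sides: a value that is pasted into SQL text can change the query, whether it arrived in the request or was read back from the database earlier. As an added example that is not part of the original article, here is a language-independent Python illustration using an in-memory SQLite table: the unsafe lookup concatenates the name into the statement, the safe lookup binds it as a parameter. In classic ASP the parameterised form corresponds to an ADODB.Command with Parameters.Append rather than a concatenated string. The table, the function names and the sample inputs are constructed for this illustration.

```python
import sqlite3
from typing import List


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the site's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.net"), ("bob", "bob@example.net")],
    )
    return conn


def find_email_unsafe(conn: sqlite3.Connection, name: str) -> List[str]:
    """Mistake 5: the parameter becomes part of the SQL text, so it can alter the query."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn: sqlite3.Connection, name: str) -> List[str]:
    """Fix: bind the value as a parameter; the driver never interprets it as SQL.
    The same binding applies to values read back from the database (mistake 6)."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed inputs: a normal lookup and the textbook "always true" value.
NORMAL_NAME = "alice"
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_demo_db()
    print("unsafe:", find_email_unsafe(conn, TAUTOLOGY))  # every row comes back
    print("safe:  ", find_email_safe(conn, TAUTOLOGY))    # no user has that name
```

With the tautology as input, the unsafe lookup returns every row because the `WHERE` clause has been rewritten, while the safe lookup returns nothing because the driver compares the literal string against the `name` column. The fix is to bind every value, not to search the input for quote characters.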
7. Do not store passwords or other sensitive data on the ASP page.
8. Do not rely on weak security checks.
For example, an HTTP redirect or the maximum length of a text field in HTML.
9. Do not leave comments in HTML pages, especially ones that contain sensitive information.
10. Do not give the client more information than it needs.
For example, a logon page should not explain why a logon failed. If you tell the client things like "the password is four characters" or "this user does not exist", you are handing the unfriendly guys a chance!
11. Do not write files or perform database operations in the current path. Put data files and database files in a separate partition or directory outside the web root directory.
12. Do not include sensitive information in the URL.
13. Do not use .inc files.
Because IIS does not process .inc files by default, it is best to use the .inc.asp extension.
14. Do not send emails without verifying user input.
15. Do not store sensitive data in hidden form fields.
16. Do not let IIS handle errors, because it sends too much information to the client.
It is best to change the IIS script error setting to send only a plain text message.
17. Keep your code under control.
Delete unnecessary and temporary files such as test.asp or index.asp.bak.
18. Do not publish your code without testing.
19. Do not store unnecessary sensitive data in the database. That way, if your database is cracked, the loss is not made any greater.
20. Don't think this is enough. There are more cases to consider.

II. Instructions for using ADODB.Stream

Component: ADODB.Stream
It has the following methods:
Cancel method
The usage is as follows:
Object.Cancel
Description: cancels a pending asynchronous Execute or Open call.
Close method
The usage is as follows:
Object.Close
Description: closes the object.
CopyTo method
The usage is as follows:
Object.CopyTo(DestStream, [CharNumber])
Description: copies the data of the stream. DestStream is the stream to copy into. CharNumber is optional and gives the number of bytes or characters to copy; if it is omitted, everything is copied.
Flush method
The usage is as follows:
Object.Flush
Description:
LoadFromFile method
The usage is as follows:
Object.LoadFromFile(FileName)
Description: loads the file specified by FileName into the object. FileName is the name of the file to load.
Open method
The usage is as follows:
Object.Open(Source, [Mode], [Options], [UserName], [Password])
Description: opens the object.
Parameter description: Source is the data source of the object; normally it is not specified.
Mode specifies the open mode. The optional values are:
adModeRead = 1
adModeReadWrite = 3
adModeRecursive = 4194304
adModeShareDenyNone = 16
adModeShareDenyRead = 4
adModeShareDenyWrite = 8
adModeShareExclusive = 12
adModeUnknown = 0
adModeWrite = 2
Options:
adOpenStreamAsync = 1
adOpenStreamFromRecord = 4
adOpenStreamUnspecified = -1
UserName specifies the user name; normally it is not specified.
Password specifies the password for that user name.
Read method
The usage is as follows:
Object.Read(NumBytes)
Description: reads binary content of the specified length.
Parameter description: NumBytes specifies the number of bytes to read. If it is not specified, all data is read.

ReadText method
The usage is as follows:
Object.ReadText(NumChars)
Description: reads text of the specified length.
Parameter description: NumChars specifies the number of characters to read. If it is not specified, all data is read.

SaveToFile method
The usage is as follows:
Object.SaveToFile(FileName, [Options])
Description: writes the content of the object to the file specified by FileName.
Parameter description: FileName is the file to write to.
Options is the save option and may be omitted. The optional values are:
adSaveCreateNotExist = 1
adSaveCreateOverWrite = 2

SetEOS method
The usage is as follows:
Object.SetEOS()
Description:
SkipLine method
The usage is as follows:
Object.SkipLine()
Description:
Write method
The usage is as follows:
Object.Write(Buffer)
Description: writes the specified binary data into the object.
Parameter description: Buffer is the content to be written.
WriteText method
The usage is as follows:
Object.WriteText(Data, [Options])
Description: writes the specified text data into the object.
Parameter description: Data is the text to be written.
Options is the write option and may be omitted. The optional values are:
adWriteChar = 0
adWriteLine = 1

It has the following properties:
Charset: specifies the character set of the text data.
EOS: returns whether the end of the data in the object has been reached.

LineSeparator: specifies the line separator format. The optional values are:
adCR = 13
adCRLF = -1
adLF = 10

Mode: specifies or returns the open mode.

Position: specifies or returns the current position within the data in the stream.

Size: returns the size of the data in the object.

State: returns whether the object is open.

Type: specifies or returns the data type. The optional values are:
adTypeBinary = 1
adTypeText = 2

III. Dynamically including different files as needed (FSO is required)

The <!-- #include file="filename.asp" --> directive has a restriction:
the included file must exist, and it is merged in before the page is compiled, regardless of whether any surrounding condition is met.

It is common to need different files included under different conditions.
If the file to include depends on settings, you must include it dynamically.

The code is as follows:

Function Include(filename)
    Dim re, content, FSO, F, aspStart, aspEnd

    ' filename must be a value the server controls, never user input (see mistake 4):
    ' the code blocks in the file are executed below.
    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set F = FSO.OpenTextFile(Server.MapPath(filename))
    content = F.ReadAll
    F.Close
    Set F = Nothing
    Set FSO = Nothing

    ' A leading "=" (as in <%= expr %>) is turned into "Response.Write expr"
    Set re = New RegExp
    re.Pattern = "^\s*="
    aspEnd = 1
    aspStart = InStr(aspEnd, content, "<%") + 2
    Do While aspStart > aspEnd + 1
        ' Write the static text that precedes the next "<%"
        Response.Write Mid(content, aspEnd, aspStart - aspEnd - 2)
        ' "%\>" is the ASP escape for a literal "%>" inside a script block
        aspEnd = InStr(aspStart, content, "%\>") + 2
        ' Run the code between the delimiters
        Execute(re.Replace(Mid(content, aspStart, aspEnd - aspStart - 2), "Response.Write "))
        aspStart = InStr(aspEnd, content, "<%") + 2
    Loop
    ' Write whatever static text follows the last code block
    Response.Write Mid(content, aspEnd)
    Set re = Nothing
End Function

Example:

Include("youinc.asp")
