ASP can use an ORM too: putting an end to SQL injection in ASP


Author: kj021320
Information Source: evil

Most of my friends who write ASP or PHP code probably use SQL directly ~
Look at the following code:

<%
Dim conn, rs
Set conn = CreateObject("ADODB.Connection")
conn.Open ....
Set rs = conn.Execute("select * from news")
...
' traverse rs ....
%>


This certainly runs fast, but the structure and the logic are tangled together, and it becomes a real problem once there are more statements.
Parameters are not filtered, so SQL injection exists ~ OK, let's change the design.
Three-layer structure + ORM
ORM: Object Relational Mapping
What is ORM? Anyone familiar with Java or .NET development will know it: object-relational mapping.
A table maps to a class, a field to a property, and a record to an object. The Java world now has any number of ORM persistence-layer frameworks,
for example Hibernate, iBATIS, and EntityBean (part of EJB).

What about ASP? We can implement the same idea.

Three-layer structure: web presentation layer, middle layer, persistence layer.

Here is a simple news table.

CREATE TABLE news (
    id int,
    title varchar(200),
    contect varchar(50000)
)

We map it to a class.

<%
Class News
    Private id, title, contect

    Public Sub setID(sid)
        id = CInt(sid)                  ' only an integer can ever be stored
    End Sub

    Public Function getID()
        getID = id
    End Function

    Public Sub setTitle(stitle)
        title = Mid(stitle, 1, 200)     ' limit the length to the column width
    End Sub

    ' .... setContect / getTitle / getContect follow the same pattern
End Class
%>

Then we design the code that converts between the database and the object.

<%
' ADO constants used below
Const adCmdText = 1        ' CommandType: plain SQL text
Const adInteger = 3
Const adVarWChar = 202
Const adParamInput = 1

Function GetCmd()
    Set GetCmd = CreateObject("ADODB.Command")
End Function

Class NewsDataAccessObject
    Private conn, rs, cmd

    ' Query one news item
    Public Function getNewsByID(id)
        Dim selectString, anew
        Set conn = Application("connection")   ' connection kept in Application
        Set cmd = GetCmd()
        ' "?" is ADO's positional parameter marker; the value is bound below
        ' and never concatenated into the SQL text
        selectString = "select * from NEWS where id = ?"

        cmd.ActiveConnection = conn
        cmd.CommandType = adCmdText
        cmd.CommandText = selectString
        ' CreateParameter(name, type, direction, size, value): the id is the value
        cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , id)
        ' execute the SQL statement and take the result set
        Set rs = cmd.Execute()
        Set anew = New News
        If Not rs.EOF Then
            anew.setID rs("id") & ""
            anew.setTitle rs("title") & ""
            anew.setContect rs("contect") & ""
        End If
        rs.Close
        Set rs = Nothing
        Set cmd = Nothing
        Set conn = Nothing
        Set getNewsByID = anew
    End Function

    ' Insert one news item
    Public Function addNews(anew)
        Dim insertString
        addNews = False
        If IsEmpty(anew) Then Exit Function
        Set conn = Application("connection")
        Set cmd = GetCmd()
        insertString = "insert into NEWS (id, title, contect) values (?, ?, ?)"
        cmd.ActiveConnection = conn
        cmd.CommandType = adCmdText
        cmd.CommandText = insertString
        ' parameters are appended in the same order as the ? markers
        cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , anew.getID())
        cmd.Parameters.Append cmd.CreateParameter("@title", adVarWChar, adParamInput, 200, anew.getTitle())
        cmd.Parameters.Append cmd.CreateParameter("@contect", adVarWChar, adParamInput, 50000, anew.getContect())

        ' run the SQL statement
        cmd.Execute
        Set cmd = Nothing
        Set conn = Nothing
        addNews = True
    End Function

    Public Function findByTitle(stitle)
        ....
    End Function

    Public Function getPageNews(page, size)
        ....
    End Function
End Class
%>
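As an added example (not code from the original post), here is one way the elided findByTitle could be filled in with the same ADO Command pattern, covering the one case a parameterized LIKE still leaves open: the user's own wildcard characters. It assumes the GetCmd helper and the Application("connection") object from the DAO above, and SQL Server syntax for LIKE ... ESCAPE; the function is written at top level so it can be pasted into the class unchanged.

```vbscript
<%
' Added example: a parameterized title search for NewsDataAccessObject.
' Assumes GetCmd() and Application("connection") from the DAO above.
Const adCmdText = 1
Const adVarWChar = 202
Const adParamInput = 1

' Escape the LIKE wildcards so that a search for "50%" matches a literal
' percent sign. The parameter already stops injection; this only stops the
' search term from being turned into a match-everything pattern.
Function EscapeLike(s)
    Dim r
    r = Replace(s, "\", "\\")
    r = Replace(r, "%", "\%")
    r = Replace(r, "_", "\_")
    r = Replace(r, "[", "\[")
    EscapeLike = r
End Function

' Return an array of News objects whose title contains stitle.
' The search term travels as a bound parameter value, never as SQL text.
Function findByTitle(stitle)
    Dim conn, cmd, rs, results, anew, pattern
    Set conn = Application("connection")
    Set cmd = GetCmd()
    cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "select id, title, contect from NEWS " & _
                      "where title like ? escape '\'"
    ' at most 200 chars of input, each possibly escaped to 2, plus the two %
    pattern = "%" & EscapeLike(Mid(stitle, 1, 200)) & "%"
    cmd.Parameters.Append cmd.CreateParameter("@pattern", adVarWChar, adParamInput, 402, pattern)
    Set rs = cmd.Execute()
    results = Array()
    Do Until rs.EOF
        Set anew = New News
        anew.setID rs("id") & ""
        anew.setTitle rs("title") & ""
        anew.setContect rs("contect") & ""
        ReDim Preserve results(UBound(results) + 1)
        Set results(UBound(results)) = anew
        rs.MoveNext
    Loop
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
    findByTitle = results
End Function
%>
```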

The code above operates the database and either packs the result into an object or writes an object back to the database.
Although this is somewhat slower, the overall logic is clear, and you no longer need to worry about whether a variable has been filtered, or filtered twice.
Page designers can concentrate on the interface.
The following code submits and adds a news item.

<%
Dim id, title, contect, anew, dao
id = Request("id")
title = Request.Form("title")
contect = Request.Form("contect")
Set anew = New News
anew.setID(id)
anew.setTitle(title)
anew.setContect(contect)
Set dao = New NewsDataAccessObject
If dao.addNews(anew) Then
    Response.Write "success"
Else
    Response.Write "error"
End If
%>


Display the news

<%
Dim id, dao, anew
id = Request("id")
Set dao = New NewsDataAccessObject
Set anew = dao.getNewsByID(id)
If anew.getID() <> "" Then
%>
Title: <%= anew.getTitle() %>
Content: <%= anew.getContect() %>

.....


If any of the code above is wrong or missing something, corrections are welcome ~~~
With this design you do not end up like the xxxblog, xxxbbs and xxx article systems,
where injection appears the moment someone forgets a Replace(SQL...)!
The pages stay clean, with no SQL statements in them; the connection and the rest of the plumbing are handled in their own layer, and the page only places object attributes where they belong.
Some may think of user authentication: it is simpler to put a User object built from the user table into the session.

<%
' IsObject is used instead of comparing the session value with "", because
' VBScript's Or does not short-circuit and an object cannot be compared to ""
If Not IsObject(Session("user")) Then
    ' redirect to the login page here
Else
    Set auser = Session("user")
    Response.Write "Welcome: " & auser.getName()
End If
%>

