转义 ASP/ASP.net 中的所有 POST/GET 参数
我是一名 PHP 开发人员,试图解决 ASP/ASP.net (.aspx) 中的问题。我们有一个非常旧的应用程序,存在许多安全问题(在多个页面上,到处都是,一团糟)。
为了解决这个问题,我正在考虑在每个页面的顶部添加一些代码,以在应用程序处理任何 POST/GET 请求之前转义它。
如果是 PHP,我会在前面添加一个 PHP 文件(使用 .htaccess - auto_prepend)并基本上执行以下操作:
foreach($_POST as $myval => $anything)
{
$_POST[$myval] = htmlspecialchars($_POST[$myval]);
.. other escaping ..
}
ASP 中有这样的东西吗?只是想在传递到那些没人想碰的混乱代码之前转义任何用户输入:(
I am a PHP developer trying to solve a problem in ASP/ASP.net (.aspx). We have a very old application that is having many security issues (on multiple pages, everywhere, big mess).
To solve this problem, I was thinking on adding some code to the top of every page to escape any POST/GET request before getting it processed by the application.
If it was PHP, I would prepend a PHP file (using .htaccess - auto_preppend) and basically do:
foreach($_POST as $myval => $anything)
{
$_POST[$myval] = htmlspecialchars($_POST[$myval]);
.. other escaping ..
}
Is there such a thing in ASP? Just want to escape any user input before passing to that mess of code that nobody wants to touch :(
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
这是 ASP 还是 ASP.NET?完全不同的野兽。如果您使用 .NET,您可以使用类似以下内容:
在 VB
或 C#中
Is this ASP or ASP.NET? Different beasts entirely. If you're using .NET you could use something like:
in VB
or C#
从个人控制的角度来看,这可能会有所帮助:防止文本框中出现特殊字符
如果您想保护整个表单免受脚本注入攻击,请查看 RequestValidation:http://www.asp.net/learn/whitepapers/request-validation
From an individual control perspective, this might help: Prevent special characters in a TextBox
If you are wanting to protect your entire form from script-injection attacks then take a look at RequestValidation: http://www.asp.net/learn/whitepapers/request-validation