寫過論壇的朋友,特別是把路徑放到數據里,然后在服務器端讀取數據庫里的字段,把路徑信息動態的顯示在客戶端.
如過直接以
http://xxxx.xxxx.net/ShowForum.aspx?id=2&rootID=0&userName=myUserName
就會發現,直接把參數信息顯示在Client端了.別有用心的人,可能會對你的服務器進行攻擊
如果在Client這樣顯示.
http://xxxx.xxxx.net/ShowForum.aspx?bdefEdGa=DEdscFDW&aHJdIDesk=esOddEsA&dsERsdwS=SdEEsaDY
下面我把這樣實現的C#.net代碼貼出��,如大家要轉載��,請保留本人的版權�����。
/*
*Description:加密路徑信息后��,輸出到Client端
*Auther:天很藍_崇崇
*Email:yc_chongchong@tom.com
*Dates:2005-01-18
*Copyright:ChongChong2008 YiChang HuBei China
*/
using System;
using System.Collections;
using System.ComponentModel;
using System.Drawing;
using System.Web;
using System.Web.sessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;
using System.IO;
using System.Text;
using System.Text.RegularExPRessions;
using System.Data.SqlClient;
using System.Configuration;
//導入自定義的類庫
using _3Layer.DataLayer.DataCommon;
using _3Layer.DataLayer.DataCommon.Dataaccess;
using Library.ClassLibrary.Crypt.DES;
namespace CHONGCHONG.xml
public class RenderingXML : System.Web.UI.Page
{
/// <summary>
/// 從數據庫預生成XML數據源
/// </summary>
private void PreRenderXML()
{
string strSQL = "select語句略去........................;
myDataLayer.Open();
RenderingXml="<?xml version='1.0' encoding='gb2312'?>/r/n";
RenderingXml+="<xml>/r/n";
try
{
System.Data.SqlClient.SqlDataReader myDR = (SqlDataReader)myDataLayer.ExecuteReader( strSQL );
while(myDR.Read())
{
RenderingXml+="<TreeNode id='"+myDR["BoardID"]+"'>/r/n";
RenderingXml+="<NodeText>"+myDR["BoardName"]+"</NodeText>/r/n";
RenderingXml+="<title>"+myDR["Title"]+"</title>/r/n";
RenderingXml+="<NodeUrl>"+EncodeHTML( EncodeParameter( myDR["Link"].ToString() ) )+"</NodeUrl>/r/n";
RenderingXml+="<child>"+myDR["children"]+"</child>/r/n";
RenderingXml+="<target>"+myDR["Target"]+"</target>/r/n";
RenderingXml+="</TreeNode>/r/n";
}
}
catch(System.Data.SqlClient.SqlException ee)
{
return ;
}
finally
{
myDataLayer.Close() ;
}
RenderingXml+="</xml>";
byte[] bytResult = Encoding.Default.GetBytes( RenderingXml ) ;
Response.ContentType = "text/xml" ;
Response.BinaryWrite( bytResult ) ;
}
/// <summary>
/// Description:加密路徑參數
/// </summary>
/// <param name="sourParameter"></param>
/// <returns></returns>
private string EncodeParameter( string sourParameter )
{
string startString = String.Empty ;
string endString = String.Empty ;
StringBuilder destParameter = new StringBuilder() ;
if( sourParameter == null || sourParameter.Equals("") )
{
destParameter.Append( String.Empty ).ToString() ;
}
else
{
//開始分析路徑里的?字符
if( sourParameter.IndexOf("?")<0 )
{
destParameter.Append( sourParameter ).ToString() ;
}
else
{
//以?號分割路徑
string[] paramPath = sourParameter.Split( new char[]{'?'} ) ;
startString = paramPath[0].ToString() ;
endString = paramPath[1].ToString() ;
//開始分析路徑里的&字符
if(sourParameter.IndexOf("&")<0)
{
//只有一個參數,用=號分割,直接把NameValue進行Des加密
string[] paramNameValue = endString.Split( new char[]{'='} ) ;
string paramName = myDES.Encrypt( paramNameValue[0].ToString() ,myDESKey ) ;
string paramValue = myDES.Encrypt( paramNameValue[1].ToString() ,myDESKey ) ;
destParameter.Append( startString ).Append("?").Append( paramName ).Append("=").Append( paramValue ) ;
}
else
{
//有多個參數,以&號分割?號后面的路徑
string[] paramJoin = endString.Split( new char[]{'&'} ) ;
destParameter.Append( startString ).Append("?").Append( EncoderNameValue( paramJoin ) ) .ToString() ;
}
}
}
return destParameter.ToString() ;
}
/// <summary>
/// Description:加密路徑里的NameValue參數
/// </summary>
/// <param name="sourNameValue"></param>
/// <returns></returns>
private string EncoderNameValue( string[] sourNameValue )
{
string[] paramNameValue ;
string paramName ;
string paramValue ;
StringBuilder sb = new StringBuilder() ;
for( int i = 0 ; i <= sourNameValue.Length-1 ; i++ )
{
//以=號分割每個NameValue參數
paramNameValue = sourNameValue[i].Split( new char[]{'='} ) ;
//開始對NameValue加密
paramName = myDES.Encrypt( paramNameValue[0].ToString() ,myDESKey ) ;
paramValue = myDES.Encrypt( paramNameValue[1].ToString() ,myDESKey ) ;
//存儲加密后的路徑字符串
sb.Append( paramName ).Append("=").Append( paramValue ) ;
//是否最后一個NameValue參數,若不是在路基里添加&參數連接符
if( i<sourNameValue.Length )
{
sb.Append("&") ;
}
}
return sb.ToString() ;
}
}
