今天要修改一段代码,可是找不到源代码了,怎么办呢?
具体情况如下:
某个.NET小网站,在做数据库的查询修改删除操作的时候,没有验证输入参数的合法性,没有做错误处理,导致页面异常.
代码如下:
Private Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs)
iClass.Verify(Me)
Me.DirId = Me.Request.QueryString.Item("DirId")
Me.InfoId = Me.Request.QueryString.Item("InfoId")
If Not IsNumber(Me.DirId) Then
Me.DirId = ""
End If
Dim adapter1 As New OleDbDataAdapter(("Select * from Directory where Dirid = " & Me.DirId), Me.mCn)
Dim table1 As New DataTable
adapter1.Fill(table1)
Me.DirPath = StringType.FromObject(table1.Rows.Item(0).Item("DirPath"))
If (StringType.StrCmp(FileSystem.Dir(Me.Server.MapPath(Me.DirPath), FileAttribute.Directory), "", False) = 0) Then
FileSystem.MkDir(Me.Server.MapPath(Me.DirPath))
End If
If Not Me.Page.IsPostBack Then
Dim adapter2 As New OleDbDataAdapter(("Select * from info where InfoId=" & Me.InfoId & "and dirid=" & Me.DirId), Me.mCn)
Dim table2 As New DataTable
adapter2.Fill(table2)
Me.txtTitle.Text = table2.Rows.Item(0).Item("Infotitle").ToString.Trim
Me.txtMain.set_Text(table2.Rows.Item(0).Item("Infomain").ToString.Trim)
Me.txtMain.set_Text(iClass.unchangestr(Me.txtMain.get_Text).ToString.Trim)
Me.txtMaker.Text = table2.Rows.Item(0).Item("Infomaker").ToString.Trim
Me.txtReship.Text = table2.Rows.Item(0).Item("Inforeship").ToString.Trim
End If
End Sub
其中如果参数DirId和InfoId不为数字型的话,会造成
"Select * from Directory where Dirid = " & Me.DirId
以及
"Select * from info where InfoId=" & Me.InfoId & "and dirid=" & Me.DirId
的SQL语句查询出错
解决方法:
If Not IsNumber(Me.DirId) Then
Me.DirId = ""
End If
改成
If Not IsNumber(DirId) Or Not IsNumeric(InfoId) Then
DirId = ""
Return
End If
新建一WEB项目,在Page_Load事件中加入以下代码
Verify(Me)
DirId = Request.QueryString("DirId")
InfoId = Request.QueryString("InfoId")
If Not IsNumber(DirId) Or Not IsNumeric(InfoId) Then
DirId = ""
Return
End If
Dim objApt As New OleDbDataAdapter("Select * from Directory where Dirid = " & DirId, mCn)
Dim objDt1 As New DataTable
objApt.Fill(objDt1)
DirPath = objDt1.Rows(0)("DirPath")
If Dir(Me.Server.MapPath(DirPath), FileAttribute.Directory) = "" Then
MkDir(Me.Server.MapPath(DirPath))
End If
If Not Page.IsPostBack Then
Dim objApt1 As New OleDbDataAdapter("Select * from info where InfoId=" & InfoId & " and dirid=" & DirId, mCn)
Dim objDt As New DataTable
objApt1.Fill(objDt)
txtTitle.Text = objDt.Rows(0)("Infotitle").ToString.Trim
txtMain.Text = objDt.Rows(0)("Infomain").ToString.Trim
txtMain.Text = unchangestr(txtMain.Text).ToString.Trim
txtMaker.Text = objDt.Rows(0)("Infomaker").ToString.Trim
txtReship.Text = objDt.Rows(0)("Inforeship").ToString.Trim
End If
(注意,控件中要用到的一些控件要手动添加,函数根据.NET Reflector反编译出源代码加入到项目中.)
将新建项目编译成DLL
接着,用VS自带的ILDASM将原始DLL反编译成IL,用文本编辑器打开IL文件,用查找功能定位到
"Select * from info where InfoId="
这一行
往下走来到函数结尾
} // end of method Admin_FileEdit::Page_Load
往上走来到函数开头
.method private instance void Page_Load(object sender,
class [mscorlib]System.EventArgs e) cil managed
中间部分就是要修改的代码了
再接着,用VS自带的ILDASM打开刚才生成的项目的DLL,打开IL的树形结构,找到改正后的函数,双击,可以打开一个详细的代码文件
将里面的所有代码复制到刚才打开的IL代码,替换IL文件中的原始函数
即下面的部分
.method private instance void Page_Load(object sender,
class [mscorlib]System.EventArgs e) cil managed
...................................
...................................
...................................
} // end of method Admin_FileEdit::Page_Load
重新编译修改过的IL,"ilasm filename.il /dll" (filename指你开始用ILDASM导出的IL文件名)
将生成的DLL拷贝到BIN目录,覆盖旧的DLL
至此,修改工作告一段落
posted on 2006-04-14 11:35
Jason.NET 阅读(3632)
评论(13) 编辑 收藏 网摘 所属分类:
.NET技术随笔