
ASP过滤SQL非法字符并格式化html代码

2010-10-25 22:36 561 查看
<%

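function changechr(str)
    ' Formats user text for HTML display: escapes the markup-significant
    ' characters, turns carriage returns into <br> and spaces into &nbsp;, then
    ' expands the pseudo-tags [sayyes]url[/sayyes] (centred image), [b], [red]
    ' and [big] into HTML.  Null -> "" (the original raised an error on Null).
    ' NOTE(review): the published listing had its entities decoded by the blog -
    ' it shows replace(str,"<","<") and an empty "" search string for the bold
    ' tag - so &lt; &gt; &nbsp; and [b]/[/b] below are the evident originals;
    ' confirm against the source file.
    ' Change from the original: & and " are escaped as well, and the image src
    ' is emitted inside double quotes, so a URL cannot add attributes to <img>.
    dim out
    if isnull(str) then
        changechr = ""
        exit function
    end if
    out = str
    ' Escape first (& before the other entities) so nothing inserted below can be forged by the input.
    out = replace(out, "&", "&amp;")
    out = replace(out, "<", "&lt;")
    out = replace(out, ">", "&gt;")
    out = replace(out, """", "&quot;")
    out = replace(out, chr(13), "<br>")
    out = replace(out, " ", "&nbsp;")
    ' Opening pseudo-tags.
    out = replace(out, "[sayyes]", "<div align=center><img src=""")
    out = replace(out, "[b]", "<b>")
    out = replace(out, "[red]", "<font color=CC0000>")
    out = replace(out, "[big]", "<font size=7>")
    ' Closing pseudo-tags.
    out = replace(out, "[/sayyes]", """></img></div>")
    out = replace(out, "[/b]", "</b>")
    out = replace(out, "[/red]", "</font>")
    out = replace(out, "[/big]", "</font>")
    changechr = out
end function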

'过滤SQL非法字符并格式化html代码

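function Replace_Text(ByVal fString)
    ' Prepares one user-supplied value for a SQL string literal and HTML output:
    '   Null -> ""; otherwise Trim, double each ' (SQL literal quoting),
    '   ";" -> ";" (a no-op as printed on this page - the original most likely
    '   substituted a full-width semicolon; confirm against the source file),
    '   "--" -> "—", then Server.HTMLEncode over the whole value.
    ' Returns the processed string.
    ' Change from the original: fString is ByVal.  VBScript passes ByRef by
    ' default, so the original overwrote the caller's variable with the
    ' trimmed/escaped text as a side effect (checkStr copies its argument first).
    ' NOTE(review): doubling ' only protects a value placed inside '...' in the
    ' SQL text; numeric parameters need Chkrequest/CLng, and parameterised
    ' queries (ADODB.Command parameters) make this escaping unnecessary.  Because
    ' the value is HTML-encoded here, the encoded form is what reaches the database.
    if isnull(fString) then
        Replace_Text = ""
        exit function
    end if
    fString = trim(fString)
    fString = replace(fString, "'", "''")
    fString = replace(fString, ";", ";")
    fString = replace(fString, "--", "—")
    fString = server.htmlencode(fString)
    Replace_Text = fString
end function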

'会员发布的各种信息过滤

'Function Replace_Text(fString)

'If Not IsNull(fString) Then

'fString = trim(fString)

'fString = replace(fString, ";", ";") '分号过滤

'fString = replace(fString, "--", "——") '--过滤

'fString = replace(fString, "%20", "") '特殊字符过滤

'fString = replace(fString, "==", "") '==过滤

'fString = replace(fString, ">", ">")

'fString = replace(fString, "<", "<")

'fString = Replace(fString, CHR(32), " ") ' 

'fString = Replace(fString, CHR(9), " ") ' 

'fString = Replace(fString, CHR(34), """)

'fString = Replace(fString, CHR(39), "'") '单引号过滤

'fString = Replace(fString, CHR(13), "")

'fString = Replace(fString, CHR(10) & CHR(10), "</P><P> ")

'fString = Replace(fString, CHR(10), "<BR> ")

'Replace_Text = fString

'End If

'End Function

'过滤SQL非法字符

Function checkStr(Chkstr)
    ' Removes the characters this code base treats as SQL-dangerous from a value:
    ' the single quote, the semicolon and the "--" comment marker are deleted
    ' (not escaped).  Null yields "".  The argument is copied first, so the
    ' caller's variable is left unchanged.
    ' NOTE(review): this is a blacklist.  It is applied to Request.ServerVariables
    ' values (GetUrl, ChkPost, listPages); it does not make the result safe to
    ' write into HTML unencoded, nor does it replace parameterised queries when
    ' the value reaches SQL.
    Dim cleaned, token
    cleaned = Chkstr
    If IsNull(cleaned) Then
        checkStr = ""
        Exit Function
    End If
    ' Order matters: "'" and ";" go first, so "-;-" collapses to "--" and is then removed.
    For Each token In Array("'", ";", "--")
        cleaned = Replace(cleaned, token, "")
    Next
    checkStr = cleaned
End Function

'检测传递的参数是否为数字型

Function Chkrequest(Para)
    ' True when Para is a usable numeric request parameter: not Null, not blank
    ' after trimming, and accepted by IsNumeric.  Everything else -> False.
    ' NOTE(review): IsNumeric is lenient (signs, decimals, exponent notation,
    ' hex/octal prefixes, currency formatting), so True does not guarantee a
    ' plain integer - convert with CLng and use the converted value in the
    ' query instead of echoing Para into SQL text.
    Chkrequest = False
    If IsNull(Para) Then Exit Function
    If Trim(Para) = "" Then Exit Function
    If Not IsNumeric(Para) Then Exit Function
    Chkrequest = True
End Function

'检测传递的参数是否为日期型

Function Chkrequestdate(Para)
    ' True when Para is a usable date parameter: not Null, not blank after
    ' trimming, and accepted by IsDate.  Everything else -> False.
    ' NOTE(review): IsDate follows the server's regional settings, so the set
    ' of accepted textual formats depends on the locale the site runs under.
    Chkrequestdate = False
    If IsNull(Para) Then Exit Function
    If Trim(Para) = "" Then Exit Function
    If Not IsDate(Para) Then Exit Function
    Chkrequestdate = True
End Function

'得到当前页面的地址

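Function GetUrl()
    ' Rebuilds the absolute URL of the current request from server variables:
    ' scheme (from HTTPS), host (SERVER_NAME), the port when it is not the
    ' scheme default, the path (URL) and the query string when present.
    ' Returns the URL as a string.  With On Error Resume Next in force, a
    ' failing lookup leaves that component empty instead of raising.
    ' Change from the original: the port is compared as a string and against
    ' 443 for https, so https URLs no longer end up as host:443.
    ' NOTE(review): SERVER_NAME and the query string are request-derived and
    ' CheckStr only strips ' ; and --, so the result must still be HTML-encoded
    ' or attribute-quoted when written into a page (listPages builds hrefs from it).
    On Error Resume Next
    Dim strTemp, isHttps, port
    ' Anything other than "off" (including an empty value) is treated as https, as in the original.
    isHttps = (LCase(Request.ServerVariables("HTTPS")) <> "off")
    If isHttps Then
        strTemp = "https://"
    Else
        strTemp = "http://"
    End If
    strTemp = strTemp & CheckStr(Request.ServerVariables("SERVER_NAME"))
    ' String comparison avoids relying on VBScript's string/number comparison rules.
    port = CStr(Request.ServerVariables("SERVER_PORT"))
    If (isHttps And port <> "443") Or (Not isHttps And port <> "80") Then
        strTemp = strTemp & ":" & CheckStr(port)
    End If
    strTemp = strTemp & CheckStr(Request.ServerVariables("URL"))
    If Trim(Request.QueryString) <> "" Then
        strTemp = strTemp & "?" & CheckStr(Trim(Request.QueryString))
    End If
    GetUrl = strTemp
End Function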

'Function CheckReferer() '检查用户是否在浏览器里输入了本页的地址

' Dim sReferer, Icheck

' CheckReferer = True

' sReferer = Request.ServerVariables("HTTP_REFERER")

' ServerIP = Request.ServerVariables("LOCAL_ADDR")

' Icheck = InStr(sReferer, "ServerIP")

' If Icheck = 0 Then

' CheckReferer = False

' End If

'End Function

'日期格式化

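Function FormatDate(DT, tp)
    ' Formats the date DT in one of two fixed layouts:
    '   tp = 1 -> "YYYY年MM月DD日"
    '   tp = 2 -> "YYYY-MM-DD"
    ' Month and day are zero-padded to two digits.  Any other tp leaves the
    ' return value Empty, as the original did.  DT must be a Date or a value
    ' Year/Month/Day accept; otherwise those calls raise a type mismatch.
    ' Change from the original: each Case body is on its own line.  The
    ' original placed the statement on the Case line with no ":" separator,
    ' which Select Case syntax does not appear to allow.
    Dim Y, M, D
    Y = Year(DT)
    M = Right("0" & Month(DT), 2)
    D = Right("0" & Day(DT), 2)
    Select Case tp
        Case 1
            FormatDate = Y & "年" & M & "月" & D & "日"
        Case 2
            FormatDate = Y & "-" & M & "-" & D
    End Select
End Function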

'不允许外部提交数据的选择

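Function ChkPost()
    ' Returns True only when the Referer header names this server as its host,
    ' i.e. the request appears to come from a page on this site; False when
    ' the header is missing, uses another scheme or names another host.
    ' Both values pass through CheckStr first, as elsewhere in this file.
    ' Changes from the original: https referers are handled (the original
    ' always skipped 7 characters, so every "https://" referer failed); the
    ' character after the host must end the authority part, so a longer host
    ' name that merely begins with ours does not pass; an empty SERVER_NAME no
    ' longer matches everything; hosts are compared case-insensitively.
    ' NOTE(review): Referer is client-supplied and SERVER_NAME can follow the
    ' Host header, so this is a weak origin check; a per-session token carried
    ' in the form is the usual stronger control.  Browsers that omit Referer
    ' are rejected by this function.
    Dim HTTP_REFERER, SERVER_NAME
    Dim server_v1, server_v2
    Dim hostStart, hostPart, nextChar
    ChkPost = False
    SERVER_NAME = CheckStr(Request.ServerVariables("SERVER_NAME"))
    HTTP_REFERER = CheckStr(Request.ServerVariables("HTTP_REFERER"))
    server_v1 = LCase(CStr(HTTP_REFERER))
    server_v2 = LCase(CStr(SERVER_NAME))
    If Len(server_v2) = 0 Then Exit Function
    If Left(server_v1, 8) = "https://" Then
        hostStart = 9
    ElseIf Left(server_v1, 7) = "http://" Then
        hostStart = 8
    Else
        Exit Function
    End If
    hostPart = Mid(server_v1, hostStart, Len(server_v2))
    nextChar = Mid(server_v1, hostStart + Len(server_v2), 1)
    If hostPart = server_v2 Then
        If nextChar = "" Or nextChar = "/" Or nextChar = ":" Or nextChar = "?" Or nextChar = "#" Then
            ChkPost = True
        End If
    End If
End Function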

'构造上传图片文件名随机数

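function MakedownName()
    ' Builds a name for an uploaded image file: the current time as
    ' yyyyMMddHHmmss followed by a three-digit random suffix.
    ' Returns a 17-digit string (the original returned a number derived from
    ' the locale-formatted Now(); callers that append it with & are unaffected).
    ' Changes from the original: the timestamp is assembled from the date parts
    ' instead of stripping "-", ":", "AM"/"PM" and "上午"/"下午" from Now(),
    ' which only worked for one regional format; Randomize is called before Rnd
    ' (without it the sequence repeats), and the suffix range is wider than the
    ' original 1..10, which made two uploads in the same second likely to collide.
    ' NOTE(review): collisions are still possible and Rnd is not a cryptographic
    ' generator; the caller should check for an existing file before saving, and
    ' the extension must come from CheckFileExt/FixName, not from this name.
    dim ts, stamp
    ts = Now()
    stamp = Year(ts) _
          & Right("0" & Month(ts), 2) _
          & Right("0" & Day(ts), 2) _
          & Right("0" & Hour(ts), 2) _
          & Right("0" & Minute(ts), 2) _
          & Right("0" & Second(ts), 2)
    Randomize
    MakedownName = stamp & Right("00" & Int(Rnd * 1000), 3)
end function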

'Email检测

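function IsValidEmail(email)
    ' Syntax check for an e-mail address.  Accepts exactly one "@", non-empty
    ' local and domain parts made only of a-z, 0-9, "_", "-" and ".", no part
    ' starting or ending with ".", a domain containing a ".", a top-level label
    ' of at least two characters, and no "..".  Null -> false (the original
    ' raised an error on Null).
    ' Change from the original: the top-level label had to be exactly 2 or 3
    ' characters, which rejected addresses such as the file's own sender
    ' wemaster@alibaba.info.  Local parts with "+" or other RFC 5322
    ' characters are still rejected.
    dim addr, names, name, i, c
    IsValidEmail = false
    if IsNull(email) then exit function
    addr = CStr(email)
    names = Split(addr, "@")
    if UBound(names) <> 1 then exit function
    for each name in names
        if Len(name) <= 0 then exit function
        for i = 1 to Len(name)
            c = LCase(Mid(name, i, 1))
            if InStr("abcdefghijklmnopqrstuvwxyz_-.", c) <= 0 and not IsNumeric(c) then exit function
        next
        if Left(name, 1) = "." or Right(name, 1) = "." then exit function
    next
    if InStr(names(1), ".") <= 0 then exit function
    ' Length of the label after the last "." of the domain part.
    i = Len(names(1)) - InStrRev(names(1), ".")
    if i < 2 then exit function
    if InStr(addr, "..") > 0 then exit function
    IsValidEmail = true
end function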

'Jmail邮件发送

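Function SendJmail(Email, Topic, MailBody)
    ' Sends one HTML mail through the JMail.SMTPMail component.
    '   Email    : recipient address
    '   Topic    : subject line
    '   MailBody : HTML body (sent as text/html, charset gb2312)
    ' Returns 1 when JMail.Execute reports success, 0 otherwise - including
    ' when the component cannot be created.  Runs under On Error Resume Next,
    ' so no error propagates to the caller.  Sender/ReplyTo are fixed site
    ' addresses; the Originating-IP header is taken from the global GBL_IPAddress.
    ' Changes from the original: a failed CreateObject returns 0 immediately
    ' instead of continuing against a missing object, and CR/LF are removed
    ' from Email and Topic so a form value cannot terminate its header and add
    ' further headers (whether JMail itself rejects such values is not visible
    ' from this file).  Validate Email with IsValidEmail before calling.
    Dim JMail
    on error resume next
    SendJmail = 0
    Set JMail = Server.CreateObject("JMail.SMTPMail")
    If Err.Number <> 0 Or Not IsObject(JMail) Then
        Err.Clear
        Exit Function
    End If
    JMail.LazySend = true
    JMail.silent = true
    JMail.Charset = "gb2312"
    JMail.ContentType = "text/html"
    JMail.Sender = "wemaster@alibaba.info" ' the site's own mailbox
    JMail.ReplyTo = "wemaster@alibaba.info" ' the site's own mailbox
    JMail.SenderName = "阿里爸爸邮件发送"
    JMail.Subject = Replace(Replace(CStr(Topic), vbCr, ""), vbLf, "")
    JMail.SimpleLayout = true
    JMail.Body = MailBody
    JMail.Priority = 3
    JMail.AddRecipient Replace(Replace(CStr(Email), vbCr, ""), vbLf, "")
    JMail.AddHeader "Originating-IP", GBL_IPAddress
    ' Execute returns false on failure when silent = true; an error here leaves the result at 0.
    If JMail.Execute() <> false Then SendJmail = 1
    JMail.Close
    Set JMail = Nothing
End Function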

'分页

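Function listPages(LinkFile)
    ' Writes a pager for the current recordset: a "previous 10" link, the page
    ' numbers of the current block of ten, a "next 10" link, a jump-to-page
    ' <select> and a summary line.  Writes nothing when rs is empty.
    '   LinkFile : base URL for the page links.  "&page=" is appended when the
    '              leading part of LinkFile (as long as this page's own URL plus
    '              one) already contains a "?", otherwise "?page=".
    ' Reads the script-level variables rs, currentpage, n (page count),
    ' msg_per_page and totalrec, and - as in the original - assigns gopage,
    ' totalpage, blockPage, strTemp, lenstrTemp, i, Startinfo and Endinfo
    ' without Dim, so they stay visible to the caller afterwards.
    ' Change from the original: LinkFile is HTML-encoded once and every href /
    ' option value is double-quoted.  LinkFile is typically built by GetUrl,
    ' which carries the raw query string through CheckStr (only ' ; -- are
    ' stripped), so the unquoted, unencoded form let request data break out of
    ' the attribute.  Server.HTMLEncode covers & < > and " but not ', hence
    ' double quotes throughout.
    Dim sep, pageLink
    if not (rs.eof and rs.bof) then
        gopage = currentpage
        totalpage = n
        blockPage = Int((gopage - 1) / 10) * 10 + 1
        ' This page's own URL is rebuilt only to measure it.
        If LCase(Request.ServerVariables("HTTPS")) = "off" Then
            strTemp = "http://"
        Else
            strTemp = "https://"
        End If
        strTemp = strTemp & CheckStr(Request.ServerVariables("SERVER_NAME"))
        If Request.ServerVariables("SERVER_PORT") <> 80 Then strTemp = strTemp & ":" & CheckStr(Request.ServerVariables("SERVER_PORT"))
        strTemp = strTemp & CheckStr(Request.ServerVariables("URL"))
        lenstrTemp = len(strTemp) + 1
        if instr(left(linkfile, lenstrTemp), "?") > 0 then
            sep = "&page="
        else
            sep = "?page="
        end if
        pageLink = Server.HTMLEncode(LinkFile) & sep

        ' Previous block of ten.
        if blockPage = 1 Then
            Response.Write "<span disabled>【←前10页</span> "
        Else
            Response.Write "<span disabled>【</span><a href=""" & pageLink & (blockPage - 10) & """>←前10页</a> "
        End If

        ' Page numbers of the current block: at most ten, never past n.
        i = 1
        Do Until i > 10 or blockPage > n
            If blockPage = int(gopage) Then
                Response.Write "<font color=#FF0000>[<b>" & blockPage & "</b>]</font>"
            Else
                Response.Write " <a href=""" & pageLink & blockPage & """>[" & blockPage & "]</a> "
            End If
            blockPage = blockPage + 1
            i = i + 1
        Loop

        ' Next block of ten; blockPage now names the first page after this block.
        if blockPage > totalpage Then
            Response.Write " <span disabled>后10页→】"
        Else
            Response.Write " <a href=""" & pageLink & blockPage & """>后10页→</a><span disabled>】"
        End If

        ' Jump-to-page selector.
        response.write " 直接到第 "
        response.write "<select onchange=if(this.options[this.selectedIndex].value!=''){location=this.options[this.selectedIndex].value;}>"
        for i = 1 to totalpage
            response.write "<option value=""" & pageLink & i & """"
            if i = gopage then response.write " selected"
            response.write ">" & i & "</option>"
        next
        response.write "</select>"
        response.write " 页<Br><Br>"

        ' Summary line: record range shown on this page.
        Startinfo = ((gopage - 1) * msg_per_page) + 1
        Endinfo = gopage * msg_per_page
        if Endinfo > totalrec then Endinfo = totalrec
        Response.Write "  共 " & totalrec & " 条信息 当前显示第 " & Startinfo & " - " & Endinfo & " 条 每页 " & msg_per_page & " 条信息 共 " & n & " 页"
    end if
End Function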

'分页2

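Function listPages2(LinkFile)
    ' Same pager as listPages with one difference in presentation: when
    ' LinkFile already carries a query string (the "&page=" form) the labels
    ' are plain - no 【 】 brackets, no arrows and no [ ] around the page
    ' numbers - while the "?page=" form renders exactly like listPages.
    '   LinkFile : base URL for the page links (see listPages for how the
    '              separator is chosen).
    ' Reads the script-level variables rs, currentpage, n, msg_per_page and
    ' totalrec, and - as in the original - assigns gopage, totalpage,
    ' blockPage, strTemp, lenstrTemp, i, Startinfo and Endinfo without Dim.
    ' Change from the original: the two near-identical branches are merged,
    ' with the differing label fragments held in local variables, and LinkFile
    ' is HTML-encoded once with every href / option value double-quoted, for
    ' the same reason as in listPages (GetUrl-built links carry request data).
    Dim sep, pageLink, mark, prevText, nextText, numOpen, numClose, nextTail
    if not (rs.eof and rs.bof) then
        gopage = currentpage
        totalpage = n
        blockPage = Int((gopage - 1) / 10) * 10 + 1
        ' This page's own URL is rebuilt only to measure it.
        If LCase(Request.ServerVariables("HTTPS")) = "off" Then
            strTemp = "http://"
        Else
            strTemp = "https://"
        End If
        strTemp = strTemp & CheckStr(Request.ServerVariables("SERVER_NAME"))
        If Request.ServerVariables("SERVER_PORT") <> 80 Then strTemp = strTemp & ":" & CheckStr(Request.ServerVariables("SERVER_PORT"))
        strTemp = strTemp & CheckStr(Request.ServerVariables("URL"))
        lenstrTemp = len(strTemp) + 1
        if instr(left(linkfile, lenstrTemp), "?") > 0 then
            ' Plain labels.
            sep = "&page="
            mark = ""
            prevText = "前10页"
            nextText = "后10页"
            numOpen = ""
            numClose = ""
            nextTail = ""
        else
            ' Bracketed labels, identical to listPages.
            sep = "?page="
            mark = "【"
            prevText = "←前10页"
            nextText = "后10页→"
            numOpen = "["
            numClose = "]"
            nextTail = "】"
        end if
        pageLink = Server.HTMLEncode(LinkFile) & sep

        ' Previous block of ten.
        if blockPage = 1 Then
            Response.Write "<span disabled>" & mark & prevText & "</span> "
        Else
            if mark <> "" then Response.Write "<span disabled>" & mark & "</span>"
            Response.Write "<a href=""" & pageLink & (blockPage - 10) & """>" & prevText & "</a> "
        End If

        ' Page numbers of the current block: at most ten, never past n.
        i = 1
        Do Until i > 10 or blockPage > n
            If blockPage = int(gopage) Then
                Response.Write "<font color=#FF0000>" & numOpen & "<b>" & blockPage & "</b>" & numClose & "</font>"
            Else
                Response.Write " <a href=""" & pageLink & blockPage & """>" & numOpen & blockPage & numClose & "</a> "
            End If
            blockPage = blockPage + 1
            i = i + 1
        Loop

        ' Next block of ten; blockPage now names the first page after this block.
        if blockPage > totalpage Then
            Response.Write " <span disabled>" & nextText & nextTail
        Else
            Response.Write " <a href=""" & pageLink & blockPage & """>" & nextText & "</a><span disabled>" & nextTail
        End If

        ' Jump-to-page selector.
        response.write " 直接到第 "
        response.write "<select onchange=if(this.options[this.selectedIndex].value!=''){location=this.options[this.selectedIndex].value;}>"
        for i = 1 to totalpage
            response.write "<option value=""" & pageLink & i & """"
            if i = gopage then response.write " selected"
            response.write ">" & i & "</option>"
        next
        response.write "</select>"
        response.write " 页<Br><Br>"

        ' Summary line: record range shown on this page.
        Startinfo = ((gopage - 1) * msg_per_page) + 1
        Endinfo = gopage * msg_per_page
        if Endinfo > totalrec then Endinfo = totalrec
        Response.Write "  共 " & totalrec & " 条信息 当前显示第 " & Startinfo & " - " & Endinfo & " 条 每页 " & msg_per_page & " 条信息 共 " & n & " 页"
    end if
End Function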

'判断文件类型是否合格

Function CheckFileExt(FileExt)
    ' Positive-list check for an upload extension: True only when FileExt
    ' equals (case-insensitively) one of gif, jpg, bmp, jpeg, png; otherwise
    ' False, including for Null and for unknown extensions.
    ' A whitelist like this is the right shape for upload filtering; the rest
    ' of this file pairs it with CheckFileType and FixName.
    Dim allowed, candidate, wanted
    CheckFileExt = False
    allowed = Array("gif", "jpg", "bmp", "jpeg", "png")
    wanted = LCase(FileExt)
    For Each candidate In allowed
        If wanted = LCase(Trim(candidate)) Then
            CheckFileExt = True
            Exit For
        End If
    Next
End Function

'格式后缀

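Function FixName(UpFileExt)
    ' Normalises an upload extension for use in a file name: lower-cases it and
    ' removes NUL bytes, dots and the server-executable extension names asp,
    ' asa, aspx, cer, cdx and htr.  Returns Empty for Empty input (as the
    ' original) and "" for Null (the original raised an error there).
    ' Change from the original: the removals repeat until nothing changes,
    ' because a single pass could leave a blacklisted name behind once the
    ' characters around it were removed ("aaspsp" -> "asp"), and "aspx" is
    ' removed before "asp" so it does not leave an "x".
    ' NOTE(review): this remains a blacklist; CheckFileExt is the positive check
    ' and should be the one that decides whether the upload is accepted.
    Dim prev, token
    If IsEmpty(UpFileExt) Then Exit Function
    If IsNull(UpFileExt) Then
        FixName = ""
        Exit Function
    End If
    FixName = LCase(UpFileExt)
    Do
        prev = FixName
        For Each token In Array(Chr(0), ".", "aspx", "asp", "asa", "cer", "cdx", "htr")
            FixName = Replace(FixName, token, "")
        Next
    Loop Until FixName = prev
End Function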

'文件Content-Type判断

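Function CheckFileType(FileType)
    ' True when the upload's Content-Type starts with "image/" (case- and
    ' surrounding-whitespace-insensitive); False otherwise, including for Null
    ' (the original raised "invalid use of Null" there).
    ' NOTE(review): the Content-Type of a multipart upload is set by the client,
    ' so this is only a first filter; CheckFileExt and FixName must still run,
    ' and uploaded files should not be stored where the web server executes scripts.
    CheckFileType = False
    If IsNull(FileType) Then Exit Function
    If Left(LCase(Trim(CStr(FileType))), 6) = "image/" Then CheckFileType = True
End Function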

%>

说明:

这里的代码都是一些很常用的函数

函数都是以function开始

以end function结束

可以把一个或一些常用函数单独保存为一个ASP文件如function.asp

在某个页面调用,比如在留言本页面调用

比如留言本页面有个表单获取用户名 那么获取之后加一个过滤就是这样

<!--#include file="function.asp"-->

<%

username=Request.Form("username")'不加过滤

username=Replace_Text(Request.Form("username"))'加过滤

过滤主要有以下用处:

一,防止SQL注入

二,过滤用户提交的非法脚本或HTML代码或跨站脚本.

第一点

我们打个比方,你原有的SQL语句是

sql = "select * from news where id = " & request("id")

如果正常提交的id=1,那么SQL就是

sql = "select * from news where id = 1"

但如果用户非法提交了id=1;exec master..xp_cmdshell 'format d: >nul'

则你的语句就成了

sql = "select * from news where id = 1;exec master..xp_cmdshell 'format d: >nul'"

在权限允许的情况下,可以格式化你的D盘.

所以,我们要对用户提交的参数进行过滤.但其实如果你的参数是数字型,只判断用户提交的是否数字即可,如果是字符型,只过滤单引号即可,没那么复杂.更根本的做法是使用参数化查询(如 ADODB.Command 的 Parameters),让参数值和 SQL 语句分开传给数据库,这样就不依赖字符过滤.

第二点,我要说的是,假如你有一个留言本,用户提交了<script>window.location='http://www.ss.cn';</script>等类似代码,可以直接跳转到恶意网站,或者使用<meta>标签等,所以要进行必要的过滤,或者直接过滤html代码.