模板
教程
環境
性能
功能
管理
ASP,安全寫入數據庫操作,正常讀出并顯示在不同的場合
比如說有styledesc這個字段,數據要求的是50位,char形,可不可以只限制他50位,其它的不限制,
輸入什么字符都可以的.只要是char形,只要數據庫允許就行
這樣,安全寫入數據庫操作,正常讀出并顯示在不同的場合,應用.
應該是怎樣做呢?
下面是我總結的幾點.非常有可能不對,請指正.
如果對用戶的輸入是可以任意字符,(除了某字段特定的輸入限制條件,如輸入長度,輸入類型==).
就是輸入盡可能不作限制.
對一字符串str,他輸出的方向有以下幾種:
1.輸出至HTML中,Function fn_chk_to_html(Str)
2.輸出至Script中(如javascript),Function fn_chk_to_script(Str)
3.輸出至sql語句中,而且這條SQL語句是用‘’‘’兩個單引括起字符串Str的.
Function fn_chk_to_sql_mark(Str)
4.輸出至sql語句中,而且這條SQL語句是沒有用單引括起Str的.Function fn_chk_to_sql_go(Str)
5.輸出至URL .Function fn_chk_to_url(Str)
<%Function fn_chk_to_html(Str)
‘’如<input text="<%=request("styledesc")%>">的情況下
If Isnull(Str) Then
ChkSql = ""
Exit Function
End If
Str = trim(Str)
Str = Replace(Str, Chr(0), "",1,-1,1)
Str = Replace(Str, """", """,1,-1,1)
Str = Replace(Str, "‘’", "'",1,-1,1)
Str = Replace(Str, "<","<",1,-1,1)
Str = Replace(Str, ">",">",1,-1,1)
Str = Replace(Str, vbCrlf, "<br>",1,-1,1)
fn_chk_to_html = Str
End Function
%>
<%Function fn_chk_to_script(Str)
‘’如 response.write "<script>alert(‘’"&request("styledesc")&"‘’);</script>"的情況下
If Isnull(Str) Then
ChkSql = ""
Exit Function
End If
Str = trim(Str)
Str = Replace(Str, "\", "\\",1,-1,1)
Str = Replace(Str, """", "\""",1,-1,1)
Str = Replace(Str, "‘’", "\‘’",1,-1,1)
Str = Replace(Str,Chr(13),"\n",1,-1,1)
fn_chk_to_script = Str
End Function
%>
<%
Function fn_chk_to_sql_mark(Str)
‘’如 sql="select * from style where styledesc like ‘’"&request("styledesc")&"‘’"的情況下
If Isnull(Str) Then
ChkSql = ""
Exit Function
End If
Str = trim(Str)
Str = Replace(Str, "‘’", "‘’‘’",1,-1,1)
fn_chk_to_sql_mark = Str
End Function
%>
<%Function fn_chk_to_sql_go(Str)
‘’如sql = "select * from "&request("table")的情況下.??
If Isnull(Str) Then
ChkSql = ""
Exit Function
End If
Str = trim(Str)
Str = Replace(Str, Chr(0), "",1,-1,1)
Str = Replace(Str, """", """,1,-1,1)
Str = Replace(Str, "‘’", "'",1,-1,1)
Str = Replace(Str, "<","<",1,-1,1)
Str = Replace(Str, ">",">",1,-1,1)
Str = Replace(Str, "[", "[",1,-1,1)
Str = Replace(Str, "]", "]",1,-1,1)
Str = Replace(Str, "\", "\",1,-1,1)
Str = Replace(Str, "*", "*",1,-1,1)
Str = Replace(Str, "%", "%",1,-1,1)
Str = Replace(Str, ";", ";",1,-1,1)
Str = Replace(Str, vbCrlf, "<br>",1,-1,1)
Str = Replace(Str, "--", "--")
fn_chk_to_sql_go = Str
End Function
%>
<%Function fn_chk_to_url(Str)
‘’如 str="<img src=‘’showimg.asp?id="&request("id")&"‘’>"的情況下
If Isnull(Str) Then
ChkSql = ""
Exit Function
End If
Str = trim(Str)
Str = server.URLEncode(Str)
fn_chk_to_sql_mark = Str
End Function
%>
