Title: [Help] How do I replace illegal characters? I could not find an answer by searching the forum, so I am asking here
lisir123

If you want to filter illegal characters, there are so many of them, in upper and lower case, and some are even written with chr(). How many replacements would you have to do?

I think you should check whether the input is text or a number. If it is a number, those illegal characters are nothing to fear; if it is text, you only need to limit its length. Wouldn't that be enough?

2006-01-24 09:45
redmangame

What is that? Is it correct to write it like this?
<%
' Encodes the characters that are significant in HTML, then truncates the text
' to "length" characters.
function con(contentTemp,length)
length=Cint(length)
' "&" must be encoded before the entities below are inserted, otherwise
' &quot; and &nbsp; would themselves be turned into &amp;quot; / &amp;nbsp;
contentTemp=replace(contentTemp,"&","&amp;")
contentTemp=replace(contentTemp,chr(34),"&quot;")   ' was """", which replaced a double quote with itself
contentTemp=replace(contentTemp," ","&nbsp;&nbsp;")
contentTemp=replace(contentTemp,"<","&lt;")
contentTemp=replace(contentTemp,">","&gt;")
' The original also doubled single quotes ("'" -> "''"); that is only needed when
' building a SQL string by hand. rs.AddNew passes the value as data, so the doubled
' quote would be stored literally, and the line is dropped here.
if len(contentTemp)>length then
contentTemp=left(contentTemp,length)
end if
con=contentTemp   ' was com=contentTemp, so the function never returned anything
end function
%>
<%
' The variable was also named "con", which collides with the function of the same
' name; it is renamed "content" here, and the function is now actually called
' (the 50 / 1000 limits are example values).
dim title,content
title=con(request.form("title"),50)
content=con(request.form("con"),1000)
if trim(title)="" or trim(content)="" then
response.write"所填标题和内容不能为空"
else
set rs= Server.CreateObject("adodb.recordset")
sql= "select * from guestbook"
rs.open sql,conn,1,3
rs.addnew
rs("title")=title
rs("con")=content
rs.update
rs.close
set rs=nothing
conn.close
set conn=nothing
response.write("<A HREF=list.asp>返回</A>")
end if
%>


I'm a newbie
2006-01-24 21:27
redmangame
The cause of the error was that the function was never called. After staring at the code for a few days I finally found it, haha.


' Lower-cases the input and strips a blacklist of characters and SQL keywords.
' Wrapped in a function so it can be applied to a request value, e.g.
' safeTitle = FilterStr(Request.Form("title"))
Function FilterStr(strSTR)
strSTR = LCase(strSTR)
strSTR = Replace(strSTR,"'","")
strSTR = Replace(strSTR,"*","")
strSTR = Replace(strSTR,"?","")
strSTR = Replace(strSTR,"(","")
strSTR = Replace(strSTR,")","")
strSTR = Replace(strSTR,"<","")
strSTR = Replace(strSTR,">","")
strSTR = Replace(strSTR,".","")
strSTR = Replace(strSTR,"and","")
strSTR = Replace(strSTR,"exec","")
strSTR = Replace(strSTR,"insert","")
strSTR = Replace(strSTR,"delete","")
strSTR = Replace(strSTR,"update","")
strSTR = Replace(strSTR,"select","")
strSTR = Replace(strSTR,"count","")
strSTR = Replace(strSTR,"master.","")
strSTR = Replace(strSTR,"%20from","")
strSTR = Replace(strSTR,";","")
strSTR = Replace(strSTR,"mid","")
strSTR = Replace(strSTR,"chr(37)","")
strSTR = Replace(strSTR,"=","")
strSTR = Replace(strSTR,"set","")
FilterStr = strSTR
End Function

[This post was edited by the author at 2006-1-25 15:20:57]


I'm a newbie
2006-01-25 15:20
爱睡觉的鱼

<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<%
' Include-style request filter: every POST and GET parameter is lower-cased and
' checked against a "//"-separated blacklist; a hit is reported and the page halts.
Dim Fy_Post,Fy_Get,Fy_In,Fy_Inf,Fy_Xh,Fy_db,Fy_dbstr

Fy_In = "'//;//and//exec//insert//select//delete//update//count//*//%//chr//mid//master//truncate//char//declare"

Fy_Inf = split(Fy_In,"//")

If Request.Form<>"" Then
For Each Fy_Post In Request.Form
For Fy_Xh=0 To Ubound(Fy_Inf)
If Instr(LCase(Request.Form(Fy_Post)),Fy_Inf(Fy_Xh))<>0 Then
Response.Write "<Script Language=JavaScript>alert('请不要在参数中包含非法字符尝试注入!');</Script>"
Response.Write "<table width='400' height='20' border='0' align='center' cellpadding='0' cellspacing='0'>"
Response.Write "<tr><td width='400' height='20'>非法操作!系统做了如下记录<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>操作IP:"&Request.ServerVariables("REMOTE_ADDR")&"<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>操作时间:"&Now&"<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>操作页面:"&Request.ServerVariables("URL")&"<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>提交方式:POST<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>提交参数:"&Fy_Post&"<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>提交数据:"&Request.Form(Fy_Post)&"<br></td></tr></table>"
Response.End
End If
Next
Next
End If

If Request.QueryString<>"" Then
For Each Fy_Get In Request.QueryString
For Fy_Xh=0 To Ubound(Fy_Inf)
If Instr(LCase(Request.QueryString(Fy_Get)),Fy_Inf(Fy_Xh))<>0 Then
' Record the hit in inc/SqlIn.mdb. The parameter name and the URL are quote-doubled
' here as well as the value: the original only escaped the value, although the name
' is supplied by the client too.
Set Fy_db = Server.CreateObject("ADODB.Connection")
Fy_dbstr="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("inc/SqlIn.mdb")
Fy_db.Open Fy_dbstr
Fy_db.Execute("insert into SqlIn(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('"&Request.ServerVariables("REMOTE_ADDR")&"','"&replace(Request.ServerVariables("URL"),"'","''")&"','GET','"&replace(Fy_Get,"'","''")&"','"&replace(Request.QueryString(Fy_Get),"'","''")&"')")
Fy_db.close
set Fy_db=nothing

Response.Write "<Script Language=JavaScript>alert('请不要在参数中包含非法字符尝试注入!');</Script>"
Response.Write "<table width='400' height='20' border='0' align='center' cellpadding='0' cellspacing='0'>"
Response.Write "<tr><td width='400' height='20'>非法操作!系统做了如下记录<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>操作IP:"&Request.ServerVariables("REMOTE_ADDR")&"<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>操作时间:"&Now&"<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>操作页面:"&Request.ServerVariables("URL")&"<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>提交方式:GET<br></td></tr>"   ' was POST in the GET branch
Response.Write "<tr><td width='400' height='20'>提交参数:"&Fy_Get&"<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>提交数据:"&Request.QueryString(Fy_Get)&"<br></td></tr></table>"
Response.End
End If
Next
Next
End If
%>

2006-01-25 19:57
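Added example for the question in this thread (it is not code from any of the posts above): rather than deleting characters or SQL keywords, hand the values to the database as ADODB.Command parameters and HTML-encode only when the text is rendered, so no character needs to be "illegal" in the input. It assumes an already opened ADODB.Connection `conn` and the guestbook(title, con) table from redmangame's post; the length limits are assumed values.

```vbscript
<%
' Assumed: "conn" is an open ADODB.Connection to the guestbook database.
Const MAX_TITLE = 50      ' assumed limits, not from the thread
Const MAX_CON   = 2000

' Trims and bounds one field; returns "" when it is blank.
Function CleanField(value, maxLen)
    Dim s
    s = Trim(value & "")
    If Len(s) > maxLen Then s = Left(s, maxLen)
    CleanField = s
End Function

' Inserts via a parameterised command: title and con reach the database as data,
' so quotes, semicolons or keywords inside them cannot alter the statement.
Sub SaveEntry(conn, title, con)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "INSERT INTO guestbook (title, con) VALUES (?, ?)"
    cmd.CommandType = 1                                   ' adCmdText
    ' CreateParameter(name, type, direction, size, value); 202 = adVarWChar,
    ' 203 = adLongVarWChar, 1 = adParamInput
    cmd.Parameters.Append cmd.CreateParameter("title", 202, 1, MAX_TITLE, title)
    cmd.Parameters.Append cmd.CreateParameter("con", 203, 1, MAX_CON, con)
    cmd.Execute , , 128                                   ' adExecuteNoRecords
    Set cmd = Nothing
End Sub

Dim title, con
title = CleanField(Request.Form("title"), MAX_TITLE)
con   = CleanField(Request.Form("con"), MAX_CON)

If title = "" Or con = "" Then
    Response.Write "所填标题和内容不能为空"
Else
    SaveEntry conn, title, con
    ' Encode on output, not on input: the stored text stays intact and cannot
    ' become markup or script when the guestbook is listed later.
    Response.Write "<p>" & Server.HTMLEncode(title) & "</p>"
    Response.Write "<A HREF=list.asp>返回</A>"
End If
%>
```

The same ADODB.Command pattern also replaces the concatenated INSERT that the SqlIn logger in the post above builds from the request, where the parameter name was inserted unescaped.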