数据库被写入问题(有可能是注入)?
先看代码:dim ErrorAction
ErrorAction=true
dim M_Name,M_Password,M_Password1,M_Question,M_Answer,M_Company,M_Tel,M_Fax,M_Mobile,M_Address,M_Zip,M_Contact,prov,city,M_Website,M_Email,M_CompAttribute,M_TradeName,M_mainProducts,M_AnnualRevenue,M_EmployeerNum,checkcode
M_Name=FormatSQL(trim(request("M_Name")))
checkcode=trim(request.Form("checkcode"))
M_Password=FormatSQL(trim(request("M_Password")))
M_Question=FormatSQL(trim(request("M_Question")))
M_Answer=FormatSQL(trim(request("M_Answer")))
M_Company=FormatSQL(trim(request("M_Company")))
M_Tel=FormatSQL(trim(request("M_Tel")))
M_Fax=FormatSQL(trim(request("M_Fax")))
M_Mobile=FormatSQL(trim(request("M_Mobile")))
M_Address=FormatSQL(trim(request("M_Address")))
M_Zip=FormatSQL(trim(request("M_Zip")))
M_Contact=FormatSQL(trim(request("M_Contact")))
prov=FormatSQL(trim(request("prov")))
city=FormatSQL(trim(request("city")))
M_Website=FormatSQL(trim(request("M_Website")))
M_Email=FormatSQL((trim(request("M_Email"))))
M_CompAttribute=FormatSQL(trim(request("M_CompAttribute")))
M_TradeName=FormatSQL(trim(request("M_TradeName")))
M_mainProducts=FormatSQL(trim(request("M_mainProducts")))
M_AnnualRevenue=FormatSQL(trim(request("M_AnnualRevenue")))
M_EmployeerNum=FormatSQL(trim(request("M_EmployeerNum")))
M_Sex=FormatSQL(trim(request.Form("M_Sex")))
M_zhiwei=FormatSQL(trim(request.Form("M_Zhiwei")))
if M_Name="" then
Response.Write "<Script Language=JavaScript>alert('\n提示您:\n\n用户名不能为空!');history.back(-1)</Script>"
Response.end
end if
if checkcode="" then
Response.Write "<Script Language=JavaScript>alert('\n提示您:\n\n验证码不能为空!');history.back(-1)</Script>"
Response.end
end if
if checkcode<>Session("GetCode") then
Response.Write "<Script Language=JavaScript>alert('\n提示您:\n\n验证码输入不正确!');history.back(-1)</Script>"
Response.end
end if
if M_Company="" then
Response.Write "<Script Language=JavaScript>alert('\n中国照明信息网提示您:\n\n公司名称不能为空!');history.back(-1)</Script>"
Response.end
end if
dim rs,sql
set rs=server.CreateObject("adodb.recordset")
sql="select * from member_login where M_Name='"&M_Name&"'"
rs.open sql,conn,3,3
if rs.eof then
rs.addnew
rs("M_Name")=M_Name
rs("M_Password")=md5(M_Password)
rs("M_Question")=M_Question
rs("M_Answer")=M_Answer
rs("M_Company")=M_Company
rs("M_Tel")=M_Tel
rs("M_Fax")=M_Fax
rs("M_Mobile")=M_Mobile
rs("M_Address")=M_Address
rs("M_Zip")=M_Zip
rs("M_Contact")=M_Contact
rs("M_LiveProv")=prov
rs("M_LiveCity")=city
rs("M_Website")=M_Website
rs("M_Email")=M_Email
rs("M_CompAttribute")=M_CompAttribute
rs("M_TradeName")=M_TradeName
rs("M_mainProducts")=M_mainProducts
rs("M_AnnualRevenue")=M_AnnualRevenue
rs("M_EmployeerNum")=M_EmployeerNum
rs("M_Type")=M_Type
rs("M_Sex")=M_Sex
rs("M_zhiwei")=M_zhiwei
rs.update
rs.close
set rs=nothing
'*************************************
'过滤特殊字符
'*************************************
Function FormatSQL(ChkStr)
Dim Str:Str=ChkStr
If IsNull(Str) Then
FormatSQL = ""
Exit Function
End If
Str = Replace(Str, "&", "&")
Str = Replace(Str,"'","'")
Str = Replace(Str,"""",""")
Dim re
Set re=new RegExp
re.IgnoreCase =True
re.Global=True
re.Pattern="(w)(here)"
Str = re.replace(Str,"$1here")
re.Pattern="(s)(elect)"
Str = re.replace(Str,"$1elect")
re.Pattern="(i)(nsert)"
Str = re.replace(Str,"$1nsert")
re.Pattern="(c)(reate)"
Str = re.replace(Str,"$1reate")
re.Pattern="(d)(rop)"
Str = re.replace(Str,"$1rop")
re.Pattern="(a)(lter)"
Str = re.replace(Str,"$1lter")
re.Pattern="(d)(elete)"
Str = re.replace(Str,"$1elete")
re.Pattern="(u)(pdate)"
Str = re.replace(Str,"$1pdate")
re.Pattern="(\s)(or)"
Str = re.replace(Str,"$1or")
Set re=Nothing
FormatSQL=Str
End Function
%>
放到服务器后,后台数据库总是被写入很多条信息。甚至30秒内会有一次。
