[求助]如何替换掉非法字符，我在论坛上没有搜索到就来请教了 - ASP技术论坛

第 11 楼

得分:0

如果要过滤非法字符,非法字符那么多,并且还有大小写,有的还用chr()那么多,要替换多少呀.

我认为要判断一下是字符还是数字,如果是数字,就不怕这些非法字符,如果是字符只需限制他们的长度,不就行了

第 12 楼

得分:0

那个是什么这样写对吗
<%
function con(contentTemp,length)
length=Cint(length)
contentTemp=replace(contentTemp,"'","''")
contentTemp=replace(contentTemp,chr(34),"""")
contentTemp=replace(contentTemp,"&","&")
contentTemp=replace(contentTemp," ","  ")
contentTemp=replace(contentTemp,"<","<")
contentTemp=replace(contentTemp,">",">")
if len(contentTemp)>length then
contentTemp=left(contentTemp,length)
end if
com=contentTemp
end function
%>
<%
dim title,con
title=request.form("title")
con=request.form("con")
if trim(title)="" or trim(con)="" then
response.write"所填标题和内容不能为空"
else
set rs= Server.CreateObject("adodb.recordset")
sql= "select * from guestbook"
rs.open sql,conn,1,3
rs.addnew
rs("title")=title
rs("con")=con
rs.update
rs.close
set rs=nothing
conn.close
set conn=nothing
response.write("<A HREF=list.asp>返回</A>")
end if
%>

我是菜鸟

第 13 楼

得分:0

错误的原因是没有引用，看了几天的代码总算给发现了，哈哈

strSTR = LCase(strSTR)
strSTR = Replace(strSTR,"'","")
strSTR = Replace(strSTR,"*","")
strSTR = Replace(strSTR,"?","")
strSTR = Replace(strSTR,"(","")
strSTR = Replace(strSTR,")","")
strSTR = Replace(strSTR,"<","")
strSTR = Replace(strSTR,">","")
strSTR = Replace(strSTR,".","")
strSTR = Replace(strSTR,"and","")
strSTR = Replace(strSTR,"exec","")
strSTR = Replace(strSTR,"insert","")
strSTR = Replace(strSTR,"delete","")
strSTR = Replace(strSTR,"update","")
strSTR = Replace(strSTR,"select","")
strSTR = Replace(strSTR,"count","")
strSTR = Replace(strSTR,"master.","")
strSTR = Replace(strSTR,"%20from","")
strSTR = Replace(strSTR,";","")
strSTR = Replace(strSTR,"mid","")
strSTR = Replace(strSTR,"chr(37)","")
strSTR = Replace(strSTR,"=","")
strSTR = Replace(strSTR,"set","")

[此贴子已经被作者于2006-1-25 15:20:57编辑过]

我是菜鸟

第 14 楼

得分:0

Dim Fy_Post,Fy_Get,Fy_In,Fy_Inf,Fy_Xh,Fy_db,Fy_dbstr

Fy_In = "'//;//and//exec//insert//select//delete//update//count//*//%//chr//mid//master//truncate//char//declare"

<%
Fy_Inf = split(Fy_In,"//")

If Request.Form<>"" Then
For Each Fy_Post In Request.Form

For Fy_Xh=0 To Ubound(Fy_Inf)
If Instr(LCase(Request.Form(Fy_Post)),Fy_Inf(Fy_Xh))<>0 Then
Response.Write "<Script Language=JavaScript>alert('请不要在参数中包含非法字符尝试注入！');</Script>"
Response.Write "<table width='400' height='20' border='0' align='center' cellpadding='0' cellspacing='0'>"
Response.Write "<tr><td width='400' height='20'>非法操作！系统做了如下记录<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>操作ＩＰ："&Request.ServerVariables("REMOTE_ADDR")&"<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>操作时间："&Now&"<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>操作页面："&Request.ServerVariables("URL")&"<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>提交方式：ＰＯＳＴ<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>提交参数："&Fy_Post&"<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>提交数据："&Request.Form(Fy_Post)&"<br></td></tr></table>"
Response.End
End If
Next

Next
End If

If Request.QueryString<>"" Then
For Each Fy_Get In Request.QueryString

For Fy_Xh=0 To Ubound(Fy_Inf)
If Instr(LCase(Request.QueryString(Fy_Get)),Fy_Inf(Fy_Xh))<>0 Then

Set Fy_db = Server.CreateObject("ADODB.Connection")
Fy_dbstr="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("inc/SqlIn.mdb")
Fy_db.Open Fy_dbstr
Fy_db.Execute("insert into SqlIn(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('"&Request.ServerVariables("REMOTE_ADDR")&"','"&Request.ServerVariables("URL")&"','GET','"&Fy_Get&"','"&replace(Request.QueryString(Fy_Get),"'","''")&"')")
Fy_db.close
set Fy_db=nothing

Response.Write "<Script Language=JavaScript>alert('请不要在参数中包含非法字符尝试注入！');</Script>"
Response.Write "<table width='400' height='20' border='0' align='center' cellpadding='0' cellspacing='0'>"
Response.Write "<tr><td width='400' height='20'>非法操作！系统做了如下记录<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>操作ＩＰ："&Request.ServerVariables("REMOTE_ADDR")&"<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>操作时间："&Now&"<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>操作页面："&Request.ServerVariables("URL")&"<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>提交方式：ＰＯＳＴ<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>提交参数："&Fy_get&"<br></td></tr>"
Response.Write "<tr><td width='400' height='20'>提交数据："&Request.QueryString(Fy_get)&"<br></td></tr></table>"
Response.End
End If
Next
Next
End If