
ASP常用函数收藏


写个函数,能防范大部分 SQL 注入漏洞(函数 SafeRequest(ParaName,ParaType) 如下):

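Function SafeRequest(ParaName,ParaType)
'--- Parameters ---
'ParaName: parameter name (string)
'ParaType: 1 = the value must be an integer, 0 = the value is text
'Returns: ParaType=1 -> a Long; ParaType=0 -> the text with every single
'         quote doubled, usable ONLY inside a single-quoted SQL literal
'         (never as an identifier, a bare number or a LIKE pattern).
'Side effect: with ParaType=1 and a value that is not a plain integer, a
'message is written and the response is ended.
'Why the extra check: IsNumeric alone also accepts forms such as "1e3",
'"&HFF", "1,000" and blank-padded text, so the value is additionally
'required to be an optional "-" followed by digits, and its magnitude is
'bounded so that CLng cannot raise an overflow.
Dim ParaValue, i, ch, digitsOnly
ParaValue=Request(ParaName)
If ParaType=1 then
  ParaValue = Trim("" & ParaValue)
  digitsOnly = (Len(ParaValue) > 0)
  For i = 1 To Len(ParaValue)
    ch = Mid(ParaValue, i, 1)
    If ch < "0" Or ch > "9" Then
      'only a leading minus sign is tolerated besides digits
      If Not (i = 1 And ch = "-" And Len(ParaValue) > 1) Then digitsOnly = False
    End If
  Next
  If digitsOnly Then
    'Long range check through CDbl so the CLng below cannot raise.
    If CDbl(ParaValue) > 2147483647 Or CDbl(ParaValue) < -2147483648 Then digitsOnly = False
  End If
  If Not digitsOnly Then
    Response.write "参数" & ParaName & "必须为数字型!"
    Response.end
  End If
  ParaValue = CLng(ParaValue)
Else
  'Doubling the quote is the escaping rule for a single-quoted literal.
  ParaValue=replace(ParaValue,"'","''")
End if
SafeRequest=ParaValue
End function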

=========================================================

<%
'*******************************************************************
'取得IP地址
'*******************************************************************

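Function Userip()
    ' Best-effort client address for logging and display.
    ' Returns the first entry of HTTP_X_FORWARDED_FOR when that header is
    ' present, otherwise REMOTE_ADDR.
    ' CAUTION: X-Forwarded-For is an ordinary request header that any
    ' client can set, so a value taken from it is attacker-controlled
    ' unless a trusted proxy in front of this server overwrites the header.
    ' Do not use it alone for access control or rate limiting; REMOTE_ADDR
    ' is the address of the peer that actually connected.
    ' Fix: the header may carry a chain "client, proxy1, proxy2"; the
    ' original returned the whole string, which is not a single address.
    Dim forwarded, clientIp, parts
    forwarded = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    If IsNull(forwarded) Or IsEmpty(forwarded) Then forwarded = ""
    forwarded = Trim("" & forwarded)
    If forwarded = "" Then
        ' No proxy header: use the TCP peer address.
        clientIp = Request.ServerVariables("REMOTE_ADDR")
    Else
        ' First element of the comma-separated chain, trimmed.
        parts = Split(forwarded, ",")
        clientIp = Trim(parts(0))
    End If
    Userip = clientIp
End function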

'*******************************************************************
' 弹出对话框
'*******************************************************************

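Sub alert(message)
  ' Emit a <script> block that shows message in a JavaScript alert().
  ' message is placed inside a single-quoted JS string literal, so every
  ' character that could end the literal or the script element is
  ' escaped: backslash (first, so later escapes are not doubled), single
  ' quote, CR/LF (a JS string cannot span lines) and "</" (so a
  ' "</script>" inside message cannot close the block early).
  ' The original escaped only the single quote and, because VBScript
  ' passes ByRef, overwrote the caller's variable; a local copy is used.
  Dim escaped
  escaped = replace(message,"\","\\")
  escaped = replace(escaped,"'","\'")
  escaped = replace(escaped,chr(13),"\r")
  escaped = replace(escaped,chr(10),"\n")
  escaped = replace(escaped,"</","<\/")
  Response.Write ("<script>alert('" & escaped & "')</script>")
End Sub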
 
'*******************************************************************
' 返回上一页,一般用在判断信息提交是否完全之后
'*******************************************************************

Sub GoBack()
  ' Send a client-side "one step back in history" instruction.
  ' Typically used after a failed form check; the browser, not the
  ' server, performs the navigation.
  Dim script
  script = "<script>history.go(-1)</script>"
  Response.write (script)
End Sub
 
'*******************************************************************
' 重定向另外的连接
'*******************************************************************

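Sub Go(url)
  ' Client-side redirect to url via JavaScript.
  ' Fix: location.href is a property, not a function - the original
  ' "location.href('...')" throws a TypeError in the browser and never
  ' navigates. The assignment form is used instead.
  ' url is embedded in a single-quoted JS string literal, so backslash,
  ' quote, line breaks and "</" are escaped to keep the script well
  ' formed. The destination itself is not validated here; a caller that
  ' takes it from the request must still check where it points.
  Dim target
  target = replace(url,"\","\\")
  target = replace(target,"'","\'")
  target = replace(target,chr(13),"\r")
  target = replace(target,chr(10),"\n")
  target = replace(target,"</","<\/")
  Response.write ("<script>location.href='" & target & "'</script>")
End Sub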

'*******************************************************************
' 指定秒数重定向另外的连接
'*******************************************************************
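sub GoPage(url,s)
  ' Client-side redirect to url after s seconds.
  ' Fixes: window.navigate() exists only in old Internet Explorer, so a
  ' standard "location.href = ..." assignment inside a function is
  ' scheduled instead (a function avoids the nested-quoting of the
  ' original string-argument form); url is escaped for a single-quoted
  ' JS string literal (backslash first, then quote, CR/LF and "</"); and
  ' the delay is computed into a local instead of overwriting the
  ' caller's ByRef s. CLng(s) raises on a non-numeric delay, as s*1000 did.
  Dim delayMs, target
  delayMs = CLng(s) * 1000
  target = replace(url,"\","\\")
  target = replace(target,"'","\'")
  target = replace(target,chr(13),"\r")
  target = replace(target,chr(10),"\n")
  target = replace(target,"</","<\/")
  Response.Write "<SCRIPT LANGUAGE=JavaScript>"
  Response.Write "window.setTimeout(function(){location.href='" & target & "';}," & delayMs & ")"
  Response.Write "</script>"
end sub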

'*******************************************************************
' 判断数字是否整形
'*******************************************************************

function isInteger(para)
on error resume next
' True when para converts to a non-empty string made only of the
' characters "0".."9". A sign, a decimal point or surrounding blanks
' make it False, so this is really an "unsigned digits" check.
' Null is False. Any error raised while converting is swallowed by the
' On Error Resume Next above (an unconvertible value ends up as "")
' and the error state is cleared before returning.
dim text, pos, digit, allDigits
if isNull(para) then
  isInteger = false
  exit function
end if
text = cstr(para)
if trim(text) = "" then
  isInteger = false
  exit function
end if
allDigits = true
for pos = 1 to len(text)
  digit = mid(text, pos, 1)
  ' String comparison against the bounding digit characters.
  if digit < "0" or digit > "9" then allDigits = false
next
isInteger = allDigits
if err.number <> 0 then err.clear
end function

'*******************************************************************
' 获得文件扩展名
'*******************************************************************

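function GetExtend(filename)
' Lower-cased extension of filename (text after the last "."), with
' server-executable extensions mapped to "txt" so an uploaded file is
' not stored under a name the web server would execute.
' Fixes: a name without a "." returned the whole name as its extension
' (InStrRev returns 0); it now returns "". Null returns "" as well.
' The original substring test (any extension that merely contains
' "asp"/"php" is mapped) is kept, and the list is extended with the
' other extensions classic ASP on IIS maps to asp.dll (asa, cer, cdx),
' the ASP.NET handlers ashx/asmx and the SSI extensions shtm/stm.
' A blacklist is inherently incomplete: callers that can do so should
' instead accept only a fixed list of known-safe extensions.
dim dotPos, ext, blocked, i
GetExtend = ""
if isnull(filename) then exit function
if filename = "" then exit function
dotPos = instrrev(filename, ".")
if dotPos = 0 then exit function
ext = LCase(mid(filename, dotPos + 1))
blocked = Array("asp", "php", "asa", "cer", "cdx", "ashx", "asmx", "shtm", "stm")
for i = 0 to ubound(blocked)
  if instr(1, ext, blocked(i)) > 0 then ext = "txt"
next
GetExtend = ext
end function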

' *----------------------------------------------------------------------------
' * 函数:CheckIn
' * 描述:检测参数是否有SQL危险字符
' * 参数:str要检测的数据
' * 返回:FALSE:安全 TRUE:不安全
' * 作者:
' * 日期:
' *----------------------------------------------------------------------------

function CheckIn(str)
' Returns True when str contains a single quote (chr 39), a double
' quote (chr 34) or a semicolon (chr 59); False otherwise.
' This is only a crude marker check - it is not a substitute for
' parameterised queries. A Null str yields False.
dim hasQuote, hasDQuote, hasSemi
hasQuote  = instr(1, str, chr(39)) > 0
hasDQuote = instr(1, str, chr(34)) > 0
hasSemi   = instr(1, str, chr(59)) > 0
if hasQuote or hasDQuote or hasSemi then
  CheckIn = true
else
  CheckIn = false
end if
end function

' *----------------------------------------------------------------------------
' * 函数:HTMLEncode
' * 描述:过滤HTML代码
' * 参数:--
' * 返回:--
' * 作者:
' * 日期:
' *----------------------------------------------------------------------------

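function HTMLEncode(fString)
' Escapes fString for insertion into HTML text while keeping textarea
' layout: every space and tab becomes &nbsp;, a blank line becomes a
' paragraph break and a single LF becomes <BR>. CR is dropped first so
' CRLF input is handled as LF.
' Fix: "&" was not escaped, so input such as "&lt;" reached the page as
' a live entity and the output could not be decoded back unambiguously;
' it is now replaced first, before the other entities are introduced.
' The result is built in a local so the caller's ByRef variable is not
' overwritten. Returns Empty when fString is Null (as before).
dim text
if isnull(fString) then exit function
text = fString
text = replace(text, "&", "&amp;")
text = replace(text, ">", "&gt;")
text = replace(text, "<", "&lt;")

text = Replace(text, CHR(32), "&nbsp;")
text = Replace(text, CHR(9), "&nbsp;")
text = Replace(text, CHR(34), "&quot;")
text = Replace(text, CHR(39), "&#39;")
text = Replace(text, CHR(13), "")
text = Replace(text, CHR(10) & CHR(10), "</P><P> ")
text = Replace(text, CHR(10), "<BR> ")

HTMLEncode = text
end function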

' *----------------------------------------------------------------------------
' * 函数:HTMLcode
' * 描述:过滤表单字符
' * 参数:--
' * 返回:--
' * 作者:
' * 日期:
' *----------------------------------------------------------------------------

function HTMLcode(fString)
' Form-text normaliser: drops CR, turns a blank line into "</P><P>",
' strips every double quote and turns a remaining LF into "<BR>".
' "<", ">" and "&" pass through untouched, so this does NOT make the
' value safe for HTML output. Null returns Empty. fString is ByRef and
' is updated in place, as in the original.
if isnull(fString) then exit function
fString = Replace(fString, CHR(13), "")
fString = Replace(fString, CHR(10) & CHR(10), "</P><P>")
fString = Replace(fString, CHR(34), "")
fString = Replace(fString, CHR(10), "<BR>")
HTMLcode = fString
end function

' *----------------------------------------------------------------------------
' * 函数:HTMLREM
' * 描述:解决过滤
' * 参数:--
' * 返回:--
' * 作者:
' * 日期:
' *----------------------------------------------------------------------------

function HTMLREM(fString)
' Flattens fString to one line (CR and LF removed), collapses runs of
' spaces with ReplaceSpace and then HTML-escapes it with HTMLEncode.
' Null returns Empty. Depends on ReplaceSpace and HTMLEncode defined
' elsewhere in this file; fString is ByRef and ends up holding the
' encoded text, exactly as in the original.
if isnull(fString) then exit function
fString = Replace(fString, CHR(13), "")
fString = Replace(fString, CHR(10) & CHR(10), "")
fString = Replace(fString, CHR(10), "")
fString = ReplaceSpace(fString)
fString = HTMLEncode(fString)
HTMLREM = fString
end function

' *----------------------------------------------------------------------------
' * 函数:ReplaceSpace
' * 描述:替换所有相连空格为单空格
' * 参数:--
' * 返回:--
' * 作者:
' * 日期:
' *----------------------------------------------------------------------------

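function ReplaceSpace(content)
' Trims content and collapses every run of two or more spaces to one.
' Fix: as printed, the loop searched for a single space and replaced it
' with a single space, which never changes the string, so any content
' containing a space would loop forever. The search string is now two
' spaces, matching the header comment's intent. Null is returned
' unchanged; content is ByRef and is trimmed in place, as before.
dim twoSpaces
twoSpaces = "  "
content = trim(content)
if isnull(content) then
  replacespace = content
  exit function
end if
if content = "" then
  replacespace = ""
else
  do while instr(1, content, twoSpaces) > 0
    content = Replace(content, twoSpaces, " ")
  loop
  replacespace = content
end if
end function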

rem 将字串处理成sql中语句的一部分之搜索条件

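function StrToSql_or(content,field)
' Builds "<field> like '%w1%' or <field> like '%w2%' ..." from the
' space-separated words in content; "" for blank content.
' Fix: content is user search text, but it was pasted into the SQL
' string with no escaping, so a single quote in it ended the literal
' and the rest of the text became SQL. Single quotes are now doubled
' before the words are split. The LIKE wildcards "%" and "_" are not
' escaped (a user can still widen the match), and field is a column
' name that must come from trusted code, never from the request.
' Parameterised queries remain the better option where available.
dim words, pattern
words = trim(content)
if words = "" then
  strtosql_or = ""
  exit function
end if
words = replace(words, "'", "''")
pattern = field & " like '%" & replace(words, " ", "%' or " & field & " like '%") & "%'"
strtosql_or = pattern
end function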

rem 将字串处理成sql中语句的一部分之搜索日期
function StrToSql_Date(searchdate,field)
' Builds "<field> between '<start>' and '<today>'" for a period code:
' 1 = last week, 2 = last month, 3 = last quarter, 4 = last year.
' Code 0 gives "" and any other code leaves the result Empty.
' Dates are formatted by date()/dateadd() in the server locale, and
' field is spliced in verbatim, so it must be a trusted column name.
' searchdate is ByRef and is converted with clng in place, which raises
' on non-numeric input.
dim startDate, interval
searchdate=clng(searchdate)
select case searchdate
case 0
  StrToSql_Date=""
  exit function
case 1
  interval = "ww"
case 2
  interval = "m"
case 3
  interval = "q"
case 4
  interval = "yyyy"
case else
  exit function
end select
startDate = dateadd(interval, -1, date())
StrToSql_Date = field & " between '" & startDate & "' and '" & date() & "'"
end function

function StrToSql_Date2(field)
' Builds "<field> between '<Monday 1:00:00>' and '<Sunday 23:59:59>'"
' for the current week. Weekday(date(),2) counts Monday as 1, so the
' start is today minus (weekday-1) days and the end is today plus
' (7-weekday) days; the times are appended as text before dateadd
' parses them. field is inserted verbatim (trusted column name only).
dim weekPos, weekStart, weekEnd
weekPos = Weekday(date(), 2)
weekStart = dateadd("d", 1 - weekPos, (date() & " 1:00:00"))
weekEnd = dateadd("d", 7 - weekPos, (date() & " 23:59:59"))
StrToSql_Date2 = field & " between '" & weekStart & "' and '" & weekEnd & "'"
end function

rem 字符截断
function Strfix(content,n)
' Trims content and, when it is longer than n characters, keeps the
' first n and appends "...". Shorter text is returned trimmed.
' content is ByRef and is trimmed in place, as in the original.
content = trim(content)
Strfix = content
if len(content) > n then Strfix = left(content, n) & "..."
end function

rem 字符串处理-截断(新闻)
function StrNewfix(content)
' Headline truncation: trimmed content cut to 27 characters plus "..."
' when longer; otherwise returned trimmed. The 27 is a fixed layout
' width, unlike Strfix which takes the width as a parameter.
' content is ByRef and is trimmed in place, as in the original.
const headlineWidth = 27
content = trim(content)
if len(content) > headlineWidth then
  strnewfix = left(content, headlineWidth) & "..."
else
  strnewfix = content
end if
end function
%>


==========================================================

'@转换日期为星期几函数
'@idate为标准日期格式
'@itype为0时表示英文星期几,否则为中文
function showweek(idate,itype)
' Name of the weekday of idate: English when itype is 0, otherwise
' Chinese (any non-zero itype is normalised to 1, and itype is ByRef
' so the caller sees that). weekday() numbers Sunday as 1 through
' Saturday as 7 with the default first day of week. A Null idate
' leaves the result Empty.
dim names, dayNo
if itype <> 0 then itype = 1 ' any non-zero selector means Chinese
if itype = 0 then
  names = Array("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")
else
  names = Array("星期天", "星期一", "星期二", "星期三", "星期四", "星期五", "星期六")
end if
dayNo = weekday(idate)
if isnull(dayNo) then exit function
' weekday is 1-based, the array is 0-based.
showweek = names(dayNo - 1)
end function
'//*************************************************************
'@分页列表函数
'@参数说明:TotalReCount:记录总数
'@page:当前页码,pagesize:分页大小,url:页面地址
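function PageList(TotalReCount,page,pagesize,url)
' Writes a pager: first/previous links, a window of numbered page links
' with the current page shown as plain text, and next/last links.
' Every link is url plus "page=N".
' Fixes against the original:
'  - the numbered links had an empty href and the current page was
'    printed from an undeclared variable i (ipage was meant);
'  - the summary printed pagesize where the page count appears to have
'    been intended;
'  - next/last links were shown only while more than 4 pages remained,
'    so the last few pages had no forward link; now "page < totalPage";
'  - pagesize below 1 is treated as 1 to avoid a division by zero, and
'    the Cint on the page count (overflows above 32767) is dropped;
'  - url is written through Server.HTMLEncode, so "&" becomes "&amp;"
'    at output time and a quote or "<" in a caller-supplied url cannot
'    break out of the href attribute. The original pre-encoded "&amp;"
'    into url itself, which gave the same markup for well-formed input.
' Side effects: writes HTML with Response.Write. Arguments are not
' modified (locals are used instead of the ByRef parameters).
dim startPage, endPage, ipage, totalPage, baseUrl, perPage, curPage
perPage = CLng(pagesize)
if perPage < 1 then perPage = 1
curPage = CLng(page)
' Separator for the page= parameter depends on whether url has a query.
if inStr(1, url, "?") = 0 then
  baseUrl = url & "?"
else
  baseUrl = url & "&"
end if
baseUrl = Server.HTMLEncode(baseUrl)
' Total number of pages, rounding up.
totalPage = TotalReCount \ perPage
if TotalReCount mod perPage <> 0 then totalPage = totalPage + 1
' Window of about 10 page numbers around the current page.
startPage = 1
if curPage > 10 then startPage = curPage - 4
if totalPage < 10 then
  endPage = totalPage
elseif curPage <= 10 then
  endPage = 10
else
  endPage = curPage + 4
end if
if endPage > totalPage then endPage = totalPage
Response.Write "共有:" & TotalReCount & "&nbsp;" & totalPage & "页" & vbCrLf
if curPage > 1 then
  Response.Write "<a href=""" & baseUrl & "page=1""><font face=""webdings"">9</font></a>&nbsp;" & vbCrLf
  Response.Write "<a href=""" & baseUrl & "page=" & (curPage - 1) & """><font face=""webdings"">7</font></a>&nbsp;" & vbCrLf
end if
for ipage = startPage to endPage
  if ipage <> curPage then
    Response.Write " <a href=""" & baseUrl & "page=" & ipage & """>" & ipage & "</a>&nbsp;" & vbCrLf
  else
    ' Current page: plain text, no link.
    Response.Write ipage & "&nbsp;"
  end if
next
if curPage < totalPage then
  Response.Write "<a href=""" & baseUrl & "page=" & (curPage + 1) & """><font face=""webdings"">8</font></a>&nbsp;" & vbCrLf
  Response.Write "<a href=""" & baseUrl & "page=" & totalPage & """><font face=""webdings"">:</font></a>&nbsp;" & vbCrLf
end if
end function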
'//*************************************************************

'//检测组件是否安装函数
Function IsObjInstalled(strClassString)
' True when Server.CreateObject can instantiate the ProgID given in
' strClassString, False otherwise. Creation errors are suppressed with
' On Error Resume Next and the error state is cleared on both paths so
' nothing leaks to the caller. The probe object is released before
' returning.
On Error Resume Next
 Dim probe
 IsObjInstalled = False
 Err.Clear
 Set probe = Server.CreateObject(strClassString)
 IsObjInstalled = (Err.Number = 0)
 Set probe = Nothing
 Err.Clear
End Function
'//*************************************************************
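Function SafeRequest(ParaName,ParaType)   'read a request parameter for use in a SQL literal
'--- Parameters ---//e.g. SafeRequest("username",0) or SafeRequest("id",1)
'ParaName: parameter name (string)
'ParaType: 1 = value must be an integer; values below 1 are clamped to 1
'          0 = value is text and every ' is doubled for a quoted literal
'Returns a Long for ParaType=1, otherwise the escaped string (valid only
'inside a single-quoted SQL literal, not as an identifier or number).
'With ParaType=1 and a value that is not a plain integer, a
'history.back() script is written and the response is ended.
'Fixes: IsNumeric also accepts "1e3", "&HFF", "1,000" and blank-padded
'values, so the text is additionally required to be an optional "-" plus
'digits; and the "ParaValue < 1" clamp compared a String with a number
'(in VBScript a String always sorts above a number), so it never fired -
'the value is now converted with CLng before the comparison.
       Dim ParaValue, i, ch, digitsOnly
       ParaValue=Request(ParaName)
       If ParaType=1 then
              ParaValue = Trim("" & ParaValue)
              digitsOnly = (Len(ParaValue) > 0)
              For i = 1 To Len(ParaValue)
                     ch = Mid(ParaValue, i, 1)
                     If ch < "0" Or ch > "9" Then
                            'a leading "-" is allowed so negatives still reach the clamp
                            If Not (i = 1 And ch = "-" And Len(ParaValue) > 1) Then digitsOnly = False
                     End If
              Next
              If digitsOnly Then
                     'range check through CDbl so CLng below cannot raise
                     If CDbl(ParaValue) > 2147483647 Or CDbl(ParaValue) < -2147483648 Then digitsOnly = False
              End If
              If Not digitsOnly Then
                     Response.write "<script language=javascript>window.history.back();</script>"
                     Response.end
              End If
              ParaValue = CLng(ParaValue)
              If ParaValue < 1 Then ParaValue = 1
       Else
              ParaValue=replace(ParaValue,"'","''")
       End if
       SafeRequest=ParaValue
End function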
'//*************************************************************
'//HTML解码函数
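Function HTMLDecode(fString)
' Inverse of HTMLEncode: turns the entities and line-break markup that
' HTMLEncode produces back into plain text, e.g. to refill a textarea.
' The result is raw, unescaped text - write it into an HTML page only
' through HTMLEncode/Server.HTMLEncode again.
' Fixes: the two "space" replacements had lost their "&nbsp;" search
' string when this listing was published (the trailing comments still
' name it); as printed, the second one turned every space into a tab.
' They are replaced by a single "&nbsp;" -> space mapping. Markup is
' matched case-insensitively (both "<br>" and "<BR>" encoders exist on
' this page), "&#39;" is decoded too, and "&amp;" is decoded last so
' text the encoder had escaped (e.g. "&amp;lt;") comes back as typed.
' Null returns Empty; the caller's ByRef variable is left untouched.
 Dim text
 If IsNull(fString) Then Exit Function
 text = fString
 text = Replace(text, "<br>", CHR(10), 1, -1, vbTextCompare)
 text = Replace(text, "</p><p>", CHR(10) & CHR(10), 1, -1, vbTextCompare)
 text = Replace(text, "&nbsp;", CHR(32))
 text = Replace(text, "&quot;", CHR(34)) 'double quote
 text = Replace(text, "&#39;", CHR(39))  'single quote
 text = Replace(text, "&lt;", "<")
 text = Replace(text, "&gt;", ">")
 text = Replace(text, "&amp;", "&")
 HTMLDecode = text
End Function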
'//*************************************************************
'//HTML编码函数
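Function HTMLEncode(fString)
' Escapes fString for HTML text while preserving textarea layout:
' space and tab become &nbsp;, a blank line becomes </p><p> and a
' single LF becomes <br>; CR is dropped first so CRLF acts as LF.
' Fixes: "&" is escaped first (it was not, so a user-typed "&lt;"
' became a live entity and decoding was ambiguous); the two whitespace
' replacements use the "&nbsp;" string the trailing comments say was
' intended (in the published listing the entity had been rendered to a
' literal space, making them no-ops); and the single quote is encoded
' as &#39; like the other HTMLEncode on this page, so the result is
' also safe inside a single-quoted attribute. Null returns Empty; the
' caller's ByRef variable is left untouched.
 Dim text
 If IsNull(fString) Then Exit Function
 text = fString
 text = Replace(text, "&", "&amp;")
 text = Replace(text, ">", "&gt;")
 text = Replace(text, "<", "&lt;")
 text = Replace(text, CHR(32), "&nbsp;")
 text = Replace(text, CHR(9), "&nbsp;")
 text = Replace(text, CHR(34), "&quot;") 'double quote
 text = Replace(text, CHR(39), "&#39;")  'single quote
 text = Replace(text, CHR(13), "")
 text = Replace(text, CHR(10) & CHR(10), "</p><p>")
 text = Replace(text, CHR(10), "<br>")
 HTMLEncode = text
End Function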
'//*************************************************************
'CFS Encode Function
Function CfsEnCode(CodeStr)
' Obfuscates CodeStr into a short hex-digit string (helper: CfsCode).
' Steps as written below: pad to 30 characters with Chr(21); multiply
' 30 factors (30 + charcode * position) into one number; treat that
' number as text and hex-encode every overlapping 3-character window;
' finally keep every second character from position 20 up to 18 before
' the end.
' NOTE(review): this is NOT a cryptographic hash - it is keyless, the
' value is a product of small factors, and a 30-factor product far
' exceeds Long range, so the intermediate is whatever VBScript's numeric
' promotion and number-to-string conversion yield (presumably a Double
' rendered in E notation; confirm before relying on the output format).
' Characters past position 30 of CodeStr never enter the loop. Do not
' use it to protect passwords; use a vetted, salted password hash.
' CodeStr is ByRef and is overwritten with the intermediate number.
Dim CodeLen
Dim CodeSpace
Dim NewCode
dim cecr,cecb,cec
CodeLen = 30
CodeSpace = CodeLen - Len(CodeStr)
' Pad up to CodeLen with Chr(21); longer input is not shortened here.
If Not CodeSpace < 1 Then
 For cecr = 1 To CodeSpace
  CodeStr = CodeStr & Chr(21)
 Next
End If
NewCode = 1
Dim Been
' Product over the first CodeLen characters only.
For cecb = 1 To CodeLen
 Been = CodeLen + Asc(Mid(CodeStr,cecb,1)) * cecb
 NewCode = NewCode * Been
Next
' Reuse CodeStr to hold the numeric product; Mid below converts it to text.
CodeStr = NewCode
NewCode = Empty
' Hex of each overlapping 3-character window of the number's text.
For cec = 1 To Len(CodeStr)
 NewCode = NewCode & CfsCode(Mid(CodeStr,cec,3))
Next
' Keep every second character of the middle part as the result.
For cec = 20 To Len(NewCode) - 18 Step 2
 CfsEnCode = CfsEnCode & Mid(NewCode,cec,1)
Next
End Function
Function CfsCode(Word)
' Concatenates the decimal character codes of Word into one number and
' returns its hexadecimal text, e.g. "AB" -> "6566" -> "19A6".
' Helper of CfsEnCode; the concatenated decimal must stay within the
' range Hex accepts, which holds for the 3-character windows CfsEnCode
' passes in.
dim pos, digits
digits = Empty
for pos = 1 to Len(Word)
 digits = digits & Asc(Mid(Word, pos, 1))
next
CfsCode = Hex(digits)
End Function
'//*************************************************************
'//转换中文货币大小写
function CLMoney(thenumber)
' Renders a numeric amount string as Chinese uppercase currency text
' (digits from String1 零壹贰..., units from String2 万仟佰拾亿...元角分厘毫).
' thenumber is expected as a plain decimal string: the "." (if any) is
' removed and every remaining character is used as an index into String1,
' so a non-digit character makes the "one(i)+1" arithmetic fail with a
' type mismatch - no validation is done here (review note).
' Unit positions are chosen so the last integer digit lands on 元
' (position 13 of String2) and decimal digits continue with 角分厘毫;
' with more digits than String2 provides for, the Mid index falls
' outside the string (review note: bound the input before calling).
' thenumber is ByRef and is modified when it contains a ".".
dim Money,i,String1,String2,length,checkp' working variables
dim one(),onestr()' per-digit numeral and per-digit unit
String1 = "零壹贰叁肆伍陆柒捌玖" 
String2 = "万仟佰拾亿仟佰拾万仟佰拾元角分厘毫"
checkp=instr(thenumber,".")' position of the decimal point, 0 if none 
if checkp<>0 then
thenumber=replace(thenumber,".","")' drop the decimal point
end if
length=len(thenumber) ' number of digits 
redim one(length-1)' one slot per digit
redim onestr(length-1)' one slot per digit
for i=0 to length-1 
one(i)=mid(thenumber,i+1,1) ' the i-th digit character 
one(i)=mid(string1,one(i)+1,1)' its uppercase Chinese numeral

if checkp=0 then
' no decimals: the last digit maps to 元 (index 13)
onestr(i)=mid(string2,14-length+i,1)
else
' with decimals: shift the unit by the number of digits after the point
onestr(i)=mid(string2,15-length+i+len(thenumber)-checkp,1)
end if
one(i)=one(i)&onestr(i)' numeral followed by its unit 
next
Money=replace(join(one)," ","") ' join all parts (Join's default separator is a space) 
Money=replace(Money,"零元","元")
Money=replace(Money,"零万","万")
Money=replace(Money,"零亿","亿")
Money=replace(Money,"零仟","零")
Money=replace(Money,"零佰","零")
Money=replace(Money,"零拾","零")
' collapse runs of 零 into one
do while not instr(Money,"零零")=0 
Money=replace(Money,"零零","零")
loop
CLmoney = Money
end function
'//***********************************************************
'//IP转换成数字,限制IP时用
'@使用示例
'// userIPnum = IP2Num(Request.ServerVariables("REMOTE_ADDR"))
'// if userIPnum > IP2Num("192.168.0.0") and userIPnum <
'// IP2Num("192.168.0.255") then
'//  response.write ("<center>您的IP被禁止</center>")
'//  response.end
'// end if
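function IP2Num(sip)
' Converts a dotted-quad IPv4 string to a number suitable for range
' comparisons, or 0 when sip is not a well-formed address.
' The value is (a*256^3 + b*256^2 + c*256 + d) - 1: the trailing "-1"
' is kept from the original so stored values keep comparing the same.
' Fixes: the original only checked the first two characters with
' IsNumeric and then relied on InStr positions, so input such as
' "1.2.3" or "300.1.1.1" raised or produced nonsense; now exactly four
' parts are required, each 1-3 plain digits in 0..255. CInt is replaced
' by CDbl because 192*256^3 exceeds both Integer and Long.
' Note: feed this from REMOTE_ADDR; HTTP_X_FORWARDED_FOR is a
' client-supplied header and must not drive an allow/deny check alone.
 dim parts, i, part, ch, pos, num
 IP2Num = 0
 if isnull(sip) or isempty(sip) then exit function
 parts = Split(Trim("" & sip), ".")
 if ubound(parts) <> 3 then exit function
 num = 0
 for i = 0 to 3
  part = parts(i)
  if len(part) < 1 or len(part) > 3 then exit function
  for pos = 1 to len(part)
   ch = mid(part, pos, 1)
   if ch < "0" or ch > "9" then exit function
  next
  if CDbl(part) > 255 then exit function
  num = num * 256 + CDbl(part)
 next
 IP2Num = num - 1
end function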
'//********************************************************
==================================================================

今天在逛论坛时发现很多人都在问有关在textarea中输入的回车在html中不能显示的问题,可能这些朋友还不知道在文本中和html中显示回车的方式是不同的,因此我找了以下两个函数供大家参考:

1.HTMLEncode函数:除了server.htmlencode的所有功能以外,还有转化回车和空格的功能,可以将textarea中输入的文本按照原样在html中显示

代码如下:

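function HTMLEncode(fString)
' HTML-escapes fString and keeps textarea layout: space -> &nbsp;,
' blank line -> </P><P>, LF -> <BR>, CR dropped. Unlike the versions
' above there is no Null guard, so Null returns Null (Replace passes
' Null through). Tab is left as-is, as in the original.
' Fix: "&" is escaped first; without it the output is not equivalent
' to Server.HTMLEncode (a user-typed "&lt;" becomes a live entity) and
' HTMLDecode cannot invert the result unambiguously. A local is used
' so the caller's ByRef variable is not overwritten.
dim text
text = fString
text = replace(text, "&", "&amp;")
text = replace(text, ">", "&gt;")
text = replace(text, "<", "&lt;")
text = Replace(text, CHR(32), "&nbsp;")
text = Replace(text, CHR(34), "&quot;")
text = Replace(text, CHR(39), "&#39;")
text = Replace(text, CHR(13), "")
text = Replace(text, CHR(10) & CHR(10), "</P><P>")
text = Replace(text, CHR(10), "<BR>")
HTMLEncode = text
end function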


2.HTMLDecode函数:就是HTMLEncode函数的反函数,将html中的字符按照原样在textarea中显示,在修改信息时很有用

代码如下:

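function HTMLDecode(fString)
' Inverse of the HTMLEncode above: <BR> -> LF, </P><P> -> blank line,
' then the entities back to characters, with &amp; decoded last so
' "&amp;lt;" becomes the "&lt;" the user typed. The result is raw text
' meant for a textarea value; pass it through HTMLEncode again before
' placing it in HTML.
' Fix: Replace(fString, "", CHR(13)) searched for an empty string,
' which Replace treats as "no change" - it was a no-op and is dropped
' (HTMLEncode removes CR, so there is nothing to restore). The markup
' is matched case-insensitively so "<br>" from the other encoder
' variants decodes too. Null returns Null, as before; the caller's
' ByRef variable is not overwritten.
dim text
text = fString
text = Replace(text, "<BR>", CHR(10), 1, -1, vbTextCompare)
text = Replace(text, "</P><P>", CHR(10) & CHR(10), 1, -1, vbTextCompare)
text = Replace(text, "&nbsp;", chr(32))
text = Replace(text, "&quot;", chr(34))
text = Replace(text, "&#39;", chr(39))
text = replace(text, "&lt;", "<")
text = replace(text, "&gt;", ">")
text = replace(text, "&amp;", "&")
HTMLDecode = text
end function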

 
=======================================================================

 

提交字符串替换

把换行符和空格替换一下,函数

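function HTMLEncode(fString)
' Escapes fString for HTML text while keeping textarea layout: a space
' becomes &nbsp;, a blank line becomes a paragraph break and a single
' LF becomes <BR>; CR is dropped first so CRLF input acts as LF.
' Fix: "&" was not escaped, so a user-typed "&lt;" reached the page as
' a live entity and the output could not be decoded unambiguously; it
' is now replaced first. A local is used so the caller's ByRef variable
' is not overwritten. Null returns Empty, as before.
dim text
if isnull(fString) then exit function
text = fString
    text = replace(text, "&", "&amp;")
    text = replace(text, ">", "&gt;")
    text = replace(text, "<", "&lt;")

    text = Replace(text, CHR(32), "&nbsp;")
    text = Replace(text, CHR(34), "&quot;")
    text = Replace(text, CHR(39), "&#39;")
    text = Replace(text, CHR(13), "")
    text = Replace(text, CHR(10) & CHR(10), "</P><P> ")
    text = Replace(text, CHR(10), "<BR> ")
    HTMLEncode = text
end function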

输出时只要写上HTMLEncode(rs("content"))

 

  