论坛交流
首页办公自动化| 网页制作| 平面设计| 动画制作| 数据库开发| 程序设计| 全部视频教程
应用视频: Windows | Word2007 | Excel2007 | PowerPoint2007 | Dreamweaver 8 | Fireworks 8 | Flash 8 | Photoshop cs | CorelDraw 12
编程视频: C语言视频教程 | HTML | Div+Css布局 | Javascript | Access数据库 | Asp | Sql Server数据库Asp.net  | Flash AS
当前位置 > 文字教程 > Asp教程
Tag:入门,文摘,实例,技巧,iis,表单,对象,上传,数据库,记录集,session,cookies,存储过程,注入,分页,安全,优化,xmlhttp,fso,jmail,application,防盗链,stream,组件,md5,乱码,缓存,加密,验证码,算法,ubb,正则表达式,水印,,日志,压缩,url重写,控件,函数,破解,触发器,socket,ADO,初学,聊天室,留言本,视频教程

Ewebeditor和fckeditork编辑器单引号过滤

文章类别:Asp | 发表日期:2010-4-12 9:19:43

    Ewebeditor及fckeditork,90%的网站都是采用这两种编辑器作为产品或者内容的说明部分的编辑窗口,近日,一客户的外贸站点基本上快完工了,因客户产品分类多,故而让客户自己在后台添加产品,但是客户反映,在后台添加产品时,如果产品说明内容太过复杂的话,产品怎么也添加不入数据库中。

    当时,我们也好生郁闷,这到底怎么回事,我们亲自测试后台添加任意的产品或者文字都能成功,偏偏他就不行,在网站搜索了相关的如“Ewebeditor 不能添加到数据库”,似乎找到了一点答案,因Ewebeditor自身没对单引号过滤,导致了添加不到数据库的问题。于是乎,我们把编辑器换成了fckeditork,可是还是不行,那是Ewebeditor及fckeditork自带的不完善导致的吗?为什么一个简单的单引号会引发不能添加到数据库呢,想到这里,我们想到了分析下入库代码,我们采用的是SQL=insert into product(title,content) values(' " &request("title")& "' ,' "&request("content")& " ' )的写法,于是我们找到客户当时COPY进编辑器里的内容,发现,果然这内容中包括有单引号,原来,正是由于客户提交到编辑器里的内容中含有单引号,导致我们的SQL语句变化了,相当于原来是SQL=insert into product(title,content) values('内容' ,'内容' )变成了SQL=insert into product(title,content) values(' 内容' ,' 内容'' ),我们细看就知道,就因为这content里多了个单引号,SQL语句发生的严重的写法错误,但是,我们也奇怪,既然他写法错误,为什么SQL语句不给出错误提示呢,竟然也会提示操作成功,想到这里,我们想到了2003年那几年,普遍的小黑客喜欢用的' or' =' or' 的后台入侵法,是乎正是利用了SQL执行时,没过滤单引号的BUG,导致SQL怎么执行,结果都返回真,呵呵,没想到,原以为写程序尽量图个简单明了,也是个错啊。好了,问题找到了,以后,凡是SQL入库前,我们都把字段过滤后再传值,就不会再出这样的问题了,下面是一个非常完善的SQL安全过滤函数,大家直接拿去就可以调用了。

Function HTMLEncode(Str)
 If Isnull(Str) Then
     HTMLEncode = ""
     Exit Function
 End If
 Str = Replace(Str,Chr(0),"", 1, -1, 1)
 Str = Replace(Str, """", """, 1, -1, 1)
 Str = Replace(Str,"<","&lt;", 1, -1, 1)
 Str = Replace(Str,">","&gt;", 1, -1, 1)
 Str = Replace(Str, "script", "&#115;cript", 1, -1, 0)
 Str = Replace(Str, "SCRIPT", "&#083;CRIPT", 1, -1, 0)
 Str = Replace(Str, "Script", "&#083;cript", 1, -1, 0)
 Str = Replace(Str, "script", "&#083;cript", 1, -1, 1)
 Str = Replace(Str, "object", "&#111;bject", 1, -1, 0)
 Str = Replace(Str, "OBJECT", "&#079;BJECT", 1, -1, 0)
 Str = Replace(Str, "Object", "&#079;bject", 1, -1, 0)
 Str = Replace(Str, "object", "&#079;bject", 1, -1, 1)
 Str = Replace(Str, "applet", "&#097;pplet", 1, -1, 0)
 Str = Replace(Str, "APPLET", "&#065;PPLET", 1, -1, 0)
 Str = Replace(Str, "Applet", "&#065;pplet", 1, -1, 0)
 Str = Replace(Str, "applet", "&#065;pplet", 1, -1, 1)
 Str = Replace(Str, "[", "&#091;")
 Str = Replace(Str, "]", "&#093;")
 Str = Replace(Str, """", "", 1, -1, 1)
 Str = Replace(Str, "=", "&#061;", 1, -1, 1)
 Str = Replace(Str, "'", "''", 1, -1, 1)
 Str = Replace(Str, "select", "sel&#101;ct", 1, -1, 1)
 Str = Replace(Str, "execute", "&#101xecute", 1, -1, 1)
 Str = Replace(Str, "exec", "&#101xec", 1, -1, 1)
 Str = Replace(Str, "join", "jo&#105;n", 1, -1, 1)
 Str = Replace(Str, "union", "un&#105;on", 1, -1, 1)
 Str = Replace(Str, "where", "wh&#101;re", 1, -1, 1)
 Str = Replace(Str, "insert", "ins&#101;rt", 1, -1, 1)
 Str = Replace(Str, "delete", "del&#101;te", 1, -1, 1)
 Str = Replace(Str, "update", "up&#100;ate", 1, -1, 1)
 Str = Replace(Str, "like", "lik&#101;", 1, -1, 1)
 Str = Replace(Str, "drop", "dro&#112;", 1, -1, 1)
 Str = Replace(Str, "create", "cr&#101;ate", 1, -1, 1)
 Str = Replace(Str, "rename", "ren&#097;me", 1, -1, 1)
 Str = Replace(Str, "count", "co&#117;nt", 1, -1, 1)
 Str = Replace(Str, "chr", "c&#104;r", 1, -1, 1)
 Str = Replace(Str, "mid", "m&#105;d", 1, -1, 1)
 Str = Replace(Str, "truncate", "trunc&#097;te", 1, -1, 1)
 Str = Replace(Str, "nchar", "nch&#097;r", 1, -1, 1)
 Str = Replace(Str, "char", "ch&#097;r", 1, -1, 1)
 Str = Replace(Str, "alter", "alt&#101;r", 1, -1, 1)
 Str = Replace(Str, "cast", "ca&#115;t", 1, -1, 1)
 Str = Replace(Str, "exists", "e&#120;ists", 1, -1, 1)
 Str = Replace(Str,Chr(13),"<br>", 1, -1, 1)
 HTMLEncode = Replace(Str,"'","''", 1, -1, 1)
End Function

 

 

视频教程列表
文章教程搜索
 
Asp推荐教程
Asp热门教程
看全部视频教程
购买方式/价格
购买视频教程: 咨询客服
tel:15972130058