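<%
'===================================================================
'= ASP FILENAME   : /inc/inc_form.asp
'= CREATED TIME   : 2006-5-3
'= LAST MODIFIED  : 2006-5-3
'= VERSION INFO   : CCASP Framework Ver 2.0.1 ALL RIGHTS RESERVED BY www.cclinux.com
'= DESCRIPTION    : Form / string handling functions
'= Change Log:
'=   2006-7-20  added SQL-injection screening of submitted form data
'===================================================================
'
' NOTE(review): in this copy of the file the entity text inside string
' literals (e.g. "&gt;", "&nbsp;") had been decoded back to the bare
' character, which turned every encoder below into a no-op such as
' Replace(s, ">", ">").  The conventional entities are restored here; the
' few replacement targets whose exact text could not be recovered are
' marked with a TODO and should be confirmed against the original source.
' These helpers produce output for an HTML *body* context; inHTML() is the
' one intended for a double-quoted attribute value.

'===================================================================
'= Function    : HTMLEncode()
'= Time        : Created At SEP,21,2003
'= Input       : The String That You Want To Transfer
'= Description : Encode a string for display inside HTML body content.
'=               Escapes < > " ' , turns whitespace into &nbsp;, drops CR,
'=               and maps LF / double-LF to <BR> / </P><P>.
'=               Null input yields "".
'=               "&" is intentionally NOT encoded (original behaviour, so
'=               already-encoded text from the database is not doubled);
'=               callers needing strict encoding should use inHTML().
'===================================================================
Function HTMLEncode(strInStr)
    If IsNull(strInStr) Then
        HTMLEncode = ""
        Exit Function
    End If
    strInStr = Replace(strInStr, ">", "&gt;")
    strInStr = Replace(strInStr, "<", "&lt;")
    strInStr = Replace(strInStr, Chr(32), "&nbsp;")
    ' TODO(review): tab width lost in this copy (shown as one blank); confirm whether the original emitted several &nbsp;
    strInStr = Replace(strInStr, Chr(9), "&nbsp;")
    strInStr = Replace(strInStr, Chr(34), "&quot;")
    strInStr = Replace(strInStr, Chr(39), "&#39;")
    strInStr = Replace(strInStr, Chr(13), "")
    ' an empty line becomes a paragraph break, a single LF a line break
    strInStr = Replace(strInStr, Chr(10) & Chr(10), "</P><P> ")
    strInStr = Replace(strInStr, Chr(10), "<BR> ")
    'strInStr = ChkBadWords(strInStr)
    HTMLEncode = strInStr
End Function

'====================================================================
'= Function    : FilterHtml(str)
'= Time        : Created At SEP,21,2003
'= Input       : The String That You Want To Filter
'= Description : Reverse of the line-break / space encoding: <br> (any
'=               case) becomes CR and &nbsp; becomes a plain space.
'=               Null, Empty or blank input yields "".
'=               Note: this does NOT decode &lt; &gt; &quot;.
'====================================================================
Function FilterHtml(str)
    Dim strContent
    If IsNull(str) Or IsEmpty(str) Then
        FilterHtml = ""
        Exit Function
    End If
    If Trim(str) = "" Then
        FilterHtml = ""
        Exit Function
    End If
    ' one case-insensitive pass covers both "<br>" and "<BR>" of the original
    strContent = Replace(str, "<br>", Chr(13), 1, -1, vbTextCompare)
    strContent = Replace(strContent, "&nbsp;", " ")
    FilterHtml = strContent
End Function

' HtmlEncode2 - character-by-character HTML encoder.
'   Escapes < > & " , CR -> <br>, tab -> &nbsp;.  A space that touches
'   another space or tab (or sits at either end of the string) becomes
'   &nbsp; so runs of whitespace survive rendering; a lone space between
'   two non-blank characters stays a normal space.  LF is passed through.
'   Null input yields "".
Function HtmlEncode2(str)
    Dim result, l, i, ch, prevIsBlank, nextIsBlank
    If IsNull(str) Then
        HtmlEncode2 = ""
        Exit Function
    End If
    l = Len(str)
    result = ""
    For i = 1 To l
        ch = Mid(str, i, 1)
        Select Case ch
            Case "<"
                result = result & "&lt;"
            Case ">"
                result = result & "&gt;"
            Case Chr(13)
                result = result & "<br>"
            Case Chr(34)
                result = result & "&quot;"
            'Case Chr(10)
            '    result = result & "<br>"
            Case "&"
                result = result & "&amp;"
            Case Chr(32)
                If i + 1 <= l And i - 1 > 0 Then
                    prevIsBlank = (Mid(str, i - 1, 1) = Chr(32) Or Mid(str, i - 1, 1) = Chr(9))
                    nextIsBlank = (Mid(str, i + 1, 1) = Chr(32) Or Mid(str, i + 1, 1) = Chr(9))
                    If prevIsBlank Or nextIsBlank Then
                        result = result & "&nbsp;"
                    Else
                        result = result & " "
                    End If
                Else
                    ' first or last character of the string
                    result = result & "&nbsp;"
                End If
            Case Chr(9)
                ' TODO(review): tab width lost in this copy; confirm against the original
                result = result & "&nbsp;"
            Case Else
                result = result & ch
        End Select
    Next
    HtmlEncode2 = result
End Function

' htmlEncode3 - minimal encoder: escapes only > < and the double quote.
'   Strings of length 0, and Null (Len(Null) is Null, so the test is
'   False), are returned unchanged.  "&" and "'" are left as-is.
Function htmlEncode3(str)
    If Len(str) > 0 Then
        htmlEncode3 = Replace(Replace(Replace(str, ">", "&gt;"), "<", "&lt;"), Chr(34), "&quot;")
    Else
        htmlEncode3 = str
    End If
End Function

' PrintTrueText - HTMLEncode() plus line-break / leading-space fix-ups so
'   that text keeps its visual layout when printed.  Null or "" yields "".
'   TODO(review): the entity text of the three whitespace Replace() calls
'   was lost in this copy; the forms below are the conventional
'   reconstruction and should be confirmed against the original file.
Function PrintTrueText(tempString)
    Dim strOut
    If IsNull(tempString) Then
        PrintTrueText = ""
        Exit Function
    End If
    If tempString = "" Then
        PrintTrueText = ""
        Exit Function
    End If
    strOut = HTMLEncode(tempString)
    strOut = Replace(strOut, vbCrLf & "&nbsp;", "<br>" & "&nbsp;")
    strOut = Replace(strOut, vbCrLf, "<br>" & vbCrLf)
    strOut = Replace(strOut, "  ", "&nbsp; ")
    strOut = Replace(strOut, "  ", " &nbsp;")
    strOut = Replace(strOut, Chr(9), "&nbsp;")
    ' a leading plain space would be collapsed by the browser; pin it
    If Left(strOut, 1) = Chr(32) Then
        strOut = "&nbsp;" & Mid(strOut, 2)
    End If
    PrintTrueText = strOut
End Function

' ============================================
' Encode a database value for use inside an <input value="..."> attribute.
' Note: the attribute MUST be written with double quotes, since only the
' double quote is escaped here (the single quote is not).
' "&" is escaped first so that the entities emitted afterwards are not
' re-escaped.  Null yields "".
' ============================================
Function inHTML(str)
    Dim sTemp
    inHTML = ""
    If IsNull(str) Then
        Exit Function
    End If
    sTemp = str
    sTemp = Replace(sTemp, "&", "&amp;")
    sTemp = Replace(sTemp, "<", "&lt;")
    sTemp = Replace(sTemp, ">", "&gt;")
    sTemp = Replace(sTemp, Chr(34), "&quot;")
    inHTML = sTemp
End Function

'== Normalise a submitted form value (currently: strip surrounding blanks)
Function FmtFormData(value)
    FmtFormData = Trim(value)
End Function

'== Copy submitted form fields into a Form dictionary object.
'   strFormName : "|"-separated list of Request.Form field names.
'   objFormData : object exposing .Item(key); receives one entry per field,
'                 keyed by the field name with its first three characters
'                 (a naming prefix) removed.  A name of three characters or
'                 fewer is used unchanged instead of raising an error.
'   No return value.
Function CnvFormData(strFormName, ByRef objFormData)
    Dim arrFormName, i, strFieldName, strValueName
    arrFormName = Split(strFormName, "|")
    For i = LBound(arrFormName) To UBound(arrFormName)
        strFieldName = arrFormName(i)
        If Len(strFieldName) > 3 Then
            strValueName = Right(strFieldName, Len(strFieldName) - 3)
        Else
            strValueName = strFieldName
        End If
        objFormData.Item(strValueName) = FmtFormData(Request.Form(strFieldName))
    Next
    Erase arrFormName
End Function

'== Read an ID parameter from the request and validate it.
'   strFormName : parameter name; Request(name) searches QueryString, Form,
'                 Cookies and ServerVariables in that order, so the value
'                 may come from any of them.
'   strAddInfo  : context text passed to DataCheck / the error handler.
'   id          : receives the validated value on success.
'   Returns True on success; on failure reports E_DATA_PUB through
'   GBL_objException and returns False (id untouched).
'   DataCheck("DT_ID", ...) is assumed to return True when the value is
'   INVALID, since that branch rejects the value - confirm in DataCheck.
Function GetPostIdValue(strFormName, strAddInfo, ByRef id)
    Dim value
    value = FmtFormData(Request(strFormName))
    If DataCheck("DT_ID", value, strAddInfo, Null) Then
        GetPostIdValue = False
        Call GBL_objException.catchErr(E_DATA_PUB, strAddInfo)
        Exit Function
    End If
    id = value
    GetPostIdValue = True
End Function

'== Scan every field of one request collection (Request.Form or
'   Request.QueryString) for the blacklisted substrings in arrBadWords.
'   On the first hit: report E_USER_PUB, run ActionOver() and end the
'   response, so this does not return to the caller in that case.
'   Matching is case-insensitive (the original Instr() default was
'   binary, so upper-case variants of the list slipped through).
Sub ScanFieldsForBadWords(objFields, arrBadWords)
    Dim i, items, strVal
    For i = 0 To UBound(arrBadWords)
        For Each items In objFields
            strVal = objFields(items)
            If InStr(1, strVal, arrBadWords(i), vbTextCompare) <> 0 Then
                Call GBL_objException.catchErr(E_USER_PUB, "对不起,你所填写的信息含非法字符(" & arrBadWords(i) & ")!")
                Call ActionOver()
                Response.End()
            End If
        Next
    Next
End Sub

'== Reject submissions whose form or query-string fields contain a
'   blacklisted substring.
'   This is a keyword blacklist: it only catches the exact substrings
'   listed, and several entries ("from", "count", "mid", "asc", "char")
'   also match ordinary text, so legitimate input can be refused.  Treat it
'   as defence in depth only - the query sites still have to quote or
'   parameterise every value they put into SQL.
'   Fixed: the query-string pass previously read Request.Form(items)
'   instead of Request.QueryString(items), so query-string values were
'   never actually inspected.
Function ForSqlForm()
    Dim noth, nothis
    noth = "exe"
    noth = noth & "|" & "net user"
    noth = noth & "|" & "xp_cmdshell"
    noth = noth & "|" & "/add"
    noth = noth & "|" & "exec%20master.dbo.xp_cmdshell"
    noth = noth & "|" & "net localgroup administrators"
    'noth = noth & "|" & "select"
    noth = noth & "|" & "count"
    noth = noth & "|" & "asc"
    noth = noth & "|" & "char"
    noth = noth & "|" & "mid"
    noth = noth & "|" & "execute"
    'noth = noth & "|" & ":"
    'noth = noth & "|" & """"
    noth = noth & "|" & "insert"
    noth = noth & "|" & "delete"
    noth = noth & "|" & "drop"
    noth = noth & "|" & "truncate"
    noth = noth & "|" & "from"
    noth = noth & "|" & "<%"
    ' split into two pieces so the literal does not terminate this ASP block
    noth = noth & "|" & "%" & ">"
    'noth = noth & "|" & " or "
    nothis = Split(noth, "|")
    Call ScanFieldsForBadWords(Request.Form, nothis)
    Call ScanFieldsForBadWords(Request.QueryString, nothis)
End Function

'====================================================================
'= Function    : CheckPageSubmit()
'= Time        : Created At Apr,2006-7-20
'= Input       : None
'= Output      : None
'= Return      : true or false
'= Description : Reject submissions whose HTTP_REFERER host is not this
'=               server (SERVER_NAME).
'=               The host is taken as the text between "://" and the first
'=               "/", "?" or "#", minus any user-info and port, and compared
'=               case-insensitively with the whole of SERVER_NAME.  The
'=               original compared only Len(SERVER_NAME) characters starting
'=               at position 8, which assumed an "http://" prefix (so every
'=               https referer was rejected) and accepted any host that
'=               merely began with the server name.
'=               An empty referer is still accepted, as before, because
'=               browsers and proxies may strip the header; the header is
'=               also client-supplied, so this check is advisory only and is
'=               not a substitute for a per-session form token.
'====================================================================
Function CheckPageSubmit()
    Dim strPrePage, strLocalSvr, strHost, intPos, arrStop, j
    strPrePage = CStr(Request.ServerVariables("HTTP_REFERER"))
    strLocalSvr = CStr(Request.ServerVariables("SERVER_NAME"))
    If strPrePage = "" Then
        CheckPageSubmit = True
        Exit Function
    End If
    intPos = InStr(1, strPrePage, "://", vbTextCompare)
    If intPos = 0 Then
        ' not an absolute URL; cannot be an on-site page
        CheckPageSubmit = False
        Exit Function
    End If
    strHost = Mid(strPrePage, intPos + 3)
    ' cut the authority part off at the start of the path / query / fragment
    arrStop = Array("/", "?", "#")
    For j = 0 To UBound(arrStop)
        intPos = InStr(strHost, arrStop(j))
        If intPos > 0 Then strHost = Left(strHost, intPos - 1)
    Next
    ' drop "user:pass@" if present
    intPos = InStrRev(strHost, "@")
    If intPos > 0 Then strHost = Mid(strHost, intPos + 1)
    ' drop ":port"; SERVER_NAME carries no port
    intPos = InStr(strHost, ":")
    If intPos > 0 Then strHost = Left(strHost, intPos - 1)
    CheckPageSubmit = (StrComp(strHost, strLocalSvr, vbTextCompare) = 0)
End Function
%>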