
    <%
'===================================================================
'= ASP FILENAME	: /inc/inc_form.asp
'= CREATED TIME : 2006-5-3
'= LAST MODIFIED: 2006-5-3
'= VERSION INFO : CCASP Framework Ver 2.0.1 ALL RIGHTS RESERVED BY www.cclinux.com
'= DESCRIPTION  : 表单/字符处理函数
'= Change Log:
'= 2006-7-20 增加表单提交中的sql注入校验
'===================================================================
'===================================================================
'= Function     : HTMLEncode() 
'= Time		    : Created At SEP,21,2003
'= Input        : The String That You Want To Transfer
'= Description  : Escape Some Special Characters In The String For HTML Output
'===================================================================
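Function HTMLEncode(strInStr)
	' Escape a string for display inside an HTML body and return the result.
	' Works on a private copy: VBScript passes arguments ByRef by default, so
	' reassigning strInStr itself overwrote the caller's variable (PrintTrueText
	' below passes its own argument straight through, so the caller of
	' PrintTrueText saw its string rewritten too).
	' Returns "" for Null. "&" is not encoded here, so entities already present
	' in the input survive unchanged; inHTML() in this file is the variant that
	' also encodes "&".
	Dim strOut

	If IsNull(strInStr) Then
		HTMLEncode = ""
		Exit Function
	End If

	strOut = strInStr
	strOut = Replace(strOut, ">", "&gt;")
	strOut = Replace(strOut, "<", "&lt;")

	' Every space and tab becomes a non-breaking space so whitespace stays visible.
	strOut = Replace(strOut, Chr(32), "&nbsp;")
	strOut = Replace(strOut, Chr(9), "&nbsp;")
	strOut = Replace(strOut, Chr(34), "&quot;")
	strOut = Replace(strOut, Chr(39), "&#39;")

	' Line endings: CR is dropped, a blank line becomes a paragraph break,
	' a single LF becomes a line break.
	strOut = Replace(strOut, Chr(13), "")
	strOut = Replace(strOut, Chr(10) & Chr(10), "</P><P> ")
	strOut = Replace(strOut, Chr(10), "<BR> ")

	'strOut = ChkBadWords(strOut)
	HTMLEncode = strOut
End Function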
'====================================================================
'= Function     : FilterHtml(str)
'= Time		    : Created At SEP,21,2003
'= Input        : The String That You Want To Filter
'= Description  : Undo Simple HTML Formatting (<br>, &nbsp;) In The String
'====================================================================
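Function FilterHtml(str)
	' Reverse the display-oriented encoding for editing: <br> tags (any letter
	' case) become CR and "&nbsp;" becomes a plain space.
	' Returns "" for Null, Empty or a blank string. No other markup is removed,
	' so the result must be re-encoded before it is rendered again.
	Dim strContent

	' IsNull/IsEmpty are checked on their own first; VBScript does not
	' short-circuit "Or", so the Trim test is kept in a separate statement.
	If IsNull(str) Or IsEmpty(str) Then
		FilterHtml = ""
		Exit Function
	End If
	If Trim(str) = "" Then
		FilterHtml = ""
		Exit Function
	End If

	' vbTextCompare covers <br>, <BR> and mixed-case spellings in one pass
	' (the previous two case-sensitive passes missed e.g. <Br>).
	strContent = Replace(str, "<br>", Chr(13), 1, -1, vbTextCompare)
	strContent = Replace(strContent, "&nbsp;", " ")
	FilterHtml = strContent
End Function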

Function HtmlEncode2(str)
	' Character-by-character HTML encoder: escapes < > & and the double quote,
	' turns CR into <br>, expands a tab to four spaces, and writes a space as
	' &nbsp; when it is at either end of the string or next to another space
	' or tab (so runs of whitespace stay visible). LF and the single quote
	' pass through unchanged. Returns "" for Null.
	Dim strOut, strLen, pos, ch, prevCh, nextCh

	If IsNull(str) Then
		HtmlEncode2 = ""
		Exit Function
	End If

	strOut = ""
	strLen = Len(str)
	For pos = 1 To strLen
		ch = Mid(str, pos, 1)
		Select Case ch
			Case "<"
				strOut = strOut & "&lt;"
			Case ">"
				strOut = strOut & "&gt;"
			Case "&"
				strOut = strOut & "&amp;"
			Case Chr(34)
				strOut = strOut & "&quot;"
			Case Chr(13)
				strOut = strOut & "<br>"
			Case Chr(9)
				strOut = strOut & "    "
			Case Chr(32)
				' A space with no neighbour on one side is always non-breaking.
				If pos = 1 Or pos = strLen Then
					strOut = strOut & "&nbsp;"
				Else
					prevCh = Mid(str, pos - 1, 1)
					nextCh = Mid(str, pos + 1, 1)
					If prevCh = Chr(32) Or prevCh = Chr(9) Or nextCh = Chr(32) Or nextCh = Chr(9) Then
						strOut = strOut & "&nbsp;"
					Else
						strOut = strOut & " "
					End If
				End If
			Case Else
				strOut = strOut & ch
		End Select
	Next

	HtmlEncode2 = strOut
End Function

Function htmlEncode3(str)
	' Minimal encoder for > < and the double quote; "&" is left as-is.
	' A value for which Len(str) > 0 does not hold (empty string, Empty, Null)
	' is returned unchanged.
	Dim strOut

	strOut = str
	If Len(strOut) > 0 Then
		strOut = Replace(strOut, ">", "&gt;")
		strOut = Replace(strOut, "<", "&lt;")
		strOut = Replace(strOut, """", "&quot;")
	End If
	htmlEncode3 = strOut
End Function
Function PrintTrueText(tempString)
	' Render text for display: HTMLEncode() first, then CRLF to <br> and runs
	' of spaces / tabs to visible " &nbsp;" sequences; a leading space becomes
	' &nbsp;. Returns "" for "" (and for Null, since Null <> "" is not true).
	' NOTE(review): HTMLEncode() above already removes CHR(13), turns CHR(10)
	' into "<BR> " and replaces every space and tab with &nbsp;, so the
	' VbCrLf / multi-space / tab replacements below appear never to match on
	' its output - confirm before relying on them.
	Dim strOut

	If tempString <> "" Then
		strOut = htmlEncode(tempString)
		strOut = Replace(strOut, VbCrLf & " ", "<br>" & "&nbsp;")
		strOut = Replace(strOut, VbCrLf, "<br>" & VbCrLf)
		strOut = Replace(strOut, "   ", " &nbsp; ")
		strOut = Replace(strOut, "  ", " &nbsp;")
		strOut = Replace(strOut, Chr(9), " &nbsp; &nbsp; &nbsp;")

		If Left(strOut, 1) = Chr(32) Then
			strOut = "&nbsp;" & Mid(strOut, 2)
		End If
		PrintTrueText = strOut
	Else
		PrintTrueText = ""
	End If

End Function

' ============================================
' 去除Html格式,用于从数据库中取出值填入输入框时
' 注意:value="?"这边一定要用双引号
' ============================================
Function inHTML(str)
	' Encode a value for use inside a double-quoted HTML attribute (value="..."):
	' "&" first so the entities introduced afterwards are not double-escaped,
	' then < > and the double quote. The single quote is NOT encoded, so the
	' attribute must be delimited with double quotes. Returns "" for Null.
	Dim pairs, k, strOut

	If IsNull(str) Then
		inHTML = ""
		Exit Function
	End If

	' Order matters: "&" is handled before any "&..." entity is produced.
	pairs = Array("&", "&amp;", "<", "&lt;", ">", "&gt;", Chr(34), "&quot;")
	strOut = str
	For k = 0 To UBound(pairs) Step 2
		strOut = Replace(strOut, pairs(k), pairs(k + 1))
	Next
	inHTML = strOut
End Function

'== 输入数据格式化函数
Function FmtFormData(value)
	' Normalise a raw form value by stripping leading and trailing blanks.
	' Trimming Null yields Null, so a missing field propagates as Null.
	FmtFormData = LTrim(RTrim(value))
End Function

'== 输入表单数据赋值到Form对象
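Function CnvFormData(strFormName,ByRef objFormData)
	' Copy posted fields into objFormData. strFormName is a "|"-separated list
	' of form field names; each value is stored under the field name with its
	' first three characters removed (presumably a type prefix - confirm
	' against callers), after passing through FmtFormData().
	' Mid(name, 4) yields "" for a name shorter than four characters, where
	' Right(name, Len(name) - 3) raised "Invalid procedure call" once the
	' length went negative.
	' Only the fields named in strFormName are copied, so the caller - not the
	' client - decides which posted values reach objFormData.
	Dim arrFormName, i, strFieldName, strValueName

	arrFormName = Split(strFormName, "|")
	For i = LBound(arrFormName) To UBound(arrFormName)
		strFieldName = arrFormName(i)
		strValueName = Mid(strFieldName, 4)
		objFormData.Item(strValueName) = FmtFormData(Request.Form(strFieldName))
	Next
	Erase arrFormName
End Function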

'== 取得输入表单中的ID参数
Function GetPostIdValue(strFormName,strAddInfo,ByRef id)
	' Read a record id from the request and validate it with DataCheck("DT_ID").
	' On success id receives the trimmed value and True is returned; otherwise
	' an E_DATA_PUB error is recorded through GBL_objException, id is left
	' untouched and False is returned.
	' Request(strFormName) searches every request collection (query string,
	' form, cookies, ...), not only the posted form.
	Dim strRaw

	strRaw = FmtFormData(Request(strFormName))
	If DataCheck("DT_ID", strRaw, strAddInfo, NULL) Then
		Call GBL_objException.catchErr(E_DATA_PUB, strAddInfo)
		GetPostIdValue = False
	Else
		id = strRaw
		GetPostIdValue = True
	End If
End Function

'== 过滤提交表单中的不安全字符
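Function ForSqlForm()
	' Reject the request when any posted form field or query-string parameter
	' contains one of the blacklisted substrings below: an E_USER_PUB error is
	' recorded, ActionOver() runs and the response is ended.
	' Two fixes versus the previous version: the query-string loop compared
	' Request.Form(items) while iterating Request.QueryString, so query-string
	' values were never actually inspected; and matching is now
	' case-insensitive, since SQL keywords are, so "INSERT" no longer passes a
	' lowercase pattern.
	' NOTE(review): several patterns are plain word fragments ("asc", "mid",
	' "from", "count", "char", "exe"), so ordinary text such as "from" or
	' "character" is rejected, while a substring blacklist cannot be relied on
	' as the protection against SQL injection - the queries that consume these
	' values should be parameterised regardless of this filter.

	Dim nothis,noth

	noth = "exe"
	noth = noth & "|" & "net user" 
	noth = noth & "|" & "xp_cmdshell" 
	noth = noth & "|" & "/add" 
	noth = noth & "|" & "exec%20master.dbo.xp_cmdshell" 
	noth = noth & "|" & "net localgroup administrators" 
	'noth = noth & "|" & "select" 
	noth = noth & "|" & "count" 
	noth = noth & "|" & "asc" 
	noth = noth & "|" & "char" 
	noth = noth & "|" & "mid" 
	noth = noth & "|" & "execute" 
	'noth = noth & "|" & ":" 
	'noth = noth & "|" & """" 
	noth = noth & "|" & "insert" 
	noth = noth & "|" & "delete" 
	noth = noth & "|" & "drop" 
	noth = noth & "|" & "truncate" 
	noth = noth & "|" & "from" 
	noth = noth & "|" & "<%"
	noth = noth & "|" & "%" & ">"
	'noth = noth & "|" & " or "

	nothis = Split(noth,"|")

	' Each collection is checked against its own values; Response.End() in
	' the helper stops processing at the first hit.
	Call ForSqlCheckCollection(Request.Form, nothis)
	Call ForSqlCheckCollection(Request.QueryString, nothis)

End Function

'== Helper for ForSqlForm(): abort the request if any value in the request
'== collection colValues contains one of arrPatterns (case-insensitive).
Sub ForSqlCheckCollection(colValues, arrPatterns)
	Dim i,items

	For i = 0 To Ubound(arrPatterns) 
		For Each items In colValues
			If Instr(1, colValues(items), arrPatterns(i), vbTextCompare)<>0 Then 

				Call GBL_objException.catchErr(E_USER_PUB,"对不起,你所填写的信息含非法字符(" & arrPatterns(i) & ")!")

				ActionOver()

				Response.End()

			End If 
		Next
	Next 
End Sub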


'====================================================================
'= Function     : CheckPageSubmit()
'= Time		    : Created At Apr,2006-7-20
'= Input        : None
'= Output       : None
'= Return       : true or false
'= Description  : 防止外部页面数据提交
'====================================================================
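Function CheckPageSubmit()
	' Reject a request whose Referer names a different host than this server
	' (a basic guard against forms submitted from external pages).
	' Returns TRUE when the Referer host equals SERVER_NAME, or when no Referer
	' was sent (kept from the original behaviour: browsers and proxies may
	' strip the header, so an empty value is not treated as hostile here);
	' FALSE otherwise.
	' The previous Mid(referer, 8, Len(server)) comparison assumed a 7-character
	' "http://" scheme, so every https:// referer was rejected, and it was a
	' prefix match, so a referer host that merely starts with SERVER_NAME
	' (e.g. SERVER_NAME followed by further labels) was accepted. The host is
	' now parsed out exactly and compared case-insensitively.
	' NOTE(review): SERVER_NAME can be derived from the request's Host header
	' depending on the site binding - confirm it is fixed in deployment.
	
	Dim strPrePage,strLocalSvr

	strPrePage = Cstr(Request.ServerVariables("HTTP_REFERER"))
	strLocalSvr = Cstr(Request.ServerVariables("SERVER_NAME"))

	If strPrePage = "" Then
		CheckPageSubmit = TRUE
	Else
		CheckPageSubmit = RefererHostMatches(strPrePage, strLocalSvr)
	End If

End Function

'== Helper for CheckPageSubmit(): TRUE when the host part of the absolute URL
'== strUrl (the text between "://" and the first "/", ":", "?" or "#") equals
'== strHost, compared case-insensitively. A URL without "://" never matches.
Function RefererHostMatches(strUrl, strHost)
	Dim posStart, posEnd, strUrlHost, delims, d, p

	RefererHostMatches = FALSE

	posStart = InStr(1, strUrl, "://")
	If posStart = 0 Then
		Exit Function
	End If
	posStart = posStart + 3

	' The host ends at the earliest delimiter after the scheme, else at the end;
	' ":" also stops at a port, and user@ info stays part of the compared text
	' so "user@host" can never equal a bare SERVER_NAME.
	posEnd = Len(strUrl) + 1
	delims = Array("/", ":", "?", "#")
	For Each d In delims
		p = InStr(posStart, strUrl, d)
		If p > 0 And p < posEnd Then posEnd = p
	Next

	strUrlHost = Mid(strUrl, posStart, posEnd - posStart)
	RefererHostMatches = (StrComp(strUrlHost, strHost, vbTextCompare) = 0)
End Function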

%>