华东15选5不开奖

Ewebeditor及fckeditork單引號問題的解決方法

Ewebeditor及fckeditork單引號問題的解決方法,為什么一個簡單的單引號會引發不能添加到數據庫呢,想到這里,我們想到了分析下入庫代碼并找出了原因,下面是解決方法。
關鍵字:Ewebeditor、fckeditork、單引號
Ewebeditor及fckeditor,90%的網站都是采用這兩種編輯器作為產品或者內容的說明部分的編輯窗口,近日,一客戶的外貿站點基本上快完工了,因客戶產品分類多,故而讓客戶自己在后臺添加產品,但是客戶反映,在后臺添加產品時,如果產品說明內容太過復雜的話,產品怎么也添加不入數據庫中。
當時,我們也好生郁悶,這到底怎么回事,我們親自測試后臺添加任意的產品或者文字都能成功,偏偏他就不行,在網站搜索了相關的如“Ewebeditor 不能添加到數據庫”,似乎找到了一點答案,因Ewebeditor自身沒對單引號過濾,導致了添加不到數據庫的問題。于是乎,我們把編輯器換成了fckeditor,可是還是不行,那是Ewebeditor及fckeditor自帶的不完善導致的嗎?為什么一個簡單的單引號會引發不能添加到數據庫呢,想到這里,我們想到了分析下入庫代碼,我們采用的是SQL=insert into product(title,content) values(' " &request("title")& "' ,' "&request("content")& " ' )的寫法,于是我們找到客戶當時COPY進編輯器里的內容,發現,果然這內容中包括有單引號,原來,正是由于客戶提交到編輯器里的內容中含有單引號,導致我們的SQL語句變化了,相當于原來是SQL=insert into product(title,content) values('內容' ,'內容' )變成了SQL=insert into product(title,content) values(' 內容' ,' 內容'' ) ,我們細看就知道,就因為這content里多了個單引號,SQL語句發生的嚴重的寫法錯誤,但是,我們也奇怪,既然他寫法錯誤,為什么SQL語句不給出錯誤提示呢,竟然也會提示操作成功,想到這里,我們想到了2003年那幾年,普遍的小黑客喜歡用的'or'='or'的后臺入侵法,是乎正是利用了SQL執行時,沒過濾單引號的BUG,導致SQL怎么執行,結果都返回真,呵呵,沒想到,原以為寫程序盡量圖個簡單明了,也是個錯啊。好了,問題找到了,以后,凡是SQL入庫前,我們都把字段過濾后再傳值,就不會再出這樣的問題了,下面是一個非常完善的SQL安全過濾函數,大家直接拿去就可以調用了。
復制代碼 代碼如下:

Function HTMLEncode(Str)
If Isnull(Str) Then
HTMLEncode = ""
Exit Function
End If
Str = Replace(Str,Chr(0),"", 1, -1, 1)
Str = Replace(Str, """", """, 1, -1, 1)
Str = Replace(Str,"<","<", 1, -1, 1)
Str = Replace(Str,">",">", 1, -1, 1)
Str = Replace(Str, "script", "script", 1, -1, 0)
Str = Replace(Str, "SCRIPT", "SCRIPT", 1, -1, 0)
Str = Replace(Str, "Script", "Script", 1, -1, 0)
Str = Replace(Str, "script", "Script", 1, -1, 1)
Str = Replace(Str, "object", "object", 1, -1, 0)
Str = Replace(Str, "OBJECT", "OBJECT", 1, -1, 0)
Str = Replace(Str, "Object", "Object", 1, -1, 0)
Str = Replace(Str, "object", "Object", 1, -1, 1)
Str = Replace(Str, "applet", "applet", 1, -1, 0)
Str = Replace(Str, "APPLET", "APPLET", 1, -1, 0)
Str = Replace(Str, "Applet", "Applet", 1, -1, 0)
Str = Replace(Str, "applet", "Applet", 1, -1, 1)
Str = Replace(Str, "[", "[")
Str = Replace(Str, "]", "]")
Str = Replace(Str, """", "", 1, -1, 1)
Str = Replace(Str, "=", "=", 1, -1, 1)
Str = Replace(Str, "'", "''", 1, -1, 1)
Str = Replace(Str, "select", "select", 1, -1, 1)
Str = Replace(Str, "execute", "execute", 1, -1, 1)
Str = Replace(Str, "exec", "exec", 1, -1, 1)
Str = Replace(Str, "join", "join", 1, -1, 1)
Str = Replace(Str, "union", "union", 1, -1, 1)
Str = Replace(Str, "where", "where", 1, -1, 1)
Str = Replace(Str, "insert", "insert", 1, -1, 1)
Str = Replace(Str, "delete", "delete", 1, -1, 1)
Str = Replace(Str, "update", "update", 1, -1, 1)
Str = Replace(Str, "like", "like", 1, -1, 1)
Str = Replace(Str, "drop", "drop", 1, -1, 1)
Str = Replace(Str, "create", "create", 1, -1, 1)
Str = Replace(Str, "rename", "rename", 1, -1, 1)
Str = Replace(Str, "count", "count", 1, -1, 1)
Str = Replace(Str, "chr", "chr", 1, -1, 1)
Str = Replace(Str, "mid", "mid", 1, -1, 1)
Str = Replace(Str, "truncate", "truncate", 1, -1, 1)
Str = Replace(Str, "nchar", "nchar", 1, -1, 1)
Str = Replace(Str, "char", "char", 1, -1, 1)
Str = Replace(Str, "alter", "alter", 1, -1, 1)
Str = Replace(Str, "cast", "cast", 1, -1, 1)
Str = Replace(Str, "exists", "exists", 1, -1, 1)
Str = Replace(Str,Chr(13),"<br>", 1, -1, 1)
HTMLEncode = Replace(Str,"'","''", 1, -1, 1)
End Function
华东15选5不开奖
欢乐捕鱼人赢话费正版 排三今天最新推荐号码预测 明日篮彩推荐预测分析 分分彩 捕鱼大富翁鱼币换红包 陕西快乐10分钟横屏 历年双色球亿元大奖号码 七星彩推荐 大赢家足球比分直播 女生在杭州做什么赚钱