非法字符是黑客攻击的常见手段
最常见的就是利用 SQL 语句：
例如 select * from usertable where user='xxx' and psw='xxx'，把 xxx 写成 ' or '1'='1。
所以单引号是十分危险的符号；另外 %、@、# 也都是可能被利用的字符。
最常见的就是利用 SQL 语句：
例如 select * from usertable where user='xxx' and psw='xxx'，把 xxx 写成 ' or '1'='1。
所以单引号是十分危险的符号；另外 %、@、# 也都是可能被利用的字符。
把 &、%、<、>、[、]、{、}、,、. 全部 replace 掉。（注意：字符替换只是辅助手段，防止 SQL 注入的根本办法是使用参数化查询。）
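/// <summary>
/// Converts a user-supplied string so it can be stored and displayed: single
/// quotes are doubled (SQL-style escaping), the characters " &lt; &gt; are
/// HTML-encoded, and line breaks become &lt;br/&gt;.
/// </summary>
/// <remarks>
/// Doubling <c>'</c> only has an effect when the result is concatenated into a
/// SQL string; it is not a substitute for parameterized queries. <c>&amp;</c>
/// is deliberately left untouched (as in the original), so input that already
/// contains an entity such as <c>&amp;lt;</c> cannot be distinguished from an
/// encoded <c>&lt;</c> by <c>ConvertOutputText</c>.
/// A Windows line break ("\r\n") is converted to a single <c>&lt;br/&gt;</c>;
/// a lone "\n" or "\r" also becomes one <c>&lt;br/&gt;</c>.
/// </remarks>
/// <param name="inputString">The user-supplied string; may be null or empty.</param>
/// <returns>The converted text, or an empty string when <paramref name="inputString"/> is null or empty.</returns>
public static string ConvertInputText(string inputString)
{
    // Null or blank input yields an empty string rather than throwing.
    if (string.IsNullOrEmpty(inputString))
    {
        return string.Empty;
    }

    StringBuilder retVal = new StringBuilder(inputString.Length);

    // Convert the harmful symbols here as well, in case the regular-expression
    // validators in front of this code are changed.
    foreach (char c in inputString)
    {
        switch (c)
        {
            case '\'':
                retVal.Append("''"); // SQL-style quote doubling
                break;
            case '"':
                retVal.Append("&quot;");
                break;
            case '<':
                retVal.Append("&lt;");
                break;
            case '>':
                retVal.Append("&gt;");
                break;
            default:
                retVal.Append(c);
                break;
        }
    }

    // Replace line breaks with HTML line breaks. "\r\n" is handled first so a
    // Windows line break produces one <br/> instead of two.
    retVal.Replace("\r\n", "<br/>");
    retVal.Replace("\n", "<br/>");
    retVal.Replace("\r", "<br/>");

    return retVal.ToString();
}
/// <summary>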
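/// Restores a string that was encoded by <c>ConvertInputText</c>, e.g. to fill
/// an edit text box for updating.
/// </summary>
/// <remarks>
/// Only the HTML part of the encoding is undone: <c>&lt;br/&gt;</c> becomes
/// "\n" and the <c>&amp;quot;</c>, <c>&amp;lt;</c> and <c>&amp;gt;</c> entities
/// become their characters. "\r" is never restored, so a round trip normalizes
/// line breaks to "\n". The doubled single quote produced by
/// <c>ConvertInputText</c> is not collapsed here — presumably because the value
/// has already passed through the database, which stores a single quote;
/// verify against the caller before relying on that.
/// </remarks>
/// <param name="outputString">A string previously encoded by <c>ConvertInputText</c>; may be null or empty.</param>
/// <returns>The decoded text, or an empty string when <paramref name="outputString"/> is null or empty.</returns>
public static string ConvertOutputText(string outputString)
{
    // Null or blank input yields an empty string rather than throwing.
    if (string.IsNullOrEmpty(outputString))
    {
        return string.Empty;
    }

    StringBuilder retVal = new StringBuilder(outputString);

    // Replace HTML line breaks with text line breaks.
    retVal.Replace("<br/>", "\n");

    // Undo the entity encoding applied by ConvertInputText.
    retVal.Replace("&quot;", "\"");
    retVal.Replace("&lt;", "<");
    retVal.Replace("&gt;", ">");

    return retVal.ToString();
}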
' Anti-hotlink check: compares the characters of From_url from position 8 onward
' (presumably skipping an "http://" prefix — confirm where From_url is assigned;
' from the name and purpose it looks like the request's Referer) with Serv_url
' and ends the response when they differ.
' NOTE(review): this is a prefix match of len(Serv_url) characters and is
' case-sensitive, so any URL whose text after the first 7 characters starts
' with Serv_url is accepted, and an https:// URL or a differently-cased host
' is rejected. If From_url comes from a request header the client chooses its
' value, so treat this as a hotlink deterrent, not as access control.
if mid(From_url,8,len(Serv_url)) <> Serv_url then
response.write "非法链接!" ' prevent hotlinking: reject the request
response.end
end if