<%
session.CodePage=936
Response.Charset="gb2312"
SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = split(SQL_Injdata,"|")
If Request.QueryString<>"" Then
For Each SQL_Get In Request.QueryString
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then
Response.Write "<Script Language=JavaScript>alert('请勿提交非法数据!');history.back(-1)</Script>"
Response.end
end if
next
Next
End If
If Request.Form<>"" Then
For Each Sql_Post In Request.Form
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 Then
Response.Write "<Script Language=JavaScript>alert('请勿提交非法数据!');history.back(-1)</Script>"
Response.end
end if
next
next
end if
On Error Resume Next
dim conn
dim connstr
dim db
Set conn = Server.CreateObject("ADODB.Connection")
connstr="Provider=SQLOLEDB;Data Source=(local);Initial Catalog=金点子管理系统数据库;User ID=sa;Password=sa;"
conn.Open connstr
If Err Then
err.Clear
Set Conn = Nothing
Response.Write "fuck!"
Response.End
End If
%>大哥、大姐们帮帮忙。。我看不懂,谁能解释下什么。最好每句都解释。
session.CodePage=936
Response.Charset="gb2312"
SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = split(SQL_Injdata,"|")
If Request.QueryString<>"" Then
For Each SQL_Get In Request.QueryString
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then
Response.Write "<Script Language=JavaScript>alert('请勿提交非法数据!');history.back(-1)</Script>"
Response.end
end if
next
Next
End If
If Request.Form<>"" Then
For Each Sql_Post In Request.Form
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 Then
Response.Write "<Script Language=JavaScript>alert('请勿提交非法数据!');history.back(-1)</Script>"
Response.end
end if
next
next
end if
On Error Resume Next
dim conn
dim connstr
dim db
Set conn = Server.CreateObject("ADODB.Connection")
connstr="Provider=SQLOLEDB;Data Source=(local);Initial Catalog=金点子管理系统数据库;User ID=sa;Password=sa;"
conn.Open connstr
If Err Then
err.Clear
Set Conn = Nothing
Response.Write "fuck!"
Response.End
End If
%>大哥、大姐们帮帮忙。。我看不懂,谁能解释下什么。最好每句都解释。
连接字符串
实例:(local)--本机默认实例
数据库名:金点子管理系统数据库
连接帐户:sa
连接密码:sa用户名和密码都是sa,看着怪吓人的
set conn=server.createobject("adodb.connection")
conn.open "Provider=SQLOLEDB.1;Persist Security Info=True;User ID=sa;pwd=sa;Initial Catalog=gwbg;Data Source=(local);Connect Timeout=15"上面的语句你根据需要改其中的id=“你的数据库登陆用户名”
pwd=“你的数据库连接密码”
Initial Catalog =“你要连接的数据库名”
Data Source=“数据库的存放地址”
通过关键词过滤:|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
中用竖线分割的就是。然后判断Request.QueryString里有无这些关键字,如果有,提示语句非法,退出。
然后检查Request.Form
最后连接。
connstr="Provider=SQLOLEDB;Data Source=(local);Initial Catalog=金点子管理系统数据库;User ID=sa;Password=sa;"
就是连接字符串了。为提供程序,此处为MSSQL,一般照抄就行了。Data Source 为服务器名,(local)表本地机。Initial Catalog为连接的数据库,后为用户名和密码。