28,409
社区成员
发帖
与我相关
我的任务
分享请高手帮我看看。我这段代码里有漏洞吗..我扫描时老是提醒Exist XSS
<%
dim keyword
keyword=trim(request("keyword"))
if instr(keyword,";") or instr(keyword,"and") or instr(keyword,"start") or instr(keyword,"select")or instr(keyword,"%") then
response.write "对不起,不能搜索!"
end if
%>
<!--#include file="../inc/conn.asp"-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>xx</title>
<META NAME="ROBOTS" content="ALL">
</head>
<body>
<!-- #include file="../inc/head.asp" -->
<%
keyword=trim(request("keyword"))
user_pro=clng(trim(request("user_pro")))
unit_type=clng(trim(request("unit_type")))
page=clng(trim(request("page")))
%>
<div class="clr"></div>
<div id="users_d">
<div id="users_d_left">
<%
dim strSql,rs
strSql="select * from [user] where "
if user_pro<>"" then strSql=strSql & " user_pro='" & user_pro & "' and"
if unit_type<>"" then strSql=strSql & " unit_type='" & unit_type & "' and"
strSql=strSql & " unit_name like '%" & keyword & "%' order by reg_time desc"
.
.
..
...
<form action="user_sch.asp" method="post" name="pageform">
<input type="hidden" name="keyword" value="<%= keyword %>" />
<input type="hidden" name="user_pro" value="<%= user_pro %>" />
<input type="hidden" name="page" />
共有[<b><%= totalrec %></b>]条记录,<%= page %>/<%= rs.pageCount %>页。
.
.
.
.
.
</form>
<%
else
response.Write "<br><br><br><br><br> <font color=red>对不起,没有搜索到您要 </font><font color=#000000><b>"&keyword&"</b></font> <font color=red>的资料,请重新填写关键词!<br><br><br><br></font>"
end if
%>
dim keyword
keyword=trim(request("keyword"))
if instr(keyword,";") or instr(keyword,"and") or instr(keyword,"start") or instr(keyword,"select")or instr(keyword,"%") then
response.write "对不起,不能搜索!"
end if
%>
<!--#include file="../inc/conn.asp"-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>xx</title>
<META NAME="ROBOTS" content="ALL">
</head>
<body>
<!-- #include file="../inc/head.asp" -->
<%
keyword=trim(request("keyword"))
user_pro=clng(trim(request("user_pro")))
unit_type=clng(trim(request("unit_type")))
page=clng(trim(request("page")))
%>
<div class="clr"></div>
<div id="users_d">
<div id="users_d_left">
<%
dim strSql,rs
strSql="select * from [user] where "
if user_pro<>"" then strSql=strSql & " user_pro='" & user_pro & "' and"
if unit_type<>"" then strSql=strSql & " unit_type='" & unit_type & "' and"
strSql=strSql & " unit_name like '%" & keyword & "%' order by reg_time desc"
.
.
..
...
<form action="user_sch.asp" method="post" name="pageform">
<input type="hidden" name="keyword" value="<%= keyword %>" />
<input type="hidden" name="user_pro" value="<%= user_pro %>" />
<input type="hidden" name="page" />
共有[<b><%= totalrec %></b>]条记录,<%= page %>/<%= rs.pageCount %>页。
.
.
.
.
.
</form>
<%
else
response.Write "<br><br><br><br><br> <font color=red>对不起,没有搜索到您要 </font><font color=#000000><b>"&keyword&"</b></font> <font color=red>的资料,请重新填写关键词!<br><br><br><br></font>"
end if
%>
...全文
请发表友善的回复…
发表回复
同城同梦 2008-12-08
- 打赏
- 举报
[Quote=引用 2 楼 littlelam 的回复:]
if instr(keyword,";") or instr(keyword,"and") or instr(keyword,"start") or instr(keyword,"select")or instr(keyword,"%") then
这句无实际意义
[/Quote]
谢谢.
if instr(keyword,";") or instr(keyword,"and") or instr(keyword,"start") or instr(keyword,"select")or instr(keyword,"%") then
这句无实际意义
[/Quote]
谢谢.
qap22 2008-12-08
- 打赏
- 举报
ding
littlelam 2008-12-08
- 打赏
- 举报
if instr(keyword,";") or instr(keyword,"and") or instr(keyword,"start") or instr(keyword,"select")or instr(keyword,"%") then
这句无实际意义
这句无实际意义
littlelam 2008-12-08
- 打赏
- 举报
trim(request("keyword")) ==>>
Replace(trim(request("keyword")),"'","''")
Replace(trim(request("keyword")),"'","''")
