请高手帮我看看。我这段代码里有漏洞吗..我扫描时老是提醒Exist XSS

同城同梦 2008-12-08 11:11:54

<%
dim keyword
keyword=trim(request("keyword"))
if instr(keyword,";") or instr(keyword,"and") or instr(keyword,"start") or instr(keyword,"select")or instr(keyword,"%") then
response.write "对不起，不能搜索!"
end if
%>

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>xx</title>
<META NAME="ROBOTS" content="ALL">
</head>
<body>

<%
keyword=trim(request("keyword"))
user_pro=clng(trim(request("user_pro")))
unit_type=clng(trim(request("unit_type")))
page=clng(trim(request("page")))
%>
<div class="clr"></div>
<div id="users_d">
<div id="users_d_left">
<%
dim strSql,rs
strSql="select * from [user] where "
if user_pro<>"" then strSql=strSql & " user_pro='" & user_pro & "' and"
if unit_type<>"" then strSql=strSql & " unit_type='" & unit_type & "' and"
strSql=strSql & " unit_name like '%" & keyword & "%' order by reg_time desc"
.
.
..
...

<form action="user_sch.asp" method="post" name="pageform">
<input type="hidden" name="keyword" value="<%= keyword %>" />
<input type="hidden" name="user_pro" value="<%= user_pro %>" />
<input type="hidden" name="page" />
共有[<b><%= totalrec %></b>]条记录，<%= page %>/<%= rs.pageCount %>页。
.
.
.
.
.
</form>
<%
else
response.Write "<br><br><br><br><br> <font color=red>对不起，没有搜索到您要 </font><font color=#000000><b>"&keyword&"</b></font> <font color=red>的资料，请重新填写关键词！<br><br><br><br></font>"
end if
%>

...全文

68 4 打赏收藏转发到动态举报

写回复

用AI写文章

4 条回复

切换为时间正序

请发表友善的回复…

发表回复

同城同梦 2008-12-08

打赏
举报

[Quote=引用 2 楼 littlelam 的回复:]
if instr(keyword,";") or instr(keyword,"and") or instr(keyword,"start") or instr(keyword,"select")or instr(keyword,"%") then
这句无实际意义
[/Quote]
谢谢.

qap22 2008-12-08