28,406
社区成员
发帖
与我相关
我的任务
分享MapPath 方法的路径参数中发现无效字符 '/' 或 '\'
<%
response.charset = "GBK"
dim Sid,ShowId
Sid = request.querystring("Sid")
ShowId = request.querystring("ShowId")
if Sid = "" or not isnumeric(Sid) then
response.write "<script>alert('非法操作');history.back();</script>"
response.end
end if
if ShowId = "" or not isnumeric(ShowId) then
response.write "<script>alert('非法操作');history.back();</script>"
response.end
end if
if request.cookies("guest")("username")="" then
response.write "<script>alert('不是会员不能进!');history.back();</script>"
response.end
end if
%>
<!--#include file="conn.asp"-->
<%
dim rs1,sql1
set rs1 = server.createobject("adodb.recordset")
sql1 = "select * from G_Photo where G_ID="&ShowId
rs1.open sql1,conn,1,1
if rs1.eof then
rs1.Close
set rs1 = nothing
call close_conn
response.write "<script>alert('不存在此目录');history.back();</script>"
response.end
end if
dim rs,sql
set rs = server.createobject("adodb.recordset")
sql = "select * from G_Photo1 where G_ID="&Sid
rs.open sql,conn,1,1
if rs.eof then
call close_rs
call close_conn
response.write "<script>alert('不存在此目录');history.back();</script>"
response.end
end if
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<!--#include file="title.asp"-->
</head>
<body>
<!--#include file="header.asp"-->
<div id="photo">
<h1>添加图片</h1>
<div>
<form name="form1" style="padding-left:260px;padding-top:30px;" method="post" action="photo_show_add_do.asp">
<input type="hidden" value="<%=Sid%>" name="Sid" />
<dl>
<dd>图片名称:<input type="text" name="picname" /></dd>
<dd>图片路径:<input type="text" readonly="readonly" id="picdir" name="picdir" /> <a href="#" onclick="javascript:open('upfile.asp?pic1=<%=rs1("G_PhotoDir")%>&pic2=<%=rs("G_PhotoDir1")%>','upfile','width=400,height=600')">上传</a></dd>
<dd>
<input type="submit" value="添加图片" name="send" />
<label></label>
</dd>
<dd>
<input name="pic1" type="text" id="pic1" value="<%=rs1("G_PhotoDir")%>" />可以看到数据库中的目录
<input name="pic2" type="text" id="pic2" value="<%=rs("G_PhotoDir1")%>" />可以看到数据库中的目录
</dd>
</dl>
<strong></strong>
</form>
</div>
</div>
<!--#include file="footer.asp"-->
</body>
</html>
<%
call close_conn
%>
upfile.asp文件
<!--#include file="upfile.inc"-->
<script type="text/javascript">
function a(url) {
window.opener.document.form1.picdir.value=url;
}
</script>
<%
response.charset = "GBK"
dim picdir
picdir = request.querystring("picdir")
if request.querystring("menu") = "up" then
dim fileup,formpath,file,filename
pic1 = request.querystring("pic1")
pic2 = request.querystring("pic2")
'当点击了上传之后,执行上传操作
set fileup=new Upload_file '实例化一个类 fileup就是一个对象
fileup.GetDate(-1) '
formpath="upload/" & pic1 & "/" & pic2 & "/" '上传的路径
set file=fileup.file("file") '创建一个file对象,通过上面一个对象的file方法传入一个"file"参数
'这个方法能够返回你上传文件的后缀
'只允许上传指定的图片文件
if file.fileext <> "jpg" and file.fileext <> "gif" and file.fileext <> "png" and file.fileext <> "bmp" and file.fileext <> "psd" and file.fileext <> "pam" then
response.write "<script>alert('图片类型必须是jpg,gif,png,bmp这几种');window.close();</script>"
response.end
end if
'建立一个完整的路径
filename = formpath & year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now) & "." & file.fileext
file.savetofile server.mappath(filename)
set file = nothing
set fileup = nothing
response.write "<script>a('"&filename&"');</script>"
response.write "<script>alert('图片上传成功');window.close();</script>"
else
%>
<form enctype="multipart/form-data" method="post" action=upfile.asp?menu=up&picdir=<%=picdir%>>
<input type="file" name="file" size="30">
<input type="submit" value="上 传 " />
</form>
<%
end if
%>
response.charset = "GBK"
dim Sid,ShowId
Sid = request.querystring("Sid")
ShowId = request.querystring("ShowId")
if Sid = "" or not isnumeric(Sid) then
response.write "<script>alert('非法操作');history.back();</script>"
response.end
end if
if ShowId = "" or not isnumeric(ShowId) then
response.write "<script>alert('非法操作');history.back();</script>"
response.end
end if
if request.cookies("guest")("username")="" then
response.write "<script>alert('不是会员不能进!');history.back();</script>"
response.end
end if
%>
<!--#include file="conn.asp"-->
<%
dim rs1,sql1
set rs1 = server.createobject("adodb.recordset")
sql1 = "select * from G_Photo where G_ID="&ShowId
rs1.open sql1,conn,1,1
if rs1.eof then
rs1.Close
set rs1 = nothing
call close_conn
response.write "<script>alert('不存在此目录');history.back();</script>"
response.end
end if
dim rs,sql
set rs = server.createobject("adodb.recordset")
sql = "select * from G_Photo1 where G_ID="&Sid
rs.open sql,conn,1,1
if rs.eof then
call close_rs
call close_conn
response.write "<script>alert('不存在此目录');history.back();</script>"
response.end
end if
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<!--#include file="title.asp"-->
</head>
<body>
<!--#include file="header.asp"-->
<div id="photo">
<h1>添加图片</h1>
<div>
<form name="form1" style="padding-left:260px;padding-top:30px;" method="post" action="photo_show_add_do.asp">
<input type="hidden" value="<%=Sid%>" name="Sid" />
<dl>
<dd>图片名称:<input type="text" name="picname" /></dd>
<dd>图片路径:<input type="text" readonly="readonly" id="picdir" name="picdir" /> <a href="#" onclick="javascript:open('upfile.asp?pic1=<%=rs1("G_PhotoDir")%>&pic2=<%=rs("G_PhotoDir1")%>','upfile','width=400,height=600')">上传</a></dd>
<dd>
<input type="submit" value="添加图片" name="send" />
<label></label>
</dd>
<dd>
<input name="pic1" type="text" id="pic1" value="<%=rs1("G_PhotoDir")%>" />可以看到数据库中的目录
<input name="pic2" type="text" id="pic2" value="<%=rs("G_PhotoDir1")%>" />可以看到数据库中的目录
</dd>
</dl>
<strong></strong>
</form>
</div>
</div>
<!--#include file="footer.asp"-->
</body>
</html>
<%
call close_conn
%>
upfile.asp文件
<!--#include file="upfile.inc"-->
<script type="text/javascript">
function a(url) {
window.opener.document.form1.picdir.value=url;
}
</script>
<%
response.charset = "GBK"
dim picdir
picdir = request.querystring("picdir")
if request.querystring("menu") = "up" then
dim fileup,formpath,file,filename
pic1 = request.querystring("pic1")
pic2 = request.querystring("pic2")
'当点击了上传之后,执行上传操作
set fileup=new Upload_file '实例化一个类 fileup就是一个对象
fileup.GetDate(-1) '
formpath="upload/" & pic1 & "/" & pic2 & "/" '上传的路径
set file=fileup.file("file") '创建一个file对象,通过上面一个对象的file方法传入一个"file"参数
'这个方法能够返回你上传文件的后缀
'只允许上传指定的图片文件
if file.fileext <> "jpg" and file.fileext <> "gif" and file.fileext <> "png" and file.fileext <> "bmp" and file.fileext <> "psd" and file.fileext <> "pam" then
response.write "<script>alert('图片类型必须是jpg,gif,png,bmp这几种');window.close();</script>"
response.end
end if
'建立一个完整的路径
filename = formpath & year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now) & "." & file.fileext
file.savetofile server.mappath(filename)
set file = nothing
set fileup = nothing
response.write "<script>a('"&filename&"');</script>"
response.write "<script>alert('图片上传成功');window.close();</script>"
else
%>
<form enctype="multipart/form-data" method="post" action=upfile.asp?menu=up&picdir=<%=picdir%>>
<input type="file" name="file" size="30">
<input type="submit" value="上 传 " />
</form>
<%
end if
%>
...全文
请发表友善的回复…
发表回复
不耐烦 2009-12-08
- 打赏
- 举报
输出你的filename 看看是什么样子的???
