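function killn(byval s1) 'Sanitise a numeric (integer) parameter
    'Returns the value as a Long, or 0 when it is not numeric or falls
    'outside 0..2147483647. The value is converted before the range check:
    'the original compared the raw argument, and VBScript does not compare a
    'string Variant (what Request.Form returns) with a numeric literal
    'numerically, so the bounds test did not behave as intended for posted
    'text. Converting first also keeps CLng from overflowing on large input.
    dim n
    if not isnumeric(s1) then
        killn=0
    else
        n=cdbl(s1)
        if n<0 or n>2147483647 then
            killn=0
        else
            killn=clng(n)
        end if
    end if
end function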
function killc(byval s1) 'Sanitise a currency-style parameter
    'Non-numeric input collapses to 0. Numeric input is rendered by
    'FormatNumber (which returns a string) with two decimals, a leading
    'digit, no parentheses for negatives and no digit grouping; vbTrue/vbFalse
    'are the Tristate values -1 and 0.
    killc=0
    if isnumeric(s1) then killc=formatnumber(s1,2,vbTrue,vbFalse,vbFalse)
end function
function killw(byval s1) 'Sanitise a string parameter
    'Empty input stays empty; otherwise every apostrophe is removed and the
    'result is trimmed. Only the single quote is touched, so this is not an
    'HTML escape and does not cover other characters a SQL literal may need.
    killw=""
    if len(s1)=0 then exit function
    killw=trim(replace(s1,"'",""))
end function
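function killbad(byval s1) 'Escape HTML-significant characters and line breaks
    'Returns "" for empty input. Otherwise the trimmed input is escaped for an
    'HTML context. Order matters and was wrong in the original chain: "&" is
    'handled first so the entities produced for the other characters are not
    're-escaped into "&amp;lt;" etc., and CR/LF become <br> only after "<"
    'and ">" have been escaped so the inserted tag survives. Trim runs before
    'spaces are turned into &nbsp; (afterwards it had nothing left to strip).
    'The replacement entities are the standard HTML ones; the page rendering
    'had decoded them, which is why the original lines no longer parse.
    'This is HTML output escaping only, not a SQL escape.
    dim s
    if len(s1)=0 then
        killbad=""
    else
        s=trim(s1)
        s=replace(s,"&","&amp;")
        s=replace(s,"<","&lt;")
        s=replace(s,">","&gt;")
        s=replace(s,chr(34),"&quot;")
        s=replace(s,chr(39),"&#39;")
        s=replace(s,chr(13),"")
        s=replace(s,chr(10),"<br>")
        s=replace(s,chr(32),"&nbsp;")
        killbad=s
    end if
end function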
<%
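id=request.Form("id")
userName=request.Form("userName")
pwd=request.Form("pwd")
sex=request.Form("sex")
'An unset sex is stored as SQL NULL rather than as an empty string
if sex="" or isNull(sex) then
    sex=null
end if
'NOTE(review): the address is hard-coded; nothing here reads the request's
'client address, so the IP column always receives this literal.
ip="127.0.0.1"
'NOTE(review): pwd is written exactly as posted; check whether the column is
'meant to hold a salted hash rather than the clear text.
'//Add: no id posted means a new Member row. Every value is bound as a
'//parameter (CommandType 1 = adCmdText with "?" placeholders), so posted
'//text is never spliced into the statement. Conn is expected to be an open
'//connection created earlier in the page.
if id="" then
    Set Cmd = Server.CreateObject("ADODB.Command")
    SQL = "InSert Into Member(userName,pwd,sex) Values(?,?,?)"
    With Cmd
        .ActiveConnection = Conn
        .CommandType = 1
        .CommandText =SQL
        .Prepared = True
        .Parameters(0).Value = userName
        .Parameters(1).Value = pwd
        .Parameters(2).Value = sex
        .Execute
    End With
    Set Cmd = Nothing
end if
'//Edit: the original concatenated id straight from the form into the WHERE
'//clause ("where id="&id), which left that one value open to SQL injection
'//even though the SET values were parameterised. id is now required to be
'//numeric and is bound as the fourth parameter.
if id<>"" and userName<>"" and pwd<>"" then
    if isnumeric(id) then
        SQL="update Member set userName=?,Pwd=?,IP=? where id=?"
        Set Cmd = Server.CreateObject("ADODB.Command")
        With Cmd
            .ActiveConnection = Conn
            .CommandType = 1
            .CommandText =SQL
            .Prepared = True
            .Parameters(0).Value = userName
            .Parameters(1).Value = pwd
            .Parameters(2).Value = ip
            .Parameters(3).Value = clng(id)
            .Execute
        End With
        Set Cmd = Nothing
    else
        'A non-numeric id is reported through Err, so the response below is 0
        'just as it is for a failed statement (5 = invalid argument).
        Err.Raise 5, "member", "id must be numeric"
    end if
end if
'0 on failure, 1 on success. Err is only populated here if the page (or an
'include above this block, not shown) turned on "On Error Resume Next";
'otherwise a failing statement aborts the script before this line.
if err then
    response.Write(0)
else
    response.Write(1)
end if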
%>
用这种方法写添加和修改的方法，可以防注入吗？没有用到过滤。忽略数据库连接程序，假设数据库已经连好，在此状态下写的添加和更新语句。
谢谢.请大神们给点参考.
再次感谢.