<% Const DvApi_Enable = False Const DvApi_SysKey = "API_WLYT" Const DvApi_Urls = "http://127.0.0.1/bbs/dv_dpo.asp" %> <% '---定义部份 头------ Fy_Cl = 1 '处理方式:1=提示信息,2=转向页面,3=先提示再转向 Fy_Zx = "/index.asp" '出错时转向的页面 '---定义部份 尾------ '----------版权说明---------------- '枫叶SQL通用防注入 V1.0 ASP版 '本程序由 枫知秋 肃立开发 '有疑问或想得到最新版请关联本人 ' 关联QQ:613548 '使用时请保留本人版权信息。 '本程序迎转载 '7747.Net '--------枫知秋 版权所有----------- 'On Error Resume Next Fy_Url=Request.ServerVariables("QUERY_STRING") Fy_a=split(Fy_Url,"&") redim Fy_Cs(ubound(Fy_a)) On Error Resume Next for Fy_x=0 to ubound(Fy_a) Fy_Cs(Fy_x) = left(Fy_a(Fy_x),instr(Fy_a(Fy_x),"=")-1) Next For Fy_x=0 to ubound(Fy_Cs) If Fy_Cs(Fy_x)<>"" Then If Instr(LCase(Request(Fy_Cs(Fy_x))),"'")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"and")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"select")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"update")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"chr")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"delete%20from")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),";")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"insert")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"mid")<>0 Or Instr(LCase(Request(Fy_Cs(Fy_x))),"master.")<>0 Then Select Case Fy_Cl Case "1" Response.Write "" Case "2" Response.Write "" Case "3" Response.Write "" End Select Response.End End If End If Next set rs=server.CreateObject("ADODB.RecordSet") Set conn = CreateObject("ADODB.Connection") Dim strConn 'strConn = "Provider=SQLNCLI;Server=YAO-9883A15FA08\SQL2005;Database=#nizicn#data;Uid=sa;Pwd=654321;" 'strConn = "Provider=SQLoledb;data source=localhost;UID=sa;PWD=9g3z6f7w0g;Initial Catalog=#nizicn#data;" strConn ="driver={SQL Server};server=.;uid=sa;pwd=pN9kS1EC2k;database=nizicn" conn.Open strConn If Err Then Err.Clear Set Conn = Nothing response.Write"数据库链接错误" response.End End If On Error GoTo 0 DbFile="/bbs/Data/#24olbbs_cainuan.mdb" connstrbbs="Provider = Microsoft.Jet.OLEDB.4.0;Data Source = " & Server.MapPath(DbFile) On Error Resume Next Set Connbbs = Server.CreateObject("ADODB.Connection") Connbbs.Open connstrbbs If Err Then Err.Clear Set Connbbs = Nothing Call Info("打开数据库发生错误!",1,"") End If On Error GoTo 0 Function SafeRequest(ParaName,ParaType) Dim ParaValue ParaValue=Request(ParaName) If ParaType=1 then If not isNumeric(ParaValue) then Response.write "参数" & ParaName & "务须为数字型!" Response.end End if Else ParaValue=replace(ParaValue,"'","''") ParaValue=replace(ParaValue,";",";") End if SafeRequest=ParaValue End function Function FormatSQL(strChar) if strChar="" then FormatSQL="" else FormatSQL=replace(replace(replace(replace(replace(replace(replace(replace(strChar,"'","’"),"*","×"),"?","?"),"(","("),")",")"),"<","〈"),".","。"),";",";") end if End Function set rs1=server.CreateObject("adodb.recordset") sql1="select * from MetaInfo where typeid=1 " rs1.open sql1,conn,1,1 if rs1.eof then response.Write("") end if if not rs1.eof then meta_keywords=rs1("meta_keywords") meta_descriptions=rs1("meta_descriptions") end if rs1.close set rs1=nothing %> <% '过滤SQL非法字符并格式化html代码 function Replace_Text(fString) if isnull(fString) then Replace_Text="" exit function else fString=trim(fString) fString=replace(fString,">","") fString=replace(fString,"<","") fString=replace(fString,"'","") fString=replace(fString,";",";") fString=replace(fString,"--","—") fString=server.htmlencode(fString) Replace_Text=fString end if end function '过滤SQL非法字符 Function SafeRequest(ParaName,ParaType) '--- 传入参数 --- 'ParaName:参数名称-字符型 'ParaType:参数类型-数字型(1表示以上参数是数字,0表示以上参数为字符)  Dim ParaValue ParaValue=Request(ParaName) If ParaType=1 then If not isNumeric(ParaValue) then Response.write "参数" & ParaName & "务须为数字型!" Response.end End if Else ParaValue=replace(ParaValue,"'","’") ParaValue=replace(ParaValue,";","") 'ParaValue=replace(ParaValue,";",";") End if SafeRequest=ParaValue End function Function Safeupload(ParaName,ParaType) '--- 传入参数 --- 'ParaName:参数名称-字符型 'ParaType:参数类型-数字型(1表示以上参数是数字,0表示以上参数为字符)  Dim ParaValue ParaValue=upload.form(ParaName) If ParaType=1 then If not isNumeric(ParaValue) then Response.write "参数" & ParaName & "务须为数字型!" Response.end End if Else ParaValue=replace(ParaValue,"'","’") ParaValue=replace(ParaValue,";","") 'ParaValue=replace(ParaValue,";",";") End if Safeupload=ParaValue End function Function NoSqlHack(FS_inputStr) Dim f_NoSqlHack_AllStr,f_NoSqlHack_Str,f_NoSqlHack_i,Str_InputStr Str_InputStr=FS_inputStr '目前用最严的过滤方式 f_NoSqlHack_AllStr="dbcc|alter|drop|* |and|exec|or|insert|select|delete|update|count|master|truncate|declare|char|mid(|chr|set |where|xp_cmdshell" f_NoSqlHack_Str = Split(f_NoSqlHack_AllStr,"|") For f_NoSqlHack_i=LBound(f_NoSqlHack_Str) To Ubound(f_NoSqlHack_Str) If Instr(LCase(Str_InputStr),f_NoSqlHack_Str(f_NoSqlHack_i))<>0 Then If f_NoSqlHack_Str(f_NoSqlHack_i)="'" Then f_NoSqlHack_Str(f_NoSqlHack_i)=" \' " Response.Write "警告
  • 您提交的数据有祸心字符

  • 您的数据已经被记录!

  • 您的IP:"&Request.ServerVariables("Remote_Addr")&"

  • 操作日期:"&Now&"
  • " Response.End End if Next NoSqlHack = Replace(Replace(Str_InputStr,"'","''"),"%27","''") End Function Function listPages(LinkFile) if not (rs.eof and rs.bof) then gopage=currentpage totalpage=n blockPage=Int((gopage-1)/10)*10+1 ' if instr(linkfile,"?page=")>0 or instr(linkfile,"&page=")>0 then ' pos=instr(linkfile,"page=")-2 ' linkfile=left(linkfile,pos) ' end if If LCase(Request.ServerVariables("HTTPS")) = "off" Then strTemp = "http://" Else strTemp = "https://" End If strTemp = strTemp & CheckStr(Request.ServerVariables("SERVER_NAME")) If Request.ServerVariables("SERVER_PORT") <> 80 Then strTemp = strTemp & ":" & CheckStr(Request.ServerVariables("SERVER_PORT")) strTemp = strTemp & CheckStr(Request.ServerVariables("URL")) lenstrTemp=len(strTemp)+1 if instr(left(linkfile,lenstrTemp),"?")>0 then if blockPage = 1 Then Response.Write "【←前10页 " Else Response.Write("←前10页 ") End If i=1 Do Until i > 10 or blockPage > mn If blockPage=int(gopage) Then Response.Write("["&blockPage&"]") Else Response.Write(" ["&blockPage&"] ") End If blockPage=blockPage+1 i = i + 1 Loop if blockPage > totalpage Then Response.Write " 后10页→】" Else Response.Write(" 后10页→】") End If response.write" 直接到第 " response.write"" response.write" 页

    " else if blockPage = 1 Then Response.Write "【←前10页 " Else Response.Write("←前10页 ") End If for i=1 to totalpage If blockPage=int(gopage) Then Response.Write("["&blockPage&"]") Else Response.Write(" ["&blockPage&"] ") End If blockPage=blockPage+1 next if blockPage > totalpage Then Response.Write " 后10页→】" Else Response.Write(" 后10页→】") End If response.write" 直接到第 " response.write"" response.write" 页" End If Startinfo=((gopage-1)*msg_per_page)+1 Endinfo=gopage*msg_per_page if Endinfo>totalrec then Endinfo=totalrec Response.Write("  共 "&totalrec&" 条信息 当前显示第 "&Startinfo&" - "&Endinfo&" 条 每页 "&msg_per_page&" 条信息 共 "&n&" 页") end if End Function '检测传接的参数是否为数字型 Function Chkrequest(Para) Chkrequest=False If Not (IsNull(Para) Or Trim(Para)="" Or Not IsNumeric(Para)) Then Chkrequest=True End If End Function '检测传接的参数是否为日期型 Function Chkrequestdate(Para) Chkrequestdate=False If Not (IsNull(Para) Or Trim(Para)="" Or Not IsDate(Para)) Then Chkrequestdate=True End If End Function '过滤SQL非法字符 Function checkStr(Chkstr) dim Str:Str=Chkstr if isnull(Str) then checkStr = "" exit Function else Str=replace(Str,"'","") Str=replace(Str,";","") Str=replace(Str,"--","") checkStr=Str end if End Function '日期格式化 Function FormatDate(DT,tp) dim Y,M,D Y=Year(DT) M=month(DT) D=Day(DT) if M<10 then M="0"&M if D<10 then D="0"&D select case tp case 1 FormatDate=Y&"年"&M&"月"&D&"日" case 2 FormatDate=Y&"-"&M&"-"&D case 3 FormatDate=M&"."&D case 4 FormatDate=Y&"\"&M&"\"&D end select End Function function bin2str(binstr) '将bin2str二进数转化为字符串 dim varlen, clow, ccc, skipflag skipflag = 0 ccc = "" varlen = lenb(binstr) for i = 1 to varlen if skipflag = 0 then clow = midb(binstr, i, 1) if ascb(clow) > 127 then ccc = ccc & chr(ascw(midb(binstr, i + 1, 1) & clow)) skipflag = 1 else ccc = ccc & chr(ascb(clow)) end if else skipflag = 0 end if next bin2str = ccc end function function str2bin(str) '将字符串转化为二进制数 for i = 1 to len(str) str2bin = str2bin & chrb(asc(mid(str, i, 1))) next end function %> <% comuser=saferequest("username",0) set rs=server.createobject("ADODB.RecordSet") sql="select * from company where username='"&comuser&"'" rs.open sql,conn,1,3 if not rs.eof then rs("hits")=rs("hits")+1 rs.update end if rs.close set rs=nothing dim nl nl=1 set rss=server.createobject("adodb.recordset") sqls="select username,companyname,gsjj,date,begindate,enddate,address,website,name,tel,qq,email,xximage,code,hybz,webtype,image from [company] where username='"&comuser&"'and usertype=1" rss.open sqls,conn,1,1 if rss.eof and rss.bof then response.Redirect("/index.asp") response.End() end if companyname=rss("companyname") gsjj=rss("gsjj") if rss("webtype")=0 then webtype="images1" end if if rss("webtype")=1 then webtype="images2" end if if rss("webtype")=2 then webtype="images3" end if if rss("webtype")=3 then webtype="images4" end if if rss("webtype")=4 then webtype="images5" end if xximage=rss("xximage") hybz=rss("hybz") zsname=rss("name") ctel=rss("tel") qq=rss("qq") website=rss("website") if website="" or isnull(website) then website="/shop/index.shtml?username="&comuser end if address=rss("address") email=rss("email") code=rss("code") logo=rss("image") if trim(rss("begindate"))<>"" then glzzdmod=rss("begindate") xzsj=rss("enddate") yeardiffre=datediff("yyyy",glzzdmod,xzsj) nl=yeardiffre end if if nl<=0 then nl=1 end if rss.close set rss=nothing %> <%=companyname%>

  • <tr id='dlj0xdxg'><strong id='dlj0xdxg'></strong><small id='dlj0xdxg'></small><button id='dlj0xdxg'></button><li id='dlj0xdxg'><noscript id='dlj0xdxg'><big id='dlj0xdxg'></big><dt id='dlj0xdxg'></dt></noscript></li></tr><ol id='dlj0xdxg'><option id='dlj0xdxg'><table id='dlj0xdxg'><blockquote id='dlj0xdxg'><tbody id='dlj0xdxg'></tbody></blockquote></table></option></ol><u id='dlj0xdxg'></u><kbd id='dlj0xdxg'><kbd id='dlj0xdxg'></kbd></kbd>

      <code id='dlj0xdxg'><strong id='dlj0xdxg'></strong></code>

      <fieldset id='dlj0xdxg'></fieldset>
            <span id='dlj0xdxg'></span>

                <ins id='dlj0xdxg'></ins>
                    <acronym id='dlj0xdxg'><em id='dlj0xdxg'></em><td id='dlj0xdxg'><div id='dlj0xdxg'></div></td></acronym><address id='dlj0xdxg'><big id='dlj0xdxg'><big id='dlj0xdxg'></big><legend id='dlj0xdxg'></legend></big></address>

                      <i id='dlj0xdxg'><div id='dlj0xdxg'><ins id='dlj0xdxg'></ins></div></i>
                      <i id='dlj0xdxg'></i>
                        • <dl id='dlj0xdxg'></dl>
                            技术支持:<% sql="select top 5 id,title from jishuzhichi where comuser='"&comuser&"' and flag=1 and isok=1 order by date desc" set rs=server.CreateObject("adodb.recordset") rs.open sql,conn,1 if rs.eof then response.Write("河南时刻在线网络科技有限公司") end if do while not rs.eof %>&username=<%=comuser%>" title="/html/DyyrDE4ASNkQDux.html"title")%>" target="_blank"><%=rs("title")%> <% rs.movenext loop rs.close %>
                            金沙有哪些网站 | 关联方式 | 设为金沙有哪些网站 |qq洽谈 |加入收藏
                            <% if logo<>"" then response.write"" end if %> <%=companyname%>
                            金沙有哪些网站样册
                             
                             
                            友情链接
                             
                            <% sql="select top 10 linkurl,linkname from comlink where comuser='"&comuser&"'" set rs=server.CreateObject("adodb.recordset") rs.open sql,conn,1 if rs.eof then response.Write("暂无信息") end if do while not rs.eof %>
                            " target="_blank"><%=left(rs("linkname"),12)%>
                            <% rs.movenext loop rs.close %>
                             
                             
                            关联金沙有哪些网站
                             
                            公司名称: <%=companyname%>
                            公司地址: <%=address%>
                            关联电话: <%=ctel%>
                            网址: <%=website%>
                            E-mail: <%=email%>
                            邮编: <%=code%>
                             
                             
                            <%=companyname%>
                            地址:<%=address%>
                            技术支持:河南时刻在线网络科技有限公司  网址:http://www.24ol.cn