For example, take a field styledesc, which the data requirements define as 50 characters of type char. Can I restrict only its length to 50 and apply no other restriction,
so that any characters can be entered, as long as the value is of type char and the database allows it?
In that case, how should the value be written to the database safely, read back correctly, and displayed in the different places and applications where it is used?
How should this be done?
Below are a few points I have summarized. They are very likely wrong; please correct me.
Suppose the user may enter any characters (apart from a field's specific input constraints, such as input length and input type, etc.),
that is, the input is restricted as little as possible.
For a string str, there are the following output destinations:
1. Output into HTML: function fn_chk_to_html(str)
2. Output into script (e.g. JavaScript): function fn_chk_to_script(str)
3. Output into an SQL statement, where the statement encloses str in single quotes:
function fn_chk_to_sql_mark(str)
4. Output into an SQL statement, where the statement does not enclose str in single quotes: function fn_chk_to_sql_go(str)
5. Output into a URL: function fn_chk_to_url(str)
Case 1, e.g. <input type="text" value="<%=request("styledesc")%>">:
<%
function fn_chk_to_html(str)
    if isnull(str) then
        fn_chk_to_html = ""
        exit function
    end if
    str = trim(str)
    str = replace(str, chr(0), "", 1, -1, 1)
    ' "&" must be encoded first, otherwise the entities emitted below are encoded again
    str = replace(str, "&", "&amp;", 1, -1, 1)
    str = replace(str, """", "&quot;", 1, -1, 1)
    str = replace(str, "'", "&#39;", 1, -1, 1)
    str = replace(str, "<", "&lt;", 1, -1, 1)
    str = replace(str, ">", "&gt;", 1, -1, 1)
    str = replace(str, vbcrlf, "<br>", 1, -1, 1)
    fn_chk_to_html = str
end function
%>
Case 2, e.g. response.write "<script>alert(""" & request("styledesc") & """);</script>":
<%
function fn_chk_to_script(str)
    if isnull(str) then
        fn_chk_to_script = ""
        exit function
    end if
    str = trim(str)
    ' backslash first, so the escapes added below are not escaped a second time
    str = replace(str, "\", "\\", 1, -1, 1)
    str = replace(str, """", "\""", 1, -1, 1)
    str = replace(str, "'", "\'", 1, -1, 1)
    ' a raw line break ends a JavaScript string literal, so CRLF, CR and LF all become \n
    str = replace(str, vbcrlf, "\n", 1, -1, 1)
    str = replace(str, chr(13), "\n", 1, -1, 1)
    str = replace(str, chr(10), "\n", 1, -1, 1)
    ' the HTML parser ends the script block at a literal </script> regardless of quoting
    str = replace(str, "</", "<\/", 1, -1, 1)
    fn_chk_to_script = str
end function
%>
Case 3, e.g. sql = "select * from style where styledesc like '" & request("styledesc") & "'":
<%
function fn_chk_to_sql_mark(str)
    if isnull(str) then
        fn_chk_to_sql_mark = ""
        exit function
    end if
    str = trim(str)
    ' doubling the single quote keeps str inside the SQL string literal;
    ' note that in a LIKE pattern "%" and "_" remain wildcards after this,
    ' and that an ADODB.Command with parameters avoids the escaping altogether
    str = replace(str, "'", "''", 1, -1, 1)
    fn_chk_to_sql_mark = str
end function
%>
Case 4, e.g. sql = "select * from " & request("table") ??
<%
function fn_chk_to_sql_go(str)
    if isnull(str) then
        fn_chk_to_sql_go = ""
        exit function
    end if
    str = trim(str)
    str = replace(str, chr(0), "", 1, -1, 1)
    str = replace(str, "&", "&amp;", 1, -1, 1)
    str = replace(str, """", "&quot;", 1, -1, 1)
    str = replace(str, "'", "&#39;", 1, -1, 1)
    str = replace(str, "<", "&lt;", 1, -1, 1)
    str = replace(str, ">", "&gt;", 1, -1, 1)
    ' the replacement strings for the following characters were lost in the copy;
    ' numeric entities are assumed here, matching the entities used above
    str = replace(str, "[", "&#91;", 1, -1, 1)
    str = replace(str, "]", "&#93;", 1, -1, 1)
    str = replace(str, "\", "&#92;", 1, -1, 1)
    str = replace(str, "*", "&#42;", 1, -1, 1)
    str = replace(str, "%", "&#37;", 1, -1, 1)
    str = replace(str, ";", "&#59;", 1, -1, 1)
    str = replace(str, vbcrlf, "<br>", 1, -1, 1)
    str = replace(str, "--", "&#45;&#45;", 1, -1, 1)
    ' note: no list of replaced characters can make an unquoted SQL fragment
    ' (a table or column name) safe, because letters and spaces alone already
    ' change the statement; a value used in this position should be compared
    ' against a fixed list of allowed names instead of being escaped
    fn_chk_to_sql_go = str
end function
%>
Case 5, e.g. str = "<img src=showimg.asp?id=" & request("id") & ">":
<%
function fn_chk_to_url(str)
    if isnull(str) then
        fn_chk_to_url = ""
        exit function
    end if
    str = trim(str)
    ' encodes one query-string value; the path and the parameter name stay fixed text
    str = server.urlencode(str)
    fn_chk_to_url = str
end function
%>
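The following is an added example, not the ASP code from the post: the same five output contexts reimplemented in Python, one encoder per context, so the behaviour can be checked on sample input. It goes beyond the post in three places: case 2 also escapes "</" and the Unicode line terminators, case 3 is shown both as an escaped literal (with a LIKE-pattern variant) and as the preferred parameterised query, and case 4 is handled with an allowlist rather than character replacement, since an unquoted SQL position cannot be made safe by escaping. The table allowlist ALLOWED_TABLES and the sample rows are constructed for the example; showimg.asp is taken from the post.

```python
# Added example (not the post's ASP code): the same five output contexts in Python,
# one encoder per context. The table allowlist and the sample rows are constructed.
import html
import sqlite3
import urllib.parse


# Case 1: str lands in HTML text or in a quoted attribute value.
def to_html(s: str) -> str:
    # html.escape encodes '&' first, so the entities it emits are never re-encoded.
    return html.escape(s, quote=True).replace("\r\n", "<br>")


# Case 2: str lands inside a JavaScript string literal in a <script> block.
_JS_ESCAPES = {
    "\\": "\\\\", '"': '\\"', "'": "\\'", "\r": "\\r", "\n": "\\n",
    "\u2028": "\\u2028", "\u2029": "\\u2029",  # line terminators that also end a JS literal
}


def to_js_string(s: str) -> str:
    # Per-character mapping: each input character is looked at once, so the ordering
    # problem of chained replace() calls (escaping an escape) cannot occur.
    out = "".join(_JS_ESCAPES.get(ch, ch) for ch in s)
    # The HTML parser ends the script block at a literal "</script>" regardless of
    # JavaScript quoting, so "</" must not survive either.
    return out.replace("</", "<\\/")


# Case 3: str lands inside a single-quoted SQL string literal.
def to_sql_quoted(s: str) -> str:
    if "\x00" in s:
        raise ValueError("NUL byte is not representable in an SQL literal")
    return s.replace("'", "''")  # standard SQL: a quote inside a literal is doubled


def to_like_pattern(s: str) -> str:
    # For LIKE the wildcards '%' and '_' are still live after quoting; neutralise
    # them with a backslash and write ... LIKE '<result>' ESCAPE '\' in the statement.
    s = s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return to_sql_quoted(s)


def find_styles(desc: str) -> list:
    # Preferred form of case 3: a parameterised query. The driver passes desc as
    # data, so the value needs no escaping at all.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table style (id integer, styledesc char(50))")
    conn.executemany("insert into style values (?, ?)",
                     [(1, "O'Brien"), (2, "100% cotton")])  # constructed rows
    rows = conn.execute("select id from style where styledesc = ?", (desc,)).fetchall()
    conn.close()
    return [r[0] for r in rows]


# Case 4: str lands in SQL unquoted (a table or column name). No replacement list
# can make this position safe, because plain letters and spaces already change
# the statement; the only check that works is membership in a fixed list.
ALLOWED_TABLES = frozenset({"style", "customer"})  # constructed allowlist


def sql_identifier(name: str) -> str:
    if name not in ALLOWED_TABLES:
        raise ValueError(f"table name not allowed: {name!r}")
    return name


# Case 5: str lands in a URL query string that is itself inside an HTML attribute.
# Two contexts are nested, so encode for the inner one (URL) first and for the
# outer one (HTML attribute) last.
def to_url_param(s: str) -> str:
    return urllib.parse.quote(s, safe="")


def img_tag(params: dict) -> str:
    query = urllib.parse.urlencode(params)  # URL context, e.g. id=12&size=a+b
    return '<img src="' + to_html("showimg.asp?" + query) + '">'  # HTML attribute context


if __name__ == "__main__":
    print(to_html('<b>"x"</b>'))
    print(to_js_string('He said "hi"\n</script>'))
    print("select id from style where styledesc like '"
          + to_like_pattern("100%") + "' escape '\\'")
    print(find_styles("O'Brien"))
    print(img_tag({"id": "12", "size": "a b"}))
```

The design point is that each function answers one question, "which parser reads this string next?", and that nested contexts (case 5) are handled by applying the encoders inside-out; a value that needs to be an identifier (case 4) is not encoded at all but validated.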