ASP,安全写入数据库操作,正常读出并显示在不同的场合-ASP教程,ASP应用

比如说有styledesc这个字段,数据要求的是50位,char形,可不可以只限制他50位,其它的不限制,
输入什么字符都可以的.只要是char形,只要数据库允许就行

这样,安全写入数据库操作,正常读出并显示在不同的场合,应用.

应该是怎样做呢?

下面是我总结的几点.非常有可能不对,请指正.
如果对用户的输入是可以任意字符,(除了某字段特定的输入限制条件,如输入长度,输入类型==).
就是输入尽可能不作限制.

对一字符串str,他输出的方向有以下几种:
1.输出至html中,function fn_chk_to_html(str)
2.输出至script中(如javascript),function fn_chk_to_script(str)
3.输出至sql语句中,而且这条sql语句是用两个单引括起字符串str的.
function fn_chk_to_sql_mark(str)
4.输出至sql语句中,而且这条sql语句是没有用单引括起str的.function fn_chk_to_sql_go(str)
5.输出至url        .function fn_chk_to_url(str)

<%function fn_chk_to_html(str)
如<input text=”<%=request(“styledesc”)%>”>的情况下
 if isnull(str) then
  chksql = “”
  exit function
 end if
 str = trim(str)
 str = replace(str, chr(0), “”,1,-1,1)
 str = replace(str, “”””, “&quot;”,1,-1,1)
 str = replace(str, “”, “&#039;”,1,-1,1)
 str = replace(str, “<“,”&lt;”,1,-1,1)
 str = replace(str, “>”,”&gt;”,1,-1,1)
 str = replace(str, vbcrlf, “<br>”,1,-1,1)
 fn_chk_to_html = str
end function
%>

<%function fn_chk_to_script(str)
如 response.write “<script>alert(“&request(“styledesc”)&”);</script>”的情况下
 if isnull(str) then
  chksql = “”
  exit function
 end if
 str = trim(str)
 str = replace(str, “\”, “\\”,1,-1,1)
 str = replace(str, “”””, “\”””,1,-1,1)
 str = replace(str, “”, “\”,1,-1,1)
 str = replace(str,chr(13),”\n”,1,-1,1)
 fn_chk_to_script = str
end function
%>
<%
function fn_chk_to_sql_mark(str)
如 sql=”select * from style where styledesc like “&request(“styledesc”)&””的情况下
 if isnull(str) then
  chksql = “”
  exit function
 end if
 str = trim(str)
 str = replace(str, “”, “”,1,-1,1)
 fn_chk_to_sql_mark = str
end function
%>

<%function fn_chk_to_sql_go(str)
如sql = “select * from “&request(“table”)的情况下.??
 if isnull(str) then
  chksql = “”
  exit function
 end if
 str = trim(str)
 str = replace(str, chr(0), “”,1,-1,1)
 str = replace(str, “”””, “&quot;”,1,-1,1)
 str = replace(str, “”, “&#039;”,1,-1,1)
 str = replace(str, “<“,”&lt;”,1,-1,1)
 str = replace(str, “>”,”&gt;”,1,-1,1)
 str = replace(str, “[“, “&#091;”,1,-1,1)
 str = replace(str, “]”, “&#093;”,1,-1,1)
 str = replace(str, “\”, “&#092;”,1,-1,1)
 str = replace(str, “*”, “&#042;”,1,-1,1)
 str = replace(str, “%”, “&#037;”,1,-1,1)
 str = replace(str, “;”, “&#059;”,1,-1,1)
 str = replace(str, vbcrlf, “<br>”,1,-1,1)
 str = replace(str, “–“, “&#045;&#045;”)
 fn_chk_to_sql_go = str
 end function
%>

<%function fn_chk_to_url(str)

如 str=”<img src=showimg.asp?id=”&request(“id”)&”>”的情况下
 if isnull(str) then
  chksql = “”
  exit function
 end if
 str = trim(str)
 str = server.urlencode(str)
 fn_chk_to_sql_mark = str
end function
%>