eWebEditor and FCKeditor: filtering single quotes in editor content
We built the statement by string concatenation:

SQL = "insert into product(title,content) values('" & Request("title") & "','" & Request("content") & "')"

So we went back to the text the customer had copied into the editor at the time and, sure enough, it contained single quotes. That was the whole cause: because the content submitted through the editor contained a single quote, the SQL statement itself changed. Instead of

insert into product(title,content) values('content','content')

what was executed was something like

insert into product(title,content) values('content','content'')

Looking closely, the one extra quotation mark ends the string literal early, so the statement is no longer the one we wrote; it is a serious error in the statement that reaches the database. What surprised us is that the statement did not produce an error message but reported the operation as successful. That reminded us of the "little hackers" who were everywhere around 2003 and liked to break into admin backends with 'or'='or'. That method exploits exactly this bug: single quotes are not filtered before the SQL is executed, so whatever condition the query was meant to test, the result comes back true. Haha, we did not expect that. We thought that writing the program as simply and plainly as possible was the right approach; that too turned out to be a mistake.

All right, the problem is found. From now on, every field is filtered before its value is passed into any SQL statement, so this will not happen again. Below is a fairly complete SQL security filtering function; you can call it as it is.

A caveat before relying on it: the function is a keyword blacklist combined with HTML encoding. It rewrites legitimate content (a product description containing words such as select, count or like comes out altered), it stores HTML-encoded text rather than what the customer typed, and a blacklist only stops the tokens it lists. What actually fixes the bug shown above is making sure no user-supplied quote can terminate the string literal: either double every single quote (the final line of the function does this) or, better, pass the values as parameters of an ADODB.Command so that no user data is ever spliced into the SQL text at all.
' VBScript (classic ASP). The string literals were stripped when this page was
' extracted; they are reconstructed here from the pattern of each line. Each
' keyword replacement swaps one letter for its HTML numeric entity so the word no
' longer matches as an SQL keyword; which letter the original encoded is an
' assumption. Replace(find, replace, start, count, compare): compare 0 is a
' binary (case-sensitive) match, compare 1 is a text (case-insensitive) match.
Function HTMLEncode(Str)
    If IsNull(Str) Then
        HTMLEncode = ""
        Exit Function
    End If
    ' Strip NUL bytes, then HTML-encode the characters that matter for markup.
    Str = Replace(Str, Chr(0), "", 1, -1, 1)
    Str = Replace(Str, """", "&quot;", 1, -1, 1)
    Str = Replace(Str, "<", "&lt;", 1, -1, 1)
    Str = Replace(Str, ">", "&gt;", 1, -1, 1)
    ' Tag names: three case-sensitive passes followed by a case-insensitive one
    ' (the last pass alone would already cover all three spellings).
    Str = Replace(Str, "script", "&#115;cript", 1, -1, 0)
    Str = Replace(Str, "SCRIPT", "&#83;CRIPT", 1, -1, 0)
    Str = Replace(Str, "Script", "&#83;cript", 1, -1, 0)
    Str = Replace(Str, "script", "&#83;cript", 1, -1, 1)
    Str = Replace(Str, "object", "&#111;bject", 1, -1, 0)
    Str = Replace(Str, "OBJECT", "&#79;BJECT", 1, -1, 0)
    Str = Replace(Str, "Object", "&#79;bject", 1, -1, 0)
    Str = Replace(Str, "object", "&#111;bject", 1, -1, 1)
    Str = Replace(Str, "applet", "&#97;pplet", 1, -1, 0)
    Str = Replace(Str, "APPLET", "&#65;PPLET", 1, -1, 0)
    Str = Replace(Str, "Applet", "&#65;pplet", 1, -1, 0)
    Str = Replace(Str, "applet", "&#65;pplet", 1, -1, 1)
    Str = Replace(Str, "[", "&#91;")
    Str = Replace(Str, "]", "&#93;")
    ' Both literals on this line were lost in extraction; space to &nbsp; is an assumption.
    Str = Replace(Str, " ", "&nbsp;", 1, -1, 1)
    Str = Replace(Str, "=", "&#61;", 1, -1, 1)
    ' The quote itself is entity-encoded here (reconstructed); the final line
    ' then doubles any quote that is still present for SQL.
    Str = Replace(Str, "'", "&#39;", 1, -1, 1)
    ' SQL keyword blacklist: one letter of each keyword becomes an entity.
    Str = Replace(Str, "select", "sel&#101;ct", 1, -1, 1)
    Str = Replace(Str, "execute", "ex&#101;cute", 1, -1, 1)
    Str = Replace(Str, "exec", "ex&#101;c", 1, -1, 1)
    Str = Replace(Str, "join", "jo&#105;n", 1, -1, 1)
    Str = Replace(Str, "union", "un&#105;on", 1, -1, 1)
    Str = Replace(Str, "where", "wh&#101;re", 1, -1, 1)
    Str = Replace(Str, "insert", "ins&#101;rt", 1, -1, 1)
    Str = Replace(Str, "delete", "del&#101;te", 1, -1, 1)
    Str = Replace(Str, "update", "up&#100;ate", 1, -1, 1)
    Str = Replace(Str, "like", "l&#105;ke", 1, -1, 1)
    Str = Replace(Str, "drop", "dro&#112;", 1, -1, 1)
    Str = Replace(Str, "create", "cr&#101;ate", 1, -1, 1)
    Str = Replace(Str, "rename", "ren&#97;me", 1, -1, 1)
    Str = Replace(Str, "count", "co&#117;nt", 1, -1, 1)
    Str = Replace(Str, "chr", "c&#104;r", 1, -1, 1)
    Str = Replace(Str, "mid", "m&#105;d", 1, -1, 1)
    Str = Replace(Str, "truncate", "trunc&#97;te", 1, -1, 1)
    Str = Replace(Str, "nchar", "nch&#97;r", 1, -1, 1)
    Str = Replace(Str, "char", "ch&#97;r", 1, -1, 1)
    Str = Replace(Str, "alter", "alt&#101;r", 1, -1, 1)
    Str = Replace(Str, "cast", "ca&#115;t", 1, -1, 1)
    Str = Replace(Str, "exists", "e&#120;ists", 1, -1, 1)
    ' Drop carriage returns, then double any remaining single quote so it can
    ' never terminate an SQL string literal.
    Str = Replace(Str, Chr(13), "", 1, -1, 1)
    HTMLEncode = Replace(Str, "'", "''", 1, -1, 1)
End Function
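The quote problem described above, and the two ways of fixing it that the filter function only partly covers, as an added example that is not part of the original page or its ASP code. It rebuilds the concatenated INSERT on SQLite so that it runs offline, keeping the page's table and column names (product, title, content); the pasted text, the crafted payload and the helper names (insert_concat, insert_escaped, insert_param, demo) are constructed for the demonstration. It shows three things the prose only states: an innocent apostrophe breaks the concatenated statement, a crafted quote does not break it but changes what it does, and both quote doubling and a parameterised statement store the text exactly as submitted.

```python
import sqlite3

# Added example (not from the original page): the concatenated INSERT the
# article describes, rebuilt on SQLite, beside the two fixes.
SCHEMA = "create table product(title text, content text)"

# Constructed inputs: one "customer" paste containing apostrophes, and one
# payload that uses a quote to append a second row to the same statement.
PASTED_CONTENT = "Customer's note: don't use 'or' tricks"
INJECTED_CONTENT = "x'), ('injected', 'row') --"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_concat(conn, title, content):
    """Vulnerable: mirrors
    SQL = "insert into product(title,content) values('" & title & "','" & content & "')"
    A quote inside `content` ends the literal early; the rest is parsed as SQL."""
    sql = ("insert into product(title,content) values('"
           + title + "','" + content + "')")
    conn.execute(sql)
    conn.commit()


def insert_escaped(conn, title, content):
    """Minimal fix: double every single quote, the effect of
    Replace(Str, "'", "''"). User data can no longer terminate the literal."""
    sql = ("insert into product(title,content) values('"
           + title.replace("'", "''") + "','"
           + content.replace("'", "''") + "')")
    conn.execute(sql)
    conn.commit()


def insert_param(conn, title, content):
    """Preferred fix: a parameterised statement. The driver never splices the
    values into the SQL text, so their content cannot change the statement."""
    conn.execute("insert into product(title,content) values(?, ?)",
                 (title, content))
    conn.commit()


def rows(conn):
    return conn.execute(
        "select title, content from product order by rowid").fetchall()


def demo():
    results = {}

    # 1. An ordinary apostrophe makes the concatenated statement malformed.
    conn = fresh_db()
    try:
        insert_concat(conn, "t", PASTED_CONTENT)
        results["concat_plain"] = "inserted"
    except sqlite3.OperationalError as exc:
        results["concat_plain"] = "error: " + str(exc)

    # 2. A crafted quote does not error at all: the statement now inserts two
    #    rows, one of which the application never wrote.
    conn = fresh_db()
    insert_concat(conn, "t", INJECTED_CONTENT)
    results["concat_injected_rows"] = rows(conn)

    # 3. Both fixes store each input verbatim as exactly one row.
    for name, fn in (("escaped", insert_escaped), ("param", insert_param)):
        conn = fresh_db()
        fn(conn, "t", PASTED_CONTENT)
        fn(conn, "t", INJECTED_CONTENT)
        results[name + "_rows"] = rows(conn)

    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it and compare the "concat_injected_rows" entry with the two fixed variants: the unescaped build inserts ('t', 'x') plus a second row ('injected', 'row'), while the escaped and parameterised builds each hold one row whose content is the payload string itself. The keyword blacklist in HTMLEncode would not have changed this outcome either way, because the payload uses no listed keyword; the quote handling is what decides it.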