Security | data | database | display
For example, take the field styledesc: the data requirement is 50 characters of type char, so the only restriction we can impose is the length of 50. Beyond that there is no restriction, and any character may be entered. As long as it is a char and the database allows it, it is accepted.
In this way the write to the database is safe, and the data is read back and displayed normally in the different places the application uses it.
How should this be done?
Here are some points I have summed up. They are very likely wrong; please correct me.
User input may be any character (apart from the specific restrictions a field itself imposes, such as input length or input type). That is, restrict input as little as possible; the protection is applied where the string is output, according to the destination.
For a string str, there are the following kinds of output destination, each with its own function:
1. Output to HTML: Function fn_chk_to_html(str)
2. Output to script (e.g. JavaScript): Function fn_chk_to_script(str)
3. Output to an SQL statement in which str is enclosed in two single quotes ('...'): Function fn_chk_to_sql_mark(str)
4. Output to an SQL statement in which str is not enclosed in single quotes: Function fn_chk_to_sql_go(str)
5. Output to a URL: Function fn_chk_to_url(str)
<%
Function fn_chk_to_html(str)
    ' Used when str is written into HTML text or a double-quoted attribute,
    ' e.g. <input type="text" value="<%=fn_chk_to_html(Request("Styledesc"))%>">
    If IsNull(str) Then
        fn_chk_to_html = ""
        Exit Function
    End If
    str = Trim(str)
    str = Replace(str, Chr(0), "", 1, -1, 1)
    ' "&" must be encoded first, otherwise the entities produced below would be encoded twice
    str = Replace(str, "&", "&amp;", 1, -1, 1)
    str = Replace(str, """", "&quot;", 1, -1, 1)
    str = Replace(str, "'", "&#39;", 1, -1, 1)   ' needed when the attribute happens to be single-quoted
    str = Replace(str, "<", "&lt;", 1, -1, 1)
    str = Replace(str, ">", "&gt;", 1, -1, 1)
    ' Line breaks become <br>; this is only meaningful for text content, not for an attribute value
    str = Replace(str, vbCrLf, "<br>", 1, -1, 1)
    fn_chk_to_html = str
End Function
%>
<%
Function fn_chk_to_script(str)
    ' Used when str is placed inside a JavaScript string literal,
    ' e.g. Response.Write "<script>alert('" & fn_chk_to_script(Request("Styledesc")) & "');</script>"
    If IsNull(str) Then
        fn_chk_to_script = ""
        Exit Function
    End If
    str = Trim(str)
    ' Backslash first, so the escapes added below are not doubled
    str = Replace(str, "\", "\\", 1, -1, 1)
    str = Replace(str, """", "\""", 1, -1, 1)
    str = Replace(str, "'", "\'", 1, -1, 1)
    str = Replace(str, vbCr, "\r", 1, -1, 1)
    str = Replace(str, vbLf, "\n", 1, -1, 1)
    ' Inside a <script> block the HTML parser ends the script at the first "</script>"
    ' regardless of JavaScript quoting, so "<" and ">" are written as JavaScript escapes too
    str = Replace(str, "<", "\x3C", 1, -1, 1)
    str = Replace(str, ">", "\x3E", 1, -1, 1)
    fn_chk_to_script = str
End Function
%>
<%
Function fn_chk_to_sql_mark(str)
    ' Used when str is embedded in a single-quoted SQL string literal,
    ' e.g. sql = "select * from Style where Styledesc like '" & fn_chk_to_sql_mark(Request("Styledesc")) & "'"
    ' Doubling the single quote is the standard SQL escape. Note that LIKE wildcards
    ' (% and _) are not escaped here, so the user can still widen the match.
    ' A parameterised ADODB.Command avoids the need for this escaping altogether.
    If IsNull(str) Then
        fn_chk_to_sql_mark = ""
        Exit Function
    End If
    str = Trim(str)
    str = Replace(str, "'", "''", 1, -1, 1)
    fn_chk_to_sql_mark = str
End Function
%>
<%
Function fn_chk_to_sql_go(str)
    ' Used when str is placed in an SQL statement without quotes, e.g. a table name:
    ' sql = "SELECT * FROM " & fn_chk_to_sql_go(Request("table"))
    ' Caution: no blacklist can make an unquoted position safe. A value such as
    ' "Style UNION SELECT ..." contains none of the characters removed below and
    ' still changes the query. Such a value should be compared against a fixed
    ' list of permitted names instead.
    If IsNull(str) Then
        fn_chk_to_sql_go = ""
        Exit Function
    End If
    str = Trim(str)
    ' Each of the following characters and sequences is removed from the string
    str = Replace(str, Chr(0), "", 1, -1, 1)
    str = Replace(str, """", "", 1, -1, 1)
    str = Replace(str, "'", "", 1, -1, 1)
    str = Replace(str, "<", "", 1, -1, 1)
    str = Replace(str, ">", "", 1, -1, 1)
    str = Replace(str, "[", "", 1, -1, 1)
    str = Replace(str, "]", "", 1, -1, 1)
    str = Replace(str, "\", "", 1, -1, 1)
    str = Replace(str, "*", "", 1, -1, 1)
    str = Replace(str, "%", "", 1, -1, 1)
    str = Replace(str, ";", "", 1, -1, 1)
    str = Replace(str, vbCrLf, "", 1, -1, 1)
    str = Replace(str, "--", "", 1, -1, 1)
    fn_chk_to_sql_go = str
End Function
%>
<%
Function fn_chk_to_url(str)
    ' Used when str is placed in a URL query-string parameter.
    ' Server.URLEncode encodes a space as "+", which is correct for query strings
    ' but not for a path segment.
    If IsNull(str) Then
        fn_chk_to_url = ""
        Exit Function
    End If
    str = Trim(str)
    str = Server.URLEncode(str)
    fn_chk_to_url = str
End Function
%>
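As an added example that is not part of the original post, here are the same five destinations written in Python, so that the rules can be checked against one stored value containing every character that matters to some sink. The value STYLEDESC, the table names in ALLOWED_TABLES and the page name in render_all are constructed assumptions. It also shows the point the fourth function cannot solve: an unquoted SQL position is protected by an allow-list, not by escaping.

```python
import html
from urllib.parse import quote_plus

# Constructed sample value, stored in the database unchanged. It contains the
# characters relevant to HTML, JavaScript strings, SQL literals and URLs.
STYLEDESC = """Red "Classic" <b>style</b> & co's</script> -- 100% done"""

# Assumed set of tables the application is allowed to query by name.
ALLOWED_TABLES = {"Style", "StyleType", "Customer"}


def to_html(s):
    """Destination 1: HTML text or a quoted attribute value."""
    if s is None:
        return ""
    # html.escape encodes & first, then < > " and '
    return html.escape(s.strip().replace("\x00", ""), quote=True)


def to_script(s):
    """Destination 2: inside a JavaScript string literal in a <script> block."""
    if s is None:
        return ""
    out = []
    for ch in s.strip():
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif ch == "'":
            out.append("\\'")
        elif ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif ch in "<>&/":
            # hex escapes keep "</script>" from ending the script block
            out.append("\\x%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def to_sql_quoted(s):
    """Destination 3: inside a single-quoted SQL string literal."""
    if s is None:
        return ""
    return s.strip().replace("\x00", "").replace("'", "''")


def is_allowed_table(s):
    """Destination 4: an unquoted SQL position. No character substitution can
    make this safe ("Style UNION SELECT ..." needs no special character), so
    the value is compared against a fixed list of permitted names."""
    return s is not None and s.strip() in ALLOWED_TABLES


def to_sql_identifier(s):
    if not is_allowed_table(s):
        raise ValueError("table name not permitted: %r" % (s,))
    return s.strip()


def to_url(s):
    """Destination 5: a URL query-string parameter (space becomes '+')."""
    if s is None:
        return ""
    return quote_plus(s.strip())


def render_all(s):
    """The one stored value, written into each sink with its own encoder."""
    return {
        "html": '<input type="text" value="%s">' % to_html(s),
        "script": "<script>alert('%s');</script>" % to_script(s),
        "sql": "SELECT * FROM %s WHERE Styledesc LIKE '%s'"
               % (to_sql_identifier("Style"), to_sql_quoted(s)),
        "url": "list.asp?styledesc=%s" % to_url(s),
    }


if __name__ == "__main__":
    for sink, text in render_all(STYLEDESC).items():
        print("%-6s %s" % (sink, text))
```

Each encoder is chosen by where the string lands, not by what it contains; the same stored value passes through a different function for every sink, and the one sink that has no escaping rule (the table name) is handled by rejecting anything outside the allow-list.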