Security | data | database | display | security
For example, there is a field styledesc. The data requires 50 characters of char, so the only limit that can be placed on it is its 50-character length; otherwise it is unrestricted, and any character can be entered. As long as it is char and the database allows it, it is OK.
So how should the value be written to the database safely, read back out normally, and displayed correctly in the different contexts the application uses it in?
Here are some of the points I have summed up. They may well be wrong, so please correct me.
If the user's input may be any character (apart from field-specific input restrictions such as input length or input type), the principle is to restrict input as little as possible.
For a string str, there are the following output destinations:
1. Output to HTML. Function fn_chk_to_html(str)
2. Output to script (e.g. JavaScript). Function fn_chk_to_script(str)
3. Output to a SQL statement in which str is enclosed in two single quotes ' '. Function fn_chk_to_sql_mark(str)
4. Output to a SQL statement in which str is not enclosed in single quotes. Function fn_chk_to_sql_go(str)
5. Output to a URL. Function fn_chk_to_url(str)
<%
Function fn_chk_to_html(str)
    ' e.g. Response.Write "<input type=""text"" value=""" & fn_chk_to_html(Request("styledesc")) & """>"
    If IsNull(str) Then
        fn_chk_to_html = ""    ' a VBScript function returns by assigning its own name (the original assigned Chksql)
        Exit Function
    End If
    str = Trim(str)
    str = Replace(str, Chr(0), "", 1, -1, 1)
    str = Replace(str, "&", "&amp;", 1, -1, 1)    ' first, so the entities added below are not encoded twice
    str = Replace(str, """", "&quot;", 1, -1, 1)
    str = Replace(str, "'", "&#39;", 1, -1, 1)
    str = Replace(str, "<", "&lt;", 1, -1, 1)
    str = Replace(str, ">", "&gt;", 1, -1, 1)
    str = Replace(str, vbCrLf, "<br>", 1, -1, 1)
    fn_chk_to_html = str
End Function
%>
<%
Function fn_chk_to_script(str)
    ' e.g. Response.Write "<script>alert('" & fn_chk_to_script(Request("styledesc")) & "');</script>"
    If IsNull(str) Then
        fn_chk_to_script = ""
        Exit Function
    End If
    str = Trim(str)
    str = Replace(str, "\", "\\", 1, -1, 1)      ' backslash first, so the escapes added below are not escaped again
    str = Replace(str, """", "\""", 1, -1, 1)
    str = Replace(str, "'", "\'", 1, -1, 1)
    str = Replace(str, Chr(13), "\r", 1, -1, 1)
    str = Replace(str, Chr(10), "\n", 1, -1, 1)
    str = Replace(str, "<", "\x3c", 1, -1, 1)    ' so a "</script>" inside the data cannot end the script block
    str = Replace(str, ">", "\x3e", 1, -1, 1)
    fn_chk_to_script = str
End Function
%>
<%
Function fn_chk_to_sql_mark(str)
    ' e.g. sql = "SELECT * FROM Style WHERE styledesc LIKE '" & fn_chk_to_sql_mark(Request("styledesc")) & "'"
    If IsNull(str) Then
        fn_chk_to_sql_mark = ""
        Exit Function
    End If
    str = Trim(str)
    str = Replace(str, Chr(0), "", 1, -1, 1)
    str = Replace(str, "'", "''", 1, -1, 1)    ' a doubled quote is the escape inside a single-quoted SQL literal
    ' note: LIKE wildcards % and _ are left as-is; an ADO parameterized command avoids quoting altogether
    fn_chk_to_sql_mark = str
End Function
%>
<%
Function fn_chk_to_sql_go(str)
    ' e.g. sql = "SELECT * FROM " & fn_chk_to_sql_go(Request("table"))
    ' An unquoted position (table or column name) has no escape syntax, so this
    ' function strips SQL and HTML metacharacters. A blacklist like this is
    ' weaker than checking the value against a list of known identifiers.
    If IsNull(str) Then
        fn_chk_to_sql_go = ""
        Exit Function
    End If
    str = Trim(str)
    str = Replace(str, Chr(0), "", 1, -1, 1)
    str = Replace(str, """", "", 1, -1, 1)
    str = Replace(str, "'", "", 1, -1, 1)
    str = Replace(str, "<", "", 1, -1, 1)
    str = Replace(str, ">", "", 1, -1, 1)
    str = Replace(str, "[", "", 1, -1, 1)
    str = Replace(str, "]", "", 1, -1, 1)
    str = Replace(str, "\", "", 1, -1, 1)
    str = Replace(str, "*", "", 1, -1, 1)
    str = Replace(str, "%", "", 1, -1, 1)
    str = Replace(str, ";", "", 1, -1, 1)
    str = Replace(str, vbCrLf, "", 1, -1, 1)
    str = Replace(str, "--", "", 1, -1, 1)    ' SQL line comment
    fn_chk_to_sql_go = str
End Function
%>
<%
Function fn_chk_to_url(str)
    ' e.g. Response.Redirect "list.asp?styledesc=" & fn_chk_to_url(Request("styledesc"))
    If IsNull(str) Then
        fn_chk_to_url = ""
        Exit Function
    End If
    str = Trim(str)
    str = Server.URLEncode(str)
    fn_chk_to_url = str    ' the original assigned fn_chk_to_sql_mark here, so this function returned Empty
End Function
%>
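The same five destinations written out in Python as an added example, not code from the post above: one encoder per output context for a single stored value, with the unquoted SQL position handled by an allowlist check rather than by escaping, since that context has no escape syntax. Function names and the identifier pattern are my own choices.

```python
"""Context-specific encoders for one stored string, one per output destination (constructed example)."""
import html
import re
from urllib.parse import quote

# JavaScript string-literal escapes; "<" and ">" are hex-escaped so the written
# value can never contain "</script>" and end the script block.
_JS_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\r": "\\r", "\n": "\\n", "\0": "\\x00",
    "<": "\\x3c", ">": "\\x3e", "&": "\\x26",
}
# Assumed identifier rule: letter or underscore, then up to 63 word characters.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

def to_html(s):
    """1. HTML text or quoted attribute: entity-encode & < > " ' and keep line breaks."""
    s = s.replace("\0", "")
    return html.escape(s, quote=True).replace("\r\n", "<br>").replace("\n", "<br>")

def to_script(s):
    """2. Inside a quoted JavaScript string literal."""
    return "".join(_JS_ESCAPES.get(ch, ch) for ch in s)

def to_sql_quoted(s):
    """3. Inside a single-quoted SQL literal: double the quote (prefer bound parameters)."""
    return s.replace("\0", "").replace("'", "''")

def is_sql_identifier(s):
    """4. Unquoted SQL position (table or column name): validate, because it cannot be escaped."""
    return _IDENT.fullmatch(s) is not None

def to_sql_identifier(s):
    if not is_sql_identifier(s):
        raise ValueError("not a plain SQL identifier: %r" % s)
    return s

def to_url(s):
    """5. Query-string value: percent-encode everything outside the unreserved set."""
    return quote(s, safe="")

def render_all(s):
    """The same stored value, encoded once per destination."""
    return {"html": to_html(s), "script": to_script(s),
            "sql_mark": to_sql_quoted(s), "url": to_url(s)}

if __name__ == "__main__":
    for ctx, out in render_all("O'Brien & \"Co\" <x>\r\n").items():
        print(ctx, out)
```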