eWebEditor and FCKeditor: single-quote filtering for editor content

Source: Internet
Author: User

eWebEditor and FCKeditor are the editors behind the product or content description window on something like 90% of sites. A customer's foreign-trade site was recently almost finished; because the customer has their own product categories, they were to add products themselves from the back end. The customer reported, however, that when adding a product from the back end, the product was not written to the database if the product description was at all complex.

That left us baffled. In our own tests, adding any product or text from the back end succeeded, yet for the customer it did not. Searching for phrases such as "ewebeditor cannot add to the database" gave a partial answer: eWebEditor itself does not filter single quotes, and that causes inserts to fail. So we replaced the editor with FCKeditor, but the problem remained. Was it really a shortcoming of eWebEditor and FCKeditor? Why would one single quotation mark stop a record from being added? That led us to examine the code the submission passes through. We were building the statement as

Sql = "insert into product (title,content) VALUES ('" & Request("Title") & "', '" & Request("Content") & "')"

So we looked at the text the customer had copied into the editor and found that it contained single quotes. That was the cause: a single quote in the submitted editor content changes the SQL statement. Where the intended statement is

insert into product (title,content) VALUES ('content', 'content')

a quote inside the content ends the string literal early, roughly VALUES ('content', 'con'tent'), and the remainder of the content is read as SQL, so the statement contains a serious syntax error. What puzzled us further was that the SQL statement gave no error at all; the operation was even reported as successful. Thinking about it, this is the same mechanism as the ' or '=' back-end intrusion trick that every small-time hacker liked to use back in 2003: the single quote is not filtered, so the SQL executes however the input shapes it and the result comes back as true. We had not expected that writing the program as simply and plainly as possible would itself turn out to be a mistake.

Well, the problem has been found. Before the values go into the SQL statement, the fields have to be filtered and only then passed on; after that the problem does not arise. Below is a very complete SQL security filter function that can be called directly.

Function HTMLEncode(str)
    ' Reconstructed from the page's listing: extraction decoded the HTML entities in the
    ' replacement strings, so lines such as Replace(str, "<", "<") read as no-ops there.
    ' Replace(expr, find, with, start, count, compare): count -1 = every occurrence,
    ' compare 0 = binary (case-sensitive), compare 1 = text (case-insensitive).
    If IsNull(str) Then
        HTMLEncode = ""
        Exit Function
    End If
    str = Replace(str, Chr(0), "", 1, -1, 1)             ' drop NUL bytes
    str = Replace(str, """", "&quot;", 1, -1, 1)          ' double quote
    str = Replace(str, "<", "&lt;", 1, -1, 1)             ' tag delimiters
    str = Replace(str, ">", "&gt;", 1, -1, 1)
    ' The page's listing neutralised script/object/applet with four passes each (three
    ' case-sensitive spellings, then one case-insensitive pass) and each SQL keyword with
    ' one case-insensitive pass, writing one letter of the word as a numeric entity so the
    ' word no longer matches as a tag name or a keyword. One case-insensitive pass per word
    ' with the second letter encoded gives the same coverage; "execute" precedes "exec" and
    ' "nchar" precedes "char" so the shorter word is not matched inside the longer one.
    Dim words, i, w
    words = Array("script", "object", "applet", _
                  "select", "execute", "exec", "join", "union", "where", "insert", _
                  "delete", "update", "like", "drop", "create", "rename", "count", _
                  "chr", "mid", "truncate", "nchar", "char", "alter", "cast", "exists")
    For i = 0 To UBound(words)
        w = words(i)
        str = Replace(str, w, Left(w, 1) & "&#" & Asc(Mid(w, 2, 1)) & ";" & Mid(w, 3), 1, -1, 1)
    Next
    str = Replace(str, "[", "&#91;", 1, -1, 1)            ' square brackets
    str = Replace(str, "]", "&#93;", 1, -1, 1)
    str = Replace(str, "=", "&#61;", 1, -1, 1)            ' equals sign
    str = Replace(str, "'", "&#39;", 1, -1, 1)            ' single quote as an entity
    str = Replace(str, vbCrLf, "<br>", 1, -1, 1)          ' line breaks (exact Chr() code lost in extraction; CR+LF assumed)
    ' Any single quote still present is doubled so it cannot close a SQL string literal.
    HTMLEncode = Replace(str, "'", "''", 1, -1, 1)
End Function
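To make the failure described above and the two ways out of it concrete, here is an added example (not code from the article) in Python with an in-memory SQLite database standing in for the site's back end; SQLite spells a literal quote inside a string as two quotes, just as the filter above does. The table name and columns (product, title, content) are the page's; the sample title and description are constructed and contain a single quote like the customer's pasted text. It shows the page's concatenated insert failing on that input, the same insert succeeding once quotes are doubled, and a parameterized insert that needs no filtering at all.

```python
import sqlite3

# Constructed sample input, standing in for the customer's pasted product
# description: it contains a single quote, which is what broke the insert.
SAMPLE_TITLE = "Valve kit"
SAMPLE_CONTENT = "Manufacturer's spec: 1/2 inch NPT, select grade"


def fresh_db():
    """In-memory SQLite database with the page's product(title, content) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (title TEXT, content TEXT)")
    return conn


def stored_content(conn, title):
    """Read back what actually landed in the table for a title (None if nothing)."""
    row = conn.execute("SELECT content FROM product WHERE title = ?", (title,)).fetchone()
    return row[0] if row else None


def insert_concat(conn, title, content):
    """The page's pattern: Sql = "insert ... VALUES ('" & title & "', '" & content & "')".
    Returns (stored_content, error_message). A quote in the input terminates the
    string literal early and the rest of the text is parsed as SQL."""
    sql = ("INSERT INTO product (title, content) VALUES ('"
           + title + "', '" + content + "')")
    try:
        conn.execute(sql)
        conn.commit()
    except sqlite3.Error as exc:
        return None, str(exc)
    return stored_content(conn, title), None


def double_quotes(value):
    """The one replacement in the page's filter that matters for SQL: each single
    quote becomes two, which is how a literal quote is spelled inside a SQL string."""
    return value.replace("'", "''")


def insert_escaped(conn, title, content):
    """Concatenation kept, but every field passes through double_quotes() first."""
    sql = ("INSERT INTO product (title, content) VALUES ('"
           + double_quotes(title) + "', '" + double_quotes(content) + "')")
    conn.execute(sql)
    conn.commit()
    return stored_content(conn, title)


def insert_parameterized(conn, title, content):
    """Placeholders: the driver hands the values to the engine separately from the
    statement text, so quotes (or anything else) in the input never change the SQL."""
    conn.execute("INSERT INTO product (title, content) VALUES (?, ?)", (title, content))
    conn.commit()
    return stored_content(conn, title)


if __name__ == "__main__":
    stored, err = insert_concat(fresh_db(), SAMPLE_TITLE, SAMPLE_CONTENT)
    print("concatenation:", stored, "error:", err)
    print("doubled quotes:", insert_escaped(fresh_db(), SAMPLE_TITLE, SAMPLE_CONTENT))
    print("parameterized: ", insert_parameterized(fresh_db(), SAMPLE_TITLE, SAMPLE_CONTENT))
```

Two things worth noting from running it. The database does report the broken statement as a syntax error; a page that never checks that error sees exactly the symptom described above, an insert that appears to succeed while nothing is stored. And in classic ASP the equivalent of insert_parameterized is an ADODB.Command whose CommandText uses ? placeholders, with each value attached through cmd.Parameters.Append cmd.CreateParameter(...); once values travel that way the insert no longer depends on HTMLEncode catching every quote, and the keyword rewriting in that function (which also alters legitimate words such as "count" or "select" inside a product description) can be confined to HTML output encoding.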

Article first published at: http://www.seohf.com/seonews/view654.html. Please credit the source when reprinting.
