Ewebeditor and fckeditork Editor single quote filter

Ewebeditor and fckeditork,90% sites are using these two editors as product or content of the description part of the editing window, recently, a customer's foreign trade site is almost finished, because of customer product classification, so that customers themselves in the background to add products, but the customer reflects, When adding a product in the background, the product is not added to the database if the product description is too complex.

At that time, we also very depressed, this is going on, we personally test the background to add any product or text can be successful, but he did not, in the site search related such as "ewebeditor can not add to the database", seems to have found a little answer, Because Ewebeditor itself does not filter single quotes, it causes problems that cannot be added to the database. As a result, we replaced the editor fckeditork, but still not, that is ewebeditor and Fckeditork brought about by the imperfect? Why a simple single quotation mark can not be added to the database, think of here, we think of the analysis of the incoming code, we are using Sql=insert into product (title,content) VALUES (' "&request (" Title ") &" ', ' "&request (" Content ") &" '), so we find the content of the client's copy into the editor, and found that the content contains single quotes, the original, It is because the customer submits the contents of the editor with single quotes that cause our SQL statement to change, which is equivalent to sql=insert into product (title,content) VALUES (' content ', ' content ') into Sql=insert into product (title,content) VALUES (' content ', ' content '), we can see, because this content is a single quotation mark, the SQL statement occurred in the serious writing error, but we also strange, since he was wrong, Why doesn't the SQL statement give you a bad hint? Unexpectedly also will prompt the operation to succeed, thought here, we thought that 2003 years, the universal small hacker likes to use ' or ' = ' The Backstage intrusion law, is to use the SQL execution, does not filter the single quotation mark the bug, causes the SQL how executes, The results are back to true, hehe, did not think, the original thought to write the program as far as possible figure a simple and clear, is also a mistake ah. Well, the problem has been found, after all, before the SQL warehousing, we have to filter the fields and then pass the value, it will not be such a problem, the following is a very perfect SQL security filter function, we can take it directly to the call.

Function HTMLEncode (STR) If Isnull (STR) Then HTMLEncode = "" Exit Function End If STR = Replace (STR,CHR (0), "", 1,-1, 1) str = Replace (str, "" "," "", 1,-1, 1) str = Replace (str, "<", "<", 1,-1, 1) str = Replace (str, ">", ">", 1,-1, 1) str = Replace (str, "script", "script", 1,-1, 0) str = Replace (str, "script", "script", 1,-1, 0) str = Replace (str, "script", "script", 1,-1, 0) str = Replace (str, "script", "script", 1,-1, 1) str = Replace (str, "Object", "Object", 1,-1, 0) str = Replace (str, "Object", "Object", 1,-1, 0) str = Replace (str, "Object", "Object", 1,-1, 0) str = Replace (str, "Object", "Object", 1,-1, 1) str = Replace (str, applet, applet, 1,-1, 0) str = Replace (str, applet, applet, 1,-1, 0) str = Replace (str, applet, applet, 1,-1, 0) str = Replace (str, applet, applet, 1,-1, 1) str = Replace (str, "[", "[") str = Replace (str, "]", "]") str = Replace (str, "" "", "", 1,-1, 1) str = Replace (str, "=", "=", 1,-1, 1) str = Replace (str, "'", "" ", 1,-1, 1) str = Replace (str, "select", "select", 1,-1, 1) str = Replace (str, "Execute", "execute", 1,-1, 1) str = Replace (str, "exec", "exec", 1,-1, 1) str = Replace (str, "join", "join", 1,-1, 1) str = Replace (str, "union", "union", 1,-1, 1) str = Replace (str, "where", "where", 1,-1, 1) str = Replace (str, INSERT, INSERT, 1,-1, 1) str = Replace (str, "delete", "delete", 1,-1, 1) str = Replace (str, "Update", "Update", 1,-1, 1) str = Replace (str, "like", "like", 1,-1, 1) str = Replace (str, "Drop", "drop", 1,-1, 1) str = Replace (str, "create", "create", 1,-1, 1) str = Replace (str, "rename", "Rename", 1,-1, 1) str = Replace (str, "Count", "Count", 1,-1, 1) str = Replace (str, "CHR", "Chr", 1,-1, 1) str = Replace (str, "Mid", "mid", 1,-1, 1) str = Replace (str, "truncate", "truncate", 1,-1, 1) str = Replace (str, "nchar", "nchar", 1,-1, 1) str = Replace (str, "char", "char", 1,-1, 1) str = Replace (str, "ALTER", "Alter", 1,-1, 1) str = Replace (str, "cast", "cast", 1,-1, 1) str = Replace (str, "exists", "exists", 1,-1, 1) STR = Replace (STR,CHR), <br>, 1,-1, 1) HTMLEncode = Replace (Str, "'", "" ", 1,-1, 1) End Function

Article starting: http://www.seohf.com/seonews/view654.html If you need to reprint, please indicate the source.