eWebEditor and FCKeditor are used on 90% of sites as the editing window for product or content descriptions. A customer's foreign-trade site was recently almost finished. Because of the customer's product classification, the customer adds products in the back end themselves, but they reported that when adding a product in the back end, the product was not written to the database if the product description was too complex.
We were puzzled at first: when we tested the back end ourselves, any product or text could be added successfully, but the customer's could not. Searching the web for phrases like "ewebeditor can not add to the database" gave a partial answer: eWebEditor itself does not filter single quotes, which causes inserts into the database to fail. So we swapped the editor for FCKeditor, and it still failed. Was it really a defect of eWebEditor and FCKeditor? Why should a single quotation mark stop a record from being added? That led us to analyse the code that receives the submission. We were using Sql="insert into product (title,content) VALUES ('"&request("Title")&"','"&request("Content")&"')", so we looked at the text the customer had pasted into the editor and found that it contained single quotes. That was the cause: the single quotes the customer submits through the editor change our SQL statement. A statement meant to be insert into product (title,content) VALUES ('content','content') becomes one in which a quote inside the content closes the string literal early, so the rest of the content is read as SQL and the statement has a serious syntax error. We were still surprised, though: since the statement was wrong, why did it not give an error, and even report that the operation succeeded? That reminded us of 2003, when novice hackers liked to use ' or ''=' to break into back ends: it relies on the single quote not being filtered, so the SQL still executes and the condition evaluates to true. We had not expected that writing the program as simply and plainly as possible would itself be a mistake.
So the problem was found. Had we filtered the fields before passing their values into the SQL insert, it would not have occurred. Below is a very thorough SQL security filter function that can be called directly.
The code is as follows:
Function HTMLEncode(str)
    If IsNull(str) Then
        HTMLEncode = ""
        Exit Function
    End If
    ' Replace(expr, find, with, start, count, compare): compare 1 = case-insensitive, 0 = binary.
    ' Strip NUL bytes, then HTML-encode the characters that break markup.
    str = Replace(str, Chr(0), "", 1, -1, 1)
    str = Replace(str, """", "&quot;", 1, -1, 1)
    str = Replace(str, "<", "&lt;", 1, -1, 1)
    str = Replace(str, ">", "&gt;", 1, -1, 1)
    ' Break up risky tag names by writing one letter as a numeric character reference.
    ' The entities in these replacements were decoded by the page rendering and are restored here;
    ' the final case-insensitive pass of each group already covers the three case-sensitive ones.
    str = Replace(str, "script", "s&#99;ript", 1, -1, 0)
    str = Replace(str, "SCRIPT", "S&#67;RIPT", 1, -1, 0)
    str = Replace(str, "Script", "S&#99;ript", 1, -1, 0)
    str = Replace(str, "script", "s&#99;ript", 1, -1, 1)
    str = Replace(str, "object", "o&#98;ject", 1, -1, 0)
    str = Replace(str, "OBJECT", "O&#66;JECT", 1, -1, 0)
    str = Replace(str, "Object", "O&#98;ject", 1, -1, 0)
    str = Replace(str, "object", "o&#98;ject", 1, -1, 1)
    str = Replace(str, "applet", "a&#112;plet", 1, -1, 0)
    str = Replace(str, "APPLET", "A&#80;PLET", 1, -1, 0)
    str = Replace(str, "Applet", "A&#112;plet", 1, -1, 0)
    str = Replace(str, "applet", "a&#112;plet", 1, -1, 1)
    str = Replace(str, "[", "&#91;")
    str = Replace(str, "]", "&#93;")
    str = Replace(str, """", "&#34;", 1, -1, 1)   ' no-op after the &quot; pass above
    str = Replace(str, "=", "&#61;", 1, -1, 1)
    ' Single quotes are doubled once, at the end of the function; doing it here as well
    ' (as the page's rendering showed) would turn each quote into four.
    ' Defang SQL keywords the same way as the tag names (case-insensitive).
    str = Replace(str, "select", "sel&#101;ct", 1, -1, 1)
    str = Replace(str, "execute", "ex&#101;cute", 1, -1, 1)
    str = Replace(str, "exec", "ex&#101;c", 1, -1, 1)
    str = Replace(str, "join", "jo&#105;n", 1, -1, 1)
    str = Replace(str, "union", "un&#105;on", 1, -1, 1)
    str = Replace(str, "where", "wh&#101;re", 1, -1, 1)
    str = Replace(str, "insert", "in&#115;ert", 1, -1, 1)
    str = Replace(str, "delete", "del&#101;te", 1, -1, 1)
    str = Replace(str, "update", "up&#100;ate", 1, -1, 1)
    str = Replace(str, "like", "l&#105;ke", 1, -1, 1)
    str = Replace(str, "drop", "dr&#111;p", 1, -1, 1)
    str = Replace(str, "create", "cr&#101;ate", 1, -1, 1)
    str = Replace(str, "rename", "re&#110;ame", 1, -1, 1)
    str = Replace(str, "count", "co&#117;nt", 1, -1, 1)
    str = Replace(str, "chr", "c&#104;r", 1, -1, 1)
    str = Replace(str, "mid", "m&#105;d", 1, -1, 1)
    str = Replace(str, "truncate", "trunc&#97;te", 1, -1, 1)
    str = Replace(str, "nchar", "nch&#97;r", 1, -1, 1)
    str = Replace(str, "char", "ch&#97;r", 1, -1, 1)
    str = Replace(str, "alter", "alt&#101;r", 1, -1, 1)
    str = Replace(str, "cast", "ca&#115;t", 1, -1, 1)
    str = Replace(str, "exists", "ex&#105;sts", 1, -1, 1)
    ' Carriage returns become line breaks (the Chr argument was lost in the page rendering; 13 assumed).
    str = Replace(str, Chr(13), "<br>", 1, -1, 1)
    ' Double single quotes so a value cannot terminate the SQL string literal early.
    HTMLEncode = Replace(str, "'", "''", 1, -1, 1)
End Function
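As an added example (not the article's code), the same failure reproduced in Python against an in-memory SQLite table standing in for the product table: the concatenated INSERT breaks on a quote, doubling the quote as the filter above does makes it a valid literal again, and a parameterised query (in classic ASP, ADODB.Command with CreateParameter) makes both that and the ' or ''=' condition the article recalls harmless. The admin table, column names and sample values are constructed for the demonstration.

```python
import sqlite3

def setup():
    """In-memory stand-in for the site's product table plus an admin table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (title TEXT, content TEXT)")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', 'constructed-secret')")
    return conn

def insert_concat(conn, title, content):
    """The article's pattern: SQL text glued together from the request values.
    Returns False when a quote inside the data turns the statement into invalid SQL."""
    sql = ("INSERT INTO product (title, content) VALUES ('"
           + title + "', '" + content + "')")
    try:
        conn.execute(sql)
        return True
    except sqlite3.OperationalError:
        return False

def insert_escaped(conn, title, content):
    """What the filter function does for quotes: double every ' before concatenating.
    This only helps because the value sits inside a quoted string literal."""
    return insert_concat(conn, title.replace("'", "''"), content.replace("'", "''"))

def insert_param(conn, title, content):
    """Parameterised form: values travel separately from the SQL text, so a quote is
    just data. The classic ASP equivalent is ADODB.Command with CreateParameter."""
    conn.execute("INSERT INTO product (title, content) VALUES (?, ?)", (title, content))
    return True

def stored_content(conn):
    """Read back the most recently written product.content (None if nothing was written)."""
    row = conn.execute("SELECT content FROM product ORDER BY rowid DESC LIMIT 1").fetchone()
    return None if row is None else row[0]

def login_concat(conn, username, password):
    """Concatenated WHERE clause: the ' or ''=' input the article recalls makes it true
    for any account, because the trailing ''='' is a condition that always holds."""
    sql = ("SELECT COUNT(*) FROM admin WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_param(conn, username, password):
    """Same query with placeholders: the input is compared as a literal string."""
    row = conn.execute("SELECT COUNT(*) FROM admin WHERE username=? AND password=?",
                       (username, password)).fetchone()
    return row[0] > 0
```

The doubled-quote escape only protects a value that sits inside a quoted string literal; a numeric field or an ORDER BY column gets nothing from it, which is why the parameterised form is the one to keep.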