Security | Data | Database | Display | Security
For example, there is a field styledesc; the data requirement is 50 characters, char type. Can I limit only its length to 50 and leave everything else unrestricted,
so that any character can be entered, as long as it is char type and the database allows it?
That way it is written safely to the database, and read back and displayed normally in different contexts and applications.
How should this be done?
Below are a few points I have summarized. They are very likely wrong; please correct me.
If the user's input may be any character (apart from a particular field's own input restrictions, such as input length, input type, etc.),
that is, input is restricted as little as possible.
For a string str, it can be output in the following directions:
1. Output into HTML: Function fn_chk_to_html(Str)
2. Output into a script (e.g. javascript): Function fn_chk_to_script(Str)
3. Output into an SQL statement, where the statement wraps the string Str in two single quotes '':
Function fn_chk_to_sql_mark(Str)
4. Output into an SQL statement where Str is not wrapped in single quotes: Function fn_chk_to_sql_go(Str)
5. Output into a URL: Function fn_chk_to_url(Str)
<%
Function fn_chk_to_html(Str)
    ' e.g. when request("styledesc") is written into an HTML attribute such as an <input> value
    If IsNull(Str) Then
        fn_chk_to_html = ""
        Exit Function
    End If
    Str = Trim(Str)
    Str = Replace(Str, Chr(0), "", 1, -1, 1)
    ' & must be encoded first, otherwise the entities produced below would be encoded again
    Str = Replace(Str, "&", "&amp;", 1, -1, 1)
    ' entity targets restored here; the posted copy had them decoded back to the original characters
    Str = Replace(Str, """", "&quot;", 1, -1, 1)
    Str = Replace(Str, "'", "&#39;", 1, -1, 1)
    Str = Replace(Str, "<", "&lt;", 1, -1, 1)
    Str = Replace(Str, ">", "&gt;", 1, -1, 1)
    Str = Replace(Str, vbCrLf, "<br>", 1, -1, 1)
    fn_chk_to_html = Str
End Function
%>
<%
Function fn_chk_to_script(Str)
    ' e.g. response.write "<script>alert('" & request("styledesc") & "');</script>"
    If IsNull(Str) Then
        fn_chk_to_script = ""
        Exit Function
    End If
    Str = Trim(Str)
    ' backslash first, so the escapes added below are not doubled
    Str = Replace(Str, "\", "\\", 1, -1, 1)
    Str = Replace(Str, """", "\""", 1, -1, 1)
    Str = Replace(Str, "'", "\'", 1, -1, 1)
    ' CR and LF must both go: a bare line break ends a JavaScript string literal
    Str = Replace(Str, vbCrLf, "\n", 1, -1, 1)
    Str = Replace(Str, Chr(13), "\n", 1, -1, 1)
    Str = Replace(Str, Chr(10), "\n", 1, -1, 1)
    ' a literal </script> inside the string would otherwise end the script element
    Str = Replace(Str, "</", "<\/", 1, -1, 1)
    fn_chk_to_script = Str
End Function
%>
<%
Function fn_chk_to_sql_mark(Str)
    ' e.g. sql = "select * from style where styledesc like '" & request("styledesc") & "'"
    If IsNull(Str) Then
        fn_chk_to_sql_mark = ""
        Exit Function
    End If
    Str = Trim(Str)
    ' doubling the quote keeps it inside the string literal;
    ' note that LIKE wildcards (% and _) in Str still act as wildcards
    Str = Replace(Str, "'", "''", 1, -1, 1)
    fn_chk_to_sql_mark = Str
End Function
%>
<%
Function fn_chk_to_sql_go(Str)
    ' e.g. sql = "select * from " & request("table")  ??
    If IsNull(Str) Then
        fn_chk_to_sql_go = ""
        Exit Function
    End If
    Str = Trim(Str)
    Str = Replace(Str, Chr(0), "", 1, -1, 1)
    ' entity targets restored here; the posted copy had them decoded back to the original characters
    Str = Replace(Str, """", "&quot;", 1, -1, 1)
    Str = Replace(Str, "'", "&#39;", 1, -1, 1)
    Str = Replace(Str, "<", "&lt;", 1, -1, 1)
    Str = Replace(Str, ">", "&gt;", 1, -1, 1)
    Str = Replace(Str, "[", "&#91;", 1, -1, 1)
    Str = Replace(Str, "]", "&#93;", 1, -1, 1)
    Str = Replace(Str, "\", "&#92;", 1, -1, 1)
    Str = Replace(Str, "*", "&#42;", 1, -1, 1)
    Str = Replace(Str, "%", "&#37;", 1, -1, 1)
    Str = Replace(Str, ";", "&#59;", 1, -1, 1)
    Str = Replace(Str, vbCrLf, "<br>", 1, -1, 1)
    Str = Replace(Str, "--", "&#45;&#45;", 1, -1, 1)
    fn_chk_to_sql_go = Str
End Function
%>
<%
Function fn_chk_to_url(Str)
    ' e.g. str = "<img src='showimg.asp?id=" & request("id") & "'>"
    If IsNull(Str) Then
        fn_chk_to_url = ""
        Exit Function
    End If
    Str = Trim(Str)
    ' percent-encodes everything outside the unreserved set (a space becomes +)
    Str = Server.URLEncode(Str)
    ' the posted copy assigned to fn_chk_to_sql_mark here, so the result was never returned
    fn_chk_to_url = Str
End Function
%>
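As an added example that is not part of the original post: for cases 3 and 4, the usual alternative to escaping is to bind the quoted value as an ADODB.Command parameter and to accept an unquoted identifier (the table name) only from a fixed allowlist; case 1 then goes through Server.HTMLEncode. SQL Server as the backend, the Application("ConnString") setting and the table names style and style_archive are assumptions.

```vbscript
<%
Option Explicit
' Assumed: SQL Server behind ADODB, connection string in Application("ConnString")
Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")
' Case 4 (unquoted identifier): an identifier cannot be escaped, only matched
' against a fixed allowlist. Returns "" for anything not on the list.
Function fn_safe_table(Str)
    Dim allowed, i
    allowed = Array("style", "style_archive")   ' assumed table names
    fn_safe_table = ""
    For i = 0 To UBound(allowed)
        If LCase(Trim(Str & "")) = allowed(i) Then fn_safe_table = allowed(i)
    Next
End Function
' Case 3 (quoted value): bind the value with ADODB.Command instead of quoting it,
' so no quote-doubling is needed. LIKE wildcards are data here, so %, _ and [
' are bracket-escaped (SQL Server syntax). 200 = adVarChar, 1 = adParamInput.
Function fn_find_style(conn, tbl, styledesc)
    Dim cmd, pattern
    pattern = Trim(styledesc & "")
    pattern = Replace(pattern, "[", "[[]")
    pattern = Replace(pattern, "%", "[%]")
    pattern = Replace(pattern, "_", "[_]")
    pattern = "%" & pattern & "%"
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1   ' adCmdText
    cmd.CommandText = "SELECT styledesc FROM " & tbl & " WHERE styledesc LIKE ?"
    cmd.Parameters.Append cmd.CreateParameter("p_desc", 200, 1, Len(pattern), pattern)
    Set fn_find_style = cmd.Execute
End Function
Dim tbl, rs
tbl = fn_safe_table(Request("table"))
If tbl = "" Then
    Response.Write "unknown table"
Else
    Set rs = fn_find_style(conn, tbl, Request("styledesc"))
    Do Until rs.EOF
        ' Case 1 (HTML): HTMLEncode covers & < > " but leaves ' alone, so keep attribute values double-quoted
        Response.Write Server.HTMLEncode(rs("styledesc") & "") & "<br>"
        rs.MoveNext
    Loop
    rs.Close
End If
conn.Close
%>
```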