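<%@ LANGUAGE = VBScript.Encode %>
<%
' Detail page for one student's academic-competition honour.
' Reads T_Id from the query string, loads the matching `student` row into the
' page-level recordset `rs`, and leaves `rs` / `my_conn` open for the template
' that follows (the page footer closes them).

Dim my_conn, rs, cmd, qs, ID_Num, ID_Value, found

Set my_conn = Server.CreateObject("ADODB.Connection")
my_conn.Open "dsn=zhzxdsn;uid=;pwd=;"

' Request-level guards carried over from the original page.  They are defence
' in depth only: the actual protection is the digit-only whitelist on T_Id and
' the bound query parameter further down.
qs = LCase(Request.ServerVariables("query_string"))
If Len(qs) > 17 Then
    my_conn.Close
    Response.write ""
    Response.end
End If
If InStr(qs, "select") > 0 Or InStr(qs, "from") > 0 Then
    my_conn.Close
    Response.write ""
    Response.end
End If

' True when s is a non-empty string made only of ASCII digits.
Function IsDigitsOnly(s)
    Dim i
    IsDigitsOnly = False
    If Len(s) = 0 Then Exit Function
    For i = 1 To Len(s)
        If InStr("0123456789", Mid(s, i, 1)) = 0 Then Exit Function
    Next
    IsDigitsOnly = True
End Function

' Replace CRLF line breaks in the given text with the page's line-break string
' so a multi-line T_Message keeps its breaks.  A Null value (no message stored)
' yields "" instead of an error.
Function FormatStr(String)
    If IsNull(String) Then
        FormatStr = ""
        Exit Function
    End If
    FormatStr = Replace(String, Chr(13) & Chr(10), "
")
End Function

' T_Id must be a non-empty run of digits.  This whitelist replaces the old
' keyword blacklist, which could not make the concatenated SQL safe and also
' mangled legitimate values (it deleted every "in", "is", "or", ... fragment).
ID_Num = Trim("" & Request.QueryString("T_Id"))
If Not IsDigitsOnly(ID_Num) Then
    ' Same response the original page gave for an id that was emptied by the
    ' blacklist.
    ' NOTE(review): the two literals below span several lines in this copy of
    ' the file; confirm them against the original source before deploying.
    my_conn.Close
    Response.write("

该信息不存在或您使用了非法方式访问

")
    Response.write "

返回

"
    Response.end()
End If

' From here on, failures (CLng overflow, ODBC errors) are handled explicitly
' through Err.Number instead of being silently skipped and then dereferenced.
On Error Resume Next
Set rs = Nothing
found = False

' Values above 2147483647 overflow CLng; the Err check below treats that as
' "not found" rather than sending an unbounded literal to the database.
ID_Value = CLng(ID_Num)

If Err.Number = 0 Then
    ' The original query compared T_id with an unquoted literal, so the column
    ' is assumed numeric and bound as adInteger — adjust the type constant if
    ' the column is not a long integer.  SELECT * is kept because the template
    ' reads several T_* columns and the full list is not visible here.
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = my_conn
    cmd.CommandType = 1                                     ' adCmdText
    cmd.CommandText = "SELECT * FROM student WHERE T_id = ?"
    cmd.Parameters.Append cmd.CreateParameter("T_id", 3, 1, , ID_Value)   ' adInteger, adParamInput
    Set rs = cmd.Execute
    If Err.Number = 0 And Not rs Is Nothing Then
        found = Not (rs.eof Or rs.bof)
    End If
End If

' No matching row, or any error on the way: finish without data, releasing
' the recordset and connection exactly as the original eof/bof branch did.
If Not found Then
    Response.write ""
    If Not rs Is Nothing Then rs.Close
    Set rs = Nothing
    my_conn.close
    Set my_conn = Nothing
    response.end
End If
%>
镇海中学学科竞赛荣誉榜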
<% '### Show the award photo when this row has one (T_photo non-empty)
if trim(rs("T_photo"))<>"" then '#### all photo files are kept under student\ %> <%end if%>
<%' NOTE(review): the column values below are written without Server.HTMLEncode, so any markup stored in the student row reaches the browser as-is; acceptable only if that table holds trusted, staff-entered content — confirm. %>
<%=rs("T_year")%> 年<%=rs("T_name")%><%=rs("T_Subject")%>中获<%=trim(rs("T_dengji"))%> <%if rs("T_dengji1")<>"其他" then response.Write(rs("T_dengji1"))%> 荣誉
 
  <%=FormatStr(rs("T_Message"))%>


<%
' Page footer: release the recordset and the connection opened at the top of
' the page, then stop processing.  Close before dropping the reference so the
' underlying ODBC resources are freed immediately.
rs.Close
Set rs = Nothing
my_conn.Close
Set my_conn = Nothing
Response.End
%>