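<%@ LANGUAGE = VBScript.Encode %>
<%
'####### This page renders the detail view of one teacher honour record.
'
' Request handling, in order:
'   1. coarse pre-filters on the raw query string (length, obvious SQL keywords),
'      kept from the original page for compatibility;
'   2. allow-list validation of the single parameter T_Id (decimal digits only),
'      which replaces the former chain of Replace() calls - a blacklist can never
'      be complete and it also mangled legitimate input;
'   3. only then is the database connection opened, so rejected requests never
'      touch the database.
Dim my_conn
Dim ID_Num
Dim query_string

query_string = Request.ServerVariables("query_string")

' Pre-filter 1: over-long query strings are rejected before anything else.
If Len(query_string) > 47 Then
    Response.write ""
    Response.end
End If

' Pre-filter 2: query strings mentioning "select" or "from" are rejected.
' Coarse by design; the digit allow-list below is the control that matters.
If InStr(LCase(query_string), "select") > 0 Or InStr(LCase(query_string), "from") > 0 Then
    Response.write ""
    Response.end
End If

' Allow-list validation: T_Id must be a non-empty run of digits (an empty value
' was already a rejection on the original page). Surrounding whitespace is ignored.
ID_Num = Trim(Request.QueryString("T_Id"))
If Not IsDigitString(ID_Num) Then
    Response.write ""
    Response.end
End If

' NOTE(review): uid/pwd are empty, so the credentials live in the DSN; confirm that
' account has no more than read access to the tables this page needs.
Set my_conn = Server.CreateObject("ADODB.Connection")
my_conn.Open "dsn=zhzxdsn;uid=;pwd=;"

' Returns True when s is a non-empty string consisting only of the characters 0-9.
' Length is capped at 10 digits, which is all the 15-character query-string limit
' enforced further down this page can carry after "T_Id=".
Function IsDigitString(s)
    Dim pos
    IsDigitString = False
    If Len(s) = 0 Or Len(s) > 10 Then Exit Function
    For pos = 1 To Len(s)
        If InStr("0123456789", Mid(s, pos, 1)) = 0 Then Exit Function
    Next
    IsDigitString = True
End Function

' Formatter for the honour text. The CHR(10) -> line-break replacement that the
' name suggests is disabled in the original page, so this returns its input unchanged.
' The parameter name shadows VBScript's built-in String() inside this function; it is
' kept as-is for caller compatibility.
' NOTE(review): the result is written into the HTML unencoded by the caller;
' Server.HTMLEncode is the place to address that if T_Message is not trusted markup.
Function FormatStr(String)
    ' String = Replace(String, CHR(10), "<br>")   -- disabled in the original page
    FormatStr = String
End Function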
'''''#################################
'''###2005.01.09抵御攻击之一
''''#####以下控制脚本后所带的参数超过长度
' Second, tighter cap on the raw query string: a single short id parameter
' never needs more than 15 characters, so anything longer is refused outright.
Dim qs_len
qs_len = Len(Request.ServerVariables("query_string"))
If qs_len > 15 Then
    Response.write "程序强行终止"
    Response.end
End If
''''''''################################
'''''''################################
'''''''以下控制脚本后所带的参数是否含有字符select和from
'if instr(lcase(Request.ServerVariables("query_string")),"select")>0 or instr(lcase(Request.ServerVariables("query_string")),"from")>0 then
' response.write "不受欢迎地使用"
' response.end
'end if
''''''#########################################
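' Look up the teacher record by id.
' The id is bound as a typed parameter through ADODB.Command instead of being
' concatenated into the SQL text, so the parameter value can never alter the
' statement. T_id is compared unquoted in the original statement, i.e. it is
' numeric, so the value is range-checked as a 32-bit integer before binding.
' TODO(review): replace SELECT * with the explicit column list once every
' rs("...") reference on this page has been confirmed.
Dim id_ok, id_value, lookup_cmd
id_ok = IsNumeric(ID_Num)
If id_ok Then
    id_value = CDbl(ID_Num)
    ' VBScript does not short-circuit, so the numeric checks stay inside this branch.
    id_ok = (Abs(id_value) <= 2147483647 And id_value = Fix(id_value))
End If
If Not id_ok Then
    '### the id is not a valid integer: same empty response as the "no record" path
    Response.write ""
    my_conn.close
    Set my_conn = Nothing
    Response.end
End If

Set lookup_cmd = Server.CreateObject("ADODB.Command")
Set lookup_cmd.ActiveConnection = my_conn
lookup_cmd.CommandType = 1                                   ' adCmdText
lookup_cmd.CommandText = "SELECT * FROM teacher where T_id=?"
lookup_cmd.Parameters.Append lookup_cmd.CreateParameter("T_id", 3, 1, , CLng(id_value))   ' adInteger, adParamInput
Set rs = lookup_cmd.Execute

If rs.eof Or rs.bof Then
    '### no matching record; the response body markup was stripped from this copy
    ' intended user message (disabled in the original): 该信息不存在或您使用了非法方式访问
    Response.write ""
    Set rs = Nothing
    my_conn.close
    Set my_conn = Nothing
    Response.end
End If
' NOTE(review): the column values below are written into the HTML unencoded;
' Server.HTMLEncode would be the mitigation if these fields can hold markup.
%><%=rs("T_year")%> 年 <%=rs("T_name")%> 获 <%=rs("T_Subject")%> |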
<% '###以下显示获奖图片 if trim(rs("T_photo"))<>"" then '####有图片一律在teacher\ %> |
<%=FormatStr(rs("T_Message"))%> |