html 过滤都什么时候过滤 - 编程论坛

#2

multiple19022008-05-14 21:35

表述不清

#3

inhe2008-05-15 11:17

回复 1# 的帖子

我加了下面这段代码之后，发布的一些脚本都显示出了，没起作用？不加倒不显示，谢谢各位高手，指点一下
function filthtml(InString)
    NewStr=Replace(InString,"'","''")
    NewStr=Replace(NewStr,"<","&lt")
    NewStr=Replace(NewStr,">","&gt")
    NewStr=Replace(NewStr,"chr(60)","<")
    NewStr=Replace(NewStr,"chr(37)",">")
    NewStr=Replace(NewStr,"""","&quot")
    NewStr=Replace(NewStr,";",";;")
    NewStr=Replace(NewStr,"--","-")
    NewStr=Replace(NewStr,"/*"," ")
    NewStr=Replace(NewStr,"%"," ")
    filthtml=NewStr
end function

#4

hmhz2008-05-15 11:45

这个只是替换了非法字符，并不是清除非法字符
清除非法字符应该这样写
function filthtml(InString)
    NewStr=Replace(InString,"'","")
    NewStr=Replace(NewStr,"<","")
    NewStr=Replace(NewStr,">","")
    NewStr=Replace(NewStr,"chr(60)","")
    NewStr=Replace(NewStr,"chr(37)","")
    NewStr=Replace(NewStr,"""","")
    NewStr=Replace(NewStr,";","")
    NewStr=Replace(NewStr,"--","")
    NewStr=Replace(NewStr,"/*","")
    NewStr=Replace(NewStr,"%","")
    filthtml=NewStr
end function

#5

heyufu2008-05-15 15:50

#6

inhe2008-05-21 14:55

回复 4# 的帖子

用上这段代码是不是就可以起到防范一些非法攻击了？
谢谢，非常感谢！

#7

live142008-05-21 21:16

是

#8

live142008-05-21 21:21

NewStr=Replace(NewStr,"<","") ------把<替换成空
这个可以防止表单写入<script>这样的东西，如果不过滤，那读出来的时候就可能输出脚本。
NewStr=Replace(InString,"'","")-----把单引号替换成空
往往很多SQL注入都需要单引号帮忙