<%
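'=========================================================================
' Request blacklist filter (runs on every page that includes this file).
' Every query-string value and every form value is scanned for a fixed list
' of SQL / OS-command fragments; on a hit a JS alert is emitted and the
' response is ended.
'
' SECURITY NOTE (review): a blacklist is not a defence against SQL injection.
' It is bypassed with comments (sel/**/ect), tabs or other whitespace, and
' encodings ASP does not decode here. Treat it as a speed bump only; the real
' protection must be escaping at every query site (see sqlstr / isnumber
' below). It also rejects legitimate text containing " or ", "delete", ":"
' etc., so do not widen it further.
'
' Fixes vs the original: matching is case-insensitive (the original used
' binary InStr, so "SELECT " passed straight through); the "insert 20" typo
' is "insert "; and the form patterns use literal spaces, because Request.Form
' values are already URL-decoded by ASP, so the original "select%20"-style
' patterns could never match and that half of the filter was effectively dead.
'=========================================================================
dim fx, fstr, fpat
dim fqs_patterns, fform_patterns
' Fragments rejected in query-string values.
fqs_patterns = Array("'", "select ", "net user", "xp_cmdshell", "/add", _
    "exec master.dbo.xp_cmdshell", "net localgroup administrators", "%", _
    "delete", "insert ", "delete from", "count(", "drop table", "update ", _
    "truncate ", "asc(", "mid(", "char(", ":", " or ", " and ")
' Fragments rejected in form values. Deliberately narrower than the
' query-string list: single quotes are allowed in posted text (they are
' neutralised at the query by sqlstr), and "%", ":" and " and " are not checked.
fform_patterns = Array("select ", "net user", "xp_cmdshell", "/add", _
    "exec master.dbo.xp_cmdshell", "net localgroup administrators", _
    "delete", "insert ", "delete from", "count(", "drop table", "update ", _
    "truncate ", "asc(", "mid(", "char(", " or ")

for each fx in request.QueryString()
    fstr = request.QueryString(fx)
    ' Catch a double-encoded quote as well as a literal one.
    fstr = replace(fstr, "%27", "'")
    for each fpat in fqs_patterns
        ' vbTextCompare: case-insensitive, so SELECT / Select / select all match.
        if InStr(1, fstr, fpat, vbTextCompare) > 0 then
            response.Write("<script>alert('请不要输入特殊字符!');window.close()</script>")
            response.End()
        end if
    next
next

for each fx in request.Form()
    fstr = request.Form(fx)
    fstr = replace(fstr, "%27", "'")
    ' Full-width quote substitution on the local copy only: Request.Form is
    ' read-only, so this does NOT sanitise the value the page will later use.
    fstr = replace(fstr, "'", "‘")
    for each fpat in fform_patterns
        if InStr(1, fstr, fpat, vbTextCompare) > 0 then
            response.Write("<script>alert('请不要输入特殊字符!');window.close()</script>")
            response.End()
        end if
    next
next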
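' Open the shared ODBC/Jet connection used by every helper below, and build
' today's date label in the form yyyy年mm月dd日 (global sj).
dim conn
dim connstr
'on error resume next
' NOTE (review): the .mdb is resolved from a virtual path, i.e. it lives inside
' the web-served tree. Confirm IIS never serves *.mdb from \guanli\data\, or the
' whole database is downloadable by URL.
' "&" is the VBScript string-concatenation operator; the original used "+",
' which is overloaded for arithmetic and silently coerces numeric-looking text.
connstr = "DBQ=" & server.mappath("\guanli\data\system.mdb") & ";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
set conn = server.createobject("ADODB.CONNECTION")
conn.open connstr
dim nowtime
nowtime = now()
' Month and day are zero-padded to two digits via Right("0" & n, 2).
' sj is intentionally left undeclared (as in the original) so pages that
' include this file and Dim their own sj do not hit "Name redefined".
sj = cstr(year(nowtime)) & "年" & right("0" & cstr(month(nowtime)), 2) & "月" & right("0" & cstr(day(nowtime)), 2) & "日"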
'#########################################################################
' Return the next free id for table m_id_t: highest existing id + 1, or 1 for
' an empty table.
' CAVEATS (review): (1) this is a read-then-insert sequence, not an atomic
' allocation — two concurrent requests can be handed the same id; an
' AutoNumber column is the robust alternative. (2) m_id_t is spliced straight
' into the SQL text, so it must only ever be a literal table name from code,
' never anything derived from the request.
function m_id(m_id_t)
    m_id = 1
    set m_id_rs = conn.execute("select top 1 id from " & m_id_t & " order by id desc")
    if not m_id_rs.eof then
        m_id = m_id_rs("id") + 1
    end if
    m_id_rs.close
    set m_id_rs = nothing
end function
'#########################################################################
' Escape a value for embedding inside a single-quoted SQL string literal by
' doubling every single quote (the Jet/ODBC escape; backslash is not special).
' Only correct inside '...' — it does nothing for numeric positions (use
' isnumber / CLng) or for identifiers (never interpolate those from input).
function sqlstr(sql_str)
    ' start=1, count=-1 (all occurrences), binary comparison: same as the
    ' three-argument Replace, spelled out.
    sqlstr = Replace(sql_str, "'", "''", 1, -1, vbBinaryCompare)
end function
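' Look up the id of the class row whose cname equals subname_name and cwar=1.
' On no match the response is aborted with a "do not access this site
' maliciously" page, so callers only ever receive a valid id.
' subname_name is escaped with sqlstr before being placed inside the quoted
' literal, which is what makes the concatenation safe for string input.
' Fixes vs original: (1) VBScript passes arguments ByRef by default, and the
' original assigned the escaped text back to the parameter, so the CALLER's
' variable came back with doubled quotes (furl then printed it as link text);
' the escaped copy is now a local. (2) The alert said 恶心 (disgusting) where
' the rest of the message says 恶意 (malicious).
function subname(subname_name)
    dim escaped_name
    escaped_name = sqlstr(subname_name)
    set rs = conn.execute("Select id from class where cname='" & escaped_name & "' and cwar=1")
    if rs.eof then
        rs.close
        set rs = nothing
        response.write "<script language=javascript>alert('请不要恶意访问本站');</script>请不要恶意访问本网站"
        response.end
    else
        subname = rs(0)
        rs.close
        set rs = nothing
    end if
end function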
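' Return the cname of the class row with the given id, or "" when no such row
' exists.
' Fixes vs original: (1) namesub_1 was interpolated raw into the SQL text —
' an injection point whenever a caller passes a request value. It now goes
' through the file's own isnumber() guard (which aborts the response on a
' non-numeric value) and is normalised with CLng so only a plain integer
' literal ever reaches the query. (2) rs(0) was read unconditionally, which
' raised a runtime error for an unknown id; that case now yields "".
function namesub(namesub_1)
    dim class_id
    namesub = ""
    class_id = CLng(isnumber(namesub_1))
    set rs = conn.execute("Select cname from class where id=" & class_id)
    if not rs.eof then
        namesub = rs(0)
    end if
    rs.close
    set rs = nothing
end function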
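' Return isnumber_id unchanged when VBScript's IsNumeric accepts it; otherwise
' abort the response with a "do not access this site maliciously" page.
' Intended as the guard before a value is concatenated into SQL in a numeric
' position (see namesub).
' NOTE: IsNumeric accepts more than plain digits (signs, decimals, exponents
' such as "1e5", hex such as "&HFF", surrounding blanks). None of those can
' carry SQL syntax, but callers that need an integer should still CLng() the
' result rather than concatenating the raw text.
' Fixes vs original: the redundant "= true" comparison is dropped, and the
' alert said 恶心 (disgusting) where the accompanying text says 恶意 (malicious).
function isnumber(isnumber_id)
    if isnumeric(isnumber_id) then
        isnumber = isnumber_id
    else
        response.write "<script language=javascript>alert('请不要恶意访问本站');</script>请不要恶意访问本网站"
        response.end
    end if
end function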
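' Build an anchor for class furl_name whose href is furl_url & "=" & id, where
' id is resolved through subname() (which aborts the response for an unknown
' name, so an unresolved name never reaches the markup).
' Fix vs original: both text pieces are HTML-encoded and the href is quoted.
' furl_name is echoed straight into the page; even though it has just been
' matched against the class table, a name (or url) containing < > & " — a
' malicious or mistyped row, or a caller passing request data — would
' otherwise break the markup or inject script. Server.HTMLEncode may also
' emit numeric entities for non-ASCII text; browsers render them identically.
function furl(furl_name, furl_url)
    dim furl_id
    furl_id = subname(furl_name)
    furl = "<a href=""" & Server.HTMLEncode(furl_url) & "=" & furl_id & """>" & Server.HTMLEncode(furl_name) & "</a>"
end function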
' Append one row to the history (audit) table: timestamp, the free text xx,
' the operator name taken from the "aname" cookie, and the caller address
' from ips(). The row is written with Recordset.AddNew, so xx is never
' spliced into SQL text.
' NOTE (review): "happly" comes from a client cookie and "address" from ips()
' (which honours X-Forwarded-For); both are attacker-controlled, so this log
' attributes actions to whatever the client claims — do not treat it as a
' trustworthy audit trail.
function logsys(xx)
    set rs = server.createobject("adodb.recordset")
    sql = "select * from history"
    ' 1,3 = adOpenKeyset, adLockOptimistic: an updatable cursor for AddNew.
    rs.open sql, conn, 1, 3
    with rs
        .addnew
        .fields("hdate") = now()
        .fields("htext") = xx
        .fields("happly") = request.cookies("aname")
        .fields("address") = ips()
        .update
        .close
    end with
    set rs = nothing
end function
' Return the client address: the X-Forwarded-For header when present,
' otherwise the socket peer address (REMOTE_ADDR).
' NOTE (review): X-Forwarded-For is an ordinary request header that any
' client can set, and it may be a comma-separated list; only trust it when a
' reverse proxy in front of IIS overwrites it, otherwise prefer REMOTE_ADDR.
function ips()
    userip = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    if userip = "" then
        userip = Request.ServerVariables("REMOTE_ADDR")
    end if
    ips = userip
end function
' Name of the currently executing script (last "/"-separated segment of the
' request URL), left in the global filename for including pages to use.
strurl=Request.ServerVariables("URL")
' VBScript identifiers are case-insensitive: Strurl is the same variable as
' strurl, re-bound here from the URL string to the array of its path parts.
Strurl=split(strurl,"/")
i=UBound(strurl,1)
filename=strurl(i) 'last segment = the file name
%>
<%
' Dreamweaver-style (MM_) connection string for a second Access database.
dim MM_oConn_STRING, db_STRING, strDatabaseType
'******************************************
'*** Microsoft Access ****
'******************************************
strDatabaseType = "msaccess"
' NOTE (review): resolved from a virtual path, so the .mdb sits inside the web
' root — confirm IIS refuses to serve *.mdb, or the file is downloadable by URL.
db_STRING = Server.MapPath("/databases/caifuw.mdb")
MM_oConn_STRING = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & db_STRING
%>
<%
' OLE DB (Jet 4.0) connection string and constants for the nbarticle module.
Dim ConnStr
Dim DataBaseFilePath
' NOTE (review): the data source carries an .asp extension — presumably so a
' direct request makes IIS execute it instead of serving the raw database;
' confirm that is the intent and that the file really is not downloadable.
DataBaseFilePath="/nbarticle/Depot/NBArticle.asp"
ConnStr="Provider = Microsoft.Jet.OLEDB.4.0;Data Source =" & Server.MapPath(DataBaseFilePath)
' Cache key and virtual root used by the nbarticle pages (values are opaque here).
Const sCacheName="NB412426174"
Const SystemFolder="/nbarticle/"
%>