<!--#include file="Md5.asp"-->
<%
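'Request deny-list filter (original comment: "anti SQL injection").
'Lower-cases the query string plus the Host header and rejects the request
'when any listed token occurs in that text, or when the "id" parameter is not
'numeric. NOTE(review): this is plain substring matching, so legitimate values
'containing e.g. "dir", "exe", "format" or "+" are rejected as well, and it is
'not a substitute for parameterised SQL and output encoding.
squery=lcase(Request.ServerVariables("QUERY_STRING"))
sURL=lcase(Request.ServerVariables("HTTP_HOST"))
allquery=squery & sURL
'All tokens are lower case because allquery is lower-cased above; the original
'list had "Update" with a capital U, which could never match.
badTokens=Array("%20","%27","'","%a1a1","%24","$","%3b",";","%%","%3c","<",">","--", _
	"sp_","xp_","exec","\","delete","dir","exe","select","update","cmd","*","^","(",")","+","copy","format")
blocked=False
For Each tok In badTokens
	If InStr(allquery,tok)<>0 Then
		blocked=True
		Exit For
	End If
Next
If blocked or not(isnumeric(request("id"))) then
	'Bounce to the site root instead of describing what was rejected.
	Response.Write"<meta http-equiv='refresh' content='1;URL=/'>"
	Response.End
End If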

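'Database connection.
'On Error Resume Next stays in force for the rest of the page (later code was
'written against it), so runtime errors elsewhere are swallowed. Opening the
'connection is therefore checked explicitly here and the page fails closed:
'serving on with a dead connection would make later recordset/eof tests
'misbehave silently.
On Error Resume Next
filename=Request.ServerVariables("URL")   'this script's own path, reused for redirects and form actions
dbpath="#Date.mdb"                        'database file, relative to this script
Set conn=Server.CreateObject("adodb.connection")
db="provider = Microsoft.Jet.OLEDB.4.0;Data Source ="&server.mappath(dbpath)
Err.Clear
conn.open db
If Err.Number<>0 Then
	'Generic message on purpose: Err.Description would expose the file path/provider.
	Response.Write "数据库连接失败"
	Response.End
End If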

'过滤代码
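'Encode a user-supplied string for HTML output / storage.
'Replaces &, >, <, space, tab, double quote and apostrophe with entities,
'drops CR, turns a blank line (LF LF) into a paragraph break and a single LF
'into <br>. Returns Empty when fString is Null (as the original did).
'The "&" replacement was missing in the original; it must run first so the
'entities produced by the later replacements are not re-encoded, and so that
'user-typed entities such as "&lt;" render literally instead of as markup.
function HTMLEncode(fString)
If not isnull(fString) then
    fString = Replace(fString, "&", "&amp;")
    fString = replace(fString, ">", "&gt;")
    fString = replace(fString, "<", "&lt;")
    fString = Replace(fString, CHR(32), "&nbsp;")
    fString = Replace(fString, CHR(9), "&nbsp;")
    fString = Replace(fString, CHR(34), "&quot;")
    fString = Replace(fString, CHR(39), "&#39;")
    fString = Replace(fString, CHR(13), "")
    'Order matters: the double-LF rule must run before the single-LF rule.
    fString = Replace(fString, CHR(10) & CHR(10), "</p><p> ")
    fString = Replace(fString, CHR(10), "<br> ")
    HTMLEncode = fString
End If
End function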

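'Undo the whitespace, quote, apostrophe and line-break part of HTMLEncode so
'stored text can be edited again. Returns Empty when fString is Null.
'Fixes the original, which assigned its result to HTMLEncode2 and therefore
'always returned Empty. Two no-op lines were dropped: a second "&nbsp;"
'replacement that could never match after the first one, and a Replace()
'with an empty search string, which VBScript treats as "no change".
'&lt; and &gt; are left encoded, as in the original — TODO confirm with the
'callers that the result is meant to be written back into HTML.
function UHTMLEncode(fString)
If not isnull(fString) then
	fString = Replace(fString, "&nbsp;", CHR(32))
	fString = Replace(fString, "&quot;", CHR(34))
	fString = Replace(fString, "&#39;", CHR(39))
	fString = Replace(fString, "</p><p> ", CHR(10) & CHR(10))
	fString = Replace(fString, "<br> ", CHR(10))
	UHTMLEncode = fString
End If
End function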

'Gate for admin-only actions: when the session holds no admin name, send the
'browser to this page's login form and stop processing. Returns nothing.
function checkadmin()
	Dim who
	who = session("Admin")
	'An unset session slot compares equal to "" here, so both cases redirect.
	If who = "" then
		Response.redirect filename & "?action=login"
		Response.End
	End If
End function

'Read the routing parameters from the query string. A non-empty "id" is only
'accepted when numeric, because later actions concatenate it into SQL.
action = Request.Querystring("action")
id = Request.Querystring("id")
idGiven = (id <> "")
If idGiven and not isnumeric(id) then
	Response.Write "<script>alert('非法的ID!');this.location.href='default.asp';</SCRIPT>"
	Response.End
End If
%>
<html>
<head>
<title>留言</title>
<style type="text/css">
/* Base typography for the page body and table cells. */
body,td,th {
	font-size: 12px;
	color: #2E2E2E;
	line-height: 20px;
}
/* Links: no underline, body colour by default, orange on hover. */
a:link {
	color: #2E2E2E;
	text-decoration: none;
}
a:visited {
	text-decoration: none;
	color: #2E2E2E;
}
a:hover {
	text-decoration: none;
	color: #FF6600;
	border-bottom-color: #FF6600;
}
/* Form controls: .input/.button are white; .inputb/.buttonb are narrow, transparent variants. */
.input {
	font-size: 12px;
	border: 1px solid #CCCCCC;
	background-color: #FFFFFF;
	width: 130px;
}
.inputb {
	font-size: 12px;
	border: 1px solid #CCCCCC;
	background-color: transparent;
	width: 30px;
}
.button {
	font-size: 12px;
	border: 1px solid #CCCCCC;
	background-color: #FFFFFF;
}
.buttonb {
	font-size: 12px;
	border: 1px solid #CCCCCC;
	background-color: transparent;
	width: 20px;
}
</style>
</head>
<body>
<%
select case action
case "del"
'删除留言调用
	checkadmin
	If id="" then
		Response.Write "<script>alert('非法操作:删除留言的ID参数不能为空!');this.location.href='default.asp';</SCRIPT>"
	    Response.End
	End If
	conn.execute("DELETE FROM [book] WHERE id="&id)
	Response.Write "<script>alert('站长辛苦了。留言删除成功!');this.location.href='default.asp';</SCRIPT>"
case "add"
'添加留言调用
	Name=htmlencode(request.form("Name"))
	Qq=htmlencode(request.form("Qq"))
	Mail=htmlencode(request.form("Mail"))
	Info=htmlencode(request.form("Info"))
	If Name="" or Qq="" or Mail="" or Info="" then
		Response.Write "<script>alert('姓名、QQ、邮箱、留言必须填写!');this.location.href='default.asp';</SCRIPT>"
	ElseIf len(Name)>16 then
		Response.Write "<script>alert('姓名不要大于16个字符!');this.location.href='default.asp';</SCRIPT>"
	ElseIf not (isNumeric(Qq) or Qq="") then
		Response.Write "<script>alert('QQ号码必须为数字!');this.location.href='default.asp';</SCRIPT>"
	ElseIf len(Qq)<5 or len(Qq)>10 then
		Response.Write "<script>alert('QQ号不要大于9个数字小于5个数字!');this.location.href='default.asp';</SCRIPT>"
	ElseIf Instr(Mail,".")<=0 or Instr(Mail,"@")<=0 then
		Response.Write "<script>alert('邮箱必须包括(@)(.)!');this.location.href='default.asp';</SCRIPT>"
	ElseIf len(Mail)>30 or len(Mail)<6 then
		Response.Write "<script>alert('邮箱请不要大于30个汉字小于6个汉字!');this.location.href='default.asp';</SCRIPT>"
	ElseIf len(Info)>400 then
		Response.Write "<script>alert('留言内容不得大于400个字符!');this.location.href='default.asp';</SCRIPT>"
	Else
	Set mRs= Server.CreateObject("adodb.recordSet")
	mRs.open "Select * from book", conn, 1, 3
	mRs.addnew
		mRs("Name") = Name
		mRs("Mail") = Mail
		mRs("Qq") = Qq
		mRs("Info") = Info
		mRs("time") = now()
	mRs.update
	mRs.close
	Set mRs = nothing
		Response.Write "<script>alert('留言添加成功,请继续关注我们!');this.location.href='default.asp';</SCRIPT>"
		Response.End
	End If

case "Reply"
'回复留言调用
	checkadmin
	Reply=trim(htmlencode(request.form("Reply")))
	If id="" then
		Response.Write "<script>alert('非法操作:删除留言的ID参数不能为空!');this.location.href='default.asp';</SCRIPT>"
		Response.End
	End If
	Name=htmlencode(request.form("Name"))
	Qq=htmlencode(request.form("Qq"))
	Mail=htmlencode(request.form("Mail"))
	Info=htmlencode(request.form("Info"))
	If Name="" or Qq="" or Mail="" or Info="" then
		Response.Write "<script>alert('姓名、QQ、留言必须填写!');this.location.href='default.asp';</SCRIPT>"
	Else
		Id=Request("Id")
		Set mRs=Server.CreateObject("adodb.recordSet")
		Sql="Select * from Book where Id="&Id
		mRs.open Sql,conn,1,3
		mRs("Name")=Request("Name")
		mRs("Qq")=Request("Qq")
		mRs("Mail")=Request("Mail")
		mRs("Info")=Request("Info")
		mRs("Reply")=Request("Reply")
		mRs.update
		mRs.close
		Set mRs=nothing
		Response.Write "<script>alert('留言回复成功!');this.location.href='default.asp';</SCRIPT>"
	End If

case "modpassed"
'修改管理员密码调用
	checkadmin
	User=htmlencode(request.form("User"))
	oldpass=md5(request.form("oldpass"))
	newpass=md5(request.form("newpass"))
	newpass2=md5(request.form("confirm"))

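	'Verify that password (already md5-hashed by the caller) matches the row of
	'the admin named in session("Admin"); otherwise send the browser back to the
	'change-password form and stop. Returns nothing.
	'Uses a parameterised ADODB.Command instead of string-built SQL so neither
	'the session value nor the password text can alter the query. Because
	'On Error Resume Next is active page-wide, a failed Execute is treated as
	'"no match" (fail closed) rather than being silently skipped.
	sub Checkpass(password)
		Dim cmd, mRs, matched
		Set cmd = Server.CreateObject("ADODB.Command")
		Set cmd.ActiveConnection = conn
		cmd.CommandText = "SELECT * FROM [Admin] WHERE user=? AND pass=?"
		'200 = adVarChar, 1 = adParamInput
		cmd.Parameters.Append cmd.CreateParameter("user", 200, 1, 255, session("Admin"))
		cmd.Parameters.Append cmd.CreateParameter("pass", 200, 1, 255, password)
		Err.Clear
		Set mRs = cmd.Execute
		matched = False
		'Nested Ifs on purpose: VBScript does not short-circuit, and touching
		'mRs after a failed Execute would itself raise.
		If Err.Number = 0 Then
			If Not mRs.eof Then matched = True
			mRs.close
			Set mRs = nothing
		End If
		Set cmd = nothing
		If Not matched then
			Response.Write "<script>alert('站长是不是记错了你的旧密码?');this.location.href='"&filename&"?action=modpass';</SCRIPT>"
			Response.End
		End If
	End sub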

Checkpass oldpass

If newpass="" then
	Response.Write "<script>alert('新密码不能为空!');this.location.href='"&filename&"?action=modpass';</SCRIPT>"
	Response.End
End If

If newpass<>newpass2 then
	Response.Write "<script>alert('两次新密码不一致!');this.location.href='"&filename&"?action=modpass';</SCRIPT>"
	Response.End
End If

conn.execute("update [Admin] Set pass='"&newpass&"' WHERE user='"&session("Admin")&"'")
	session("Admin")=User
	Response.Write "<script>alert('站长请牢记新修改的密码丢了是很麻烦的哟!');this.location.href='default.asp';</SCRIPT>"
	response.end

case "logout"

	session.Contents.Remove("Admin")
	Response.Write "<script>alert('管理这么长时间了是该休息了(退出管理成功)');this.location.href='default.asp';</SCRIPT>"
	Response.End

case "logincheck"
'登陆后台调用
	User=htmlencode(request.form("User"))
	password=md5(request.form("password"))

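'Log an admin in: look up the row whose user/pass match User and the md5
'digest the caller computed, store the user name in session("admin") on a
'match, then in every case emit a redirect and stop. Returns nothing.
'Parameterised so form input never becomes part of the SQL text. With
'On Error Resume Next active page-wide, a failed Execute counts as a failed
'login instead of falling through.
function CheckLogin(User,password)
	Dim cmd, mRs, found
	Set cmd = Server.CreateObject("ADODB.Command")
	Set cmd.ActiveConnection = conn
	cmd.CommandText = "SELECT * FROM [admin] WHERE user=? AND pass=?"
	'200 = adVarChar, 1 = adParamInput
	cmd.Parameters.Append cmd.CreateParameter("user", 200, 1, 255, User)
	cmd.Parameters.Append cmd.CreateParameter("pass", 200, 1, 255, password)
	Err.Clear
	Set mRs = cmd.Execute
	found = False
	'Nested Ifs: VBScript does not short-circuit, and mRs is unusable after a failed Execute.
	If Err.Number = 0 Then
		If Not mRs.eof Then
			found = True
			session("admin") = mRs("user")
		End If
		mRs.close
		Set mRs = nothing
	End If
	Set cmd = nothing
	If found then
		Response.Write "<script>alert('又到管理留言的时间了(登录成功)!');this.location.href='default.asp';</SCRIPT>"
	Else
		Response.Write "<script>alert('不是本站站长请不要乱登陆。');this.location.href='"&filename&"?action=login';</SCRIPT>"
	End If
	Response.End
End function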

CheckLogin User,password
case "login"
%>
<table border="0" cellpadding="1" cellspacing="1" style="border-collapse: collapse" width="330" bgcolor="#CCCCCC" align="center">
	<tr bgcolor="F3F3F3">
		<td>
			<table border="0" cellpadding="0" style="border-collapse: collapse" width="100%">
				<tr>
					<td height="25">&nbsp;·&nbsp;管理登陆&nbsp;·</td>
				</tr>
			</table>
		</td>
	</tr>
	<tr bgcolor="F3F3F3">
		<td>
			<table border="0" cellpadding="0" style="border-collapse: collapse" width="100%">
				<form name="form1" method="post" action="<% =filename %>?action=logincheck">
				<tr>
					<td width="101" height="30" align="center">管理员:</td>
					<td width="205"><input type="text" name="User" class="input"></td>
				</tr>
				<tr>
					<td height="30" align="center">密&nbsp;&nbsp;码:</td>
					<td><input type="password" name="password" class="input"></td>
				</tr>
				<tr>
					<td height="40" colspan="2" align="center">
					<input name="Submit3" type="submit" value=" 登录 " class="button">&nbsp;&nbsp;&nbsp;&nbsp;<input name="reSet" type="reSet" value=" 重置 " class="button"></td>
				</tr>
				</form>			
			</table>
		</td>
	</tr>
</table>
<br><br><br>
<%
case "modpass"
checkadmin
%>
<table border="0" cellpadding="1" cellspacing="1" style="border-collapse: collapse" width="330" bgcolor="#CCCCCC" align="center">
	<tr bgcolor="F3F3F3">
		<td>
			<table border="0" cellpadding="0" style="border-collapse: collapse" width="100%">
				<tr>
					<td height="25">&nbsp;·&nbsp;管理员帐号修改&nbsp;·</td>
				</tr>
			</table>
		</td>
	</tr>
	<tr bgcolor="F3F3F3">
		<td>
			<table border="0" cellpadding="0" style="border-collapse: collapse" width="100%">
				<form name="form1" method="post" action="<% =filename %>?action=modpassed">
				<tr>
					<td height="25" align="center" width="120" bgcolor="#EFEFEF">登录名:</td>
					<td width="186" bgcolor="#EFEFEF"><input name="User" type="text" id="User" value="<% =session("admin") %>" size="20" maxlength="16" readonly class="input"></td></tr>
			    <tr>
			      <td height="25" align="center" width="120" bgcolor="#EFEFEF">旧密码:</td>
