📄 conn.asp
<%
' Opens the shared Access (Jet) connection that the rest of this file, and any
' page including it, reaches through the script-level variable "conn".
Dim starttime, dbpath, connstr, conn
starttime = Timer()

' NOTE(review): error trapping is switched on here at script level and this file
' never switches it off, so later failures in this file are skipped silently
' rather than surfaced.
On Error Resume Next

' Server.MapPath resolves a path relative to the requesting page, so the .mdb
' lives inside the site's directory tree.
' NOTE(review): confirm the web server refuses direct requests for
' data/DB_MS.mdb, or keep the database outside the served directories.
dbpath = Server.MapPath("data/DB_MS.mdb")
connstr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & dbpath

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connstr

' On failure, report it and drop the object. Execution still continues, so
' code that runs afterwards sees conn = Nothing.
If Err.Number <> 0 Then
    Response.Write "数据库链接字符出错,请检查数据库"
    Err.Clear
    Set conn = Nothing
End If
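' Request filter: when ms_sqlinOpen = 1, every POST and GET value is compared
' (case-insensitively) against a denylist of SQL-looking tokens. On the first
' hit the request is logged to ms_sqlin, a notice is written and the response
' is ended.
'
' Changes from the previous version:
'   * The audit INSERT used to concatenate the parameter name and SCRIPT_NAME
'     into the SQL text unescaped, so the logging statement itself could be
'     broken by a crafted request. It now uses bound parameters.
'   * The rejection page echoed the parameter name and value as raw HTML.
'     Request-derived output is now passed through Server.HTMLEncode.
'   * The two duplicated POST/GET branches share one helper.
'
' NOTE(review): this denylist is defence in depth only. It inspects
' Request.Form and Request.QueryString values and nothing else, so queries
' elsewhere in the application still need bound parameters rather than relying
' on this check.
If ms_sqlinOpen=1 Then
    On Error Resume Next
    Dim MS_SQLINSTR, MS_ArrSQL, MS_Index, MS_Post
    MS_SQLINSTR = "'|; |^| and |exec| insert | select |delete| update | count |*| % | chr | mid |master|truncate| char| declare"
    MS_ArrSQL = Split(MS_SQLINSTR, "|")

    If Request.Form <> "" Then
        For Each MS_Post In Request.Form
            For MS_Index = 0 To UBound(MS_ArrSQL)
                ' Final argument 1 = vbTextCompare (case-insensitive match).
                If InStr(1, Request.Form(MS_Post), MS_ArrSQL(MS_Index), 1) > 0 Then
                    MS_RejectRequest "" & MS_Post, "" & Request.Form(MS_Post), "Post", "POST"
                End If
            Next
        Next
    End If

    If Request.QueryString <> "" Then
        For Each MS_Get In Request.QueryString
            For MS_Index = 0 To UBound(MS_ArrSQL)
                If InStr(1, Request.QueryString(MS_Get), MS_ArrSQL(MS_Index), 1) > 0 Then
                    MS_RejectRequest "" & MS_Get, "" & Request.QueryString(MS_Get), "Get", "GET"
                End If
            Next
        Next
    End If
End If

' Returns a parameter size that ADO accepts for a variable-length text value.
' A declared size of 0 is rejected, so empty strings are given size 1.
Function MS_ParamSize(textValue)
    If Len(textValue) > 0 Then
        MS_ParamSize = Len(textValue)
    Else
        MS_ParamSize = 1
    End If
End Function

' Best-effort audit record of a rejected request. Any failure here is swallowed
' on purpose so that a logging problem can never let the request through.
'   parName - name of the offending parameter (request-controlled)
'   logType - "Post" or "Get", stored in putType
'   parData - the offending value (request-controlled)
Sub MS_LogRejected(parName, logType, parData)
    Dim cmd, scriptName, remoteAddr
    On Error Resume Next

    ' The connection is dropped to Nothing when opening the database failed.
    If Not IsObject(conn) Then Exit Sub
    If conn Is Nothing Then Exit Sub

    scriptName = "" & Request.ServerVariables("SCRIPT_NAME")
    remoteAddr = "" & Request.ServerVariables("REMOTE_ADDR")

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1 ' adCmdText
    cmd.CommandText = "insert into ms_sqlin(putPar,putType,putData,operateScriptName,operateIP,operateDate) values(?,?,?,?,?,?)"

    ' ADO type codes: 202 = adVarWChar, 203 = adLongVarWChar, 7 = adDate;
    ' direction 1 = adParamInput.
    ' NOTE(review): the ms_sqlin column types are not visible in this file;
    ' adjust the type codes if the schema differs.
    cmd.Parameters.Append cmd.CreateParameter("putPar", 202, 1, MS_ParamSize(parName), parName)
    cmd.Parameters.Append cmd.CreateParameter("putType", 202, 1, MS_ParamSize(logType), logType)
    cmd.Parameters.Append cmd.CreateParameter("putData", 203, 1, MS_ParamSize(parData), parData)
    cmd.Parameters.Append cmd.CreateParameter("operateScriptName", 202, 1, MS_ParamSize(scriptName), scriptName)
    cmd.Parameters.Append cmd.CreateParameter("operateIP", 202, 1, MS_ParamSize(remoteAddr), remoteAddr)
    ' Binding the timestamp as a date avoids the locale-dependent #...# literal.
    cmd.Parameters.Append cmd.CreateParameter("operateDate", 7, 1, , Now())

    cmd.Execute , , 128 ' adExecuteNoRecords
    Set cmd = Nothing
    Err.Clear
End Sub

' Logs the rejected request, writes the notice and ends the response.
'   parName   - name of the offending parameter
'   parData   - the offending value
'   logType   - label stored in the audit table ("Post" / "Get")
'   shownType - label shown to the client ("POST" / "GET")
Sub MS_RejectRequest(parName, parData, logType, shownType)
    MS_LogRejected parName, logType, parData

    Response.Write "<Script Language=""JavaScript"">alert('系统安全提示↓\n\n请不要在参数中包含非法字符!');</Script>"
    Response.Write "非法操作!系统做了如下记录↓<br/>"
    Response.Write "操作IP:" & Server.HTMLEncode("" & Request.ServerVariables("REMOTE_ADDR")) & "<br/>"
    Response.Write "操作时间:" & Now() & "<br/>"
    Response.Write "提交类型:" & shownType & "<br/>"
    ' The name and value come straight from the request: encode before echoing.
    Response.Write "提交参数:" & Server.HTMLEncode(parName) & "<br/>"
    Response.Write "提交数据:" & Server.HTMLEncode(parData) & "<br/>"
    Response.Write "操作对象:" & Server.HTMLEncode("" & Request.ServerVariables("SCRIPT_NAME"))
    Response.End
End Sub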
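' Closes and releases the shared connection held in the script-level "conn".
' Safe to call when the connection never opened (conn was set to Nothing after
' a failed open) or has already been closed; the previous version raised an
' error in those cases.
Sub closeconn()
    If IsObject(conn) Then
        If Not conn Is Nothing Then
            ' 0 = adStateClosed; calling Close on a closed connection raises an error.
            If conn.State <> 0 Then conn.Close
            Set conn = Nothing
        End If
    End If
End Sub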
%>