admin_conn.asp

本系统是一套开源WEB的网站管理系统

<%
'后台数据库链接字符串
Dim datapath,dbpath,dataMdb,connstr,databackup
databackup="../databackup/"'数据库文件备份路径
datapath="../data"
dataMdb="Db_ms.mdb"
On error Resume Next
dbpath=Server.MapPath(datapath&"/"&dataMdb)
connstr="Provider=Microsoft.Jet.OLEDB.4.0;Data Source="&dbpath
Set conn=Server.CreateObject("ADODB.Connection")
conn.open connstr
If err then
	Response.write("数据库链接字符出错，请检查数据库")
	err.clear
	Set conn=Nothing
End If
If ms_sqlinOpen=1 Then
On Error Resume Next
Dim MS_SQLIN, MS_ArrSQL,MS_Index,MS_Post
MS_SQLINSTR = "'|;|^|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
MS_ArrSQL = Split(MS_SQLINSTR, "|")
If Request.Form <> "" Then
	For Each MS_Post In Request.Form
		For MS_Index = 0 To UBound(MS_ArrSQL)
			If InStr(1, Request.Form(MS_Post), MS_ArrSQL(MS_Index), 1) > 0 Then
				conn.execute("insert into ms_sqlin(putPar,putType,putData,operateScriptName,operateIP,operateDate) values('"&ms_post&"','Post','"&replace(Request.Form(MS_Post),"'","''")&"','"&Request.ServerVariables("SCRIPT_NAME")&"','"&Request.ServerVariables("REMOTE_ADDR")&"',#"&Now()&"#)")
				Response.Write "<Script Language=""JavaScript"">alert('系统安全提示↓\n\n请不要在参数中包含非法字符！');</Script>"
				Response.Write "非法操作！系统做了如下记录↓<br/>"
				Response.Write "操作IP："&Request.ServerVariables("REMOTE_ADDR")&"<br/>"
				Response.Write "操作时间："&NOW()&"<br/>"
				Response.Write "提交类型：POST<br/>"
				Response.Write "提交参数："&MS_Post&"<br/>"
				Response.Write "提交数据："&Request.Form(MS_Post)&"<br/>"
				Response.Write "操作对象："&Request.ServerVariables("SCRIPT_NAME")
				Response.End
			End If
		Next
	Next
End If
If Request.QueryString <> "" Then
	For Each MS_Get In Request.QueryString
		For MS_Index = 0 To UBound(MS_ArrSQL)
			If InStr(1, Request.QueryString(MS_Get), MS_ArrSQL(MS_Index), 1) > 0 Then
				conn.execute("insert into ms_sqlin(putPar,putType,putData,operateScriptName,operateIP,operateDate) values('"&MS_Get&"','Get','"&replace(Request.QueryString(MS_Get),"'","''")&"','"&Request.ServerVariables("SCRIPT_NAME")&"','"&Request.ServerVariables("REMOTE_ADDR")&"',#"&Now()&"#)")
				Response.Write "<Script Language=""JavaScript"">alert('系统安全提示↓\n\n请不要在参数中包含非法字符！');</Script>"
				Response.Write "非法操作！系统做了如下记录↓<br/>"
				Response.Write "操作IP："&Request.ServerVariables("REMOTE_ADDR")&"<br/>"
				Response.Write "操作时间："&NOW()&"<br/>"
				Response.Write "提交类型：GET<br/>"
				Response.Write "提交参数："&MS_Get&"<br/>"
				Response.Write "提交数据："&Request.QueryString(MS_Get)&"<br/>"
				Response.Write "操作对象："&Request.ServerVariables("SCRIPT_NAME")
				Response.End
			End If
		Next
	Next
End If
End If
Sub connclose()
	conn.close
	set conn=nothing
End Sub
%>