
📄 product.asp

📁 易和阳光购物商城 v1.3 | 功能简介 增加了防注入文件
📖 第 1 页 / 共 2 页
<!--#include file="Include/Iheeo_Conn.asp"-->
<!--#include file="Include/Iheeo_config.asp"-->
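<%
' Validate the Iheeoid query-string parameter before the blocks below concatenate it
' into SQL. IsNumeric alone also accepts forms such as "1.5" or "1e3", so the stricter
' isinteger check (presumably defined in one of the includes above) is applied as well.
' The original page only alerted on that second failure and kept executing, so a
' non-integer value still reached the queries below; it now ends the response too.
if IsNumeric(request.QueryString("Iheeoid"))=False then
response.write("<script>alert(""非法访问!"");location.href=""index.asp"";</script>")
response.end
end if
' id is declared here but not used in this part of the page.
dim id
Iheeoid=request.QueryString("Iheeoid")
if not isinteger(Iheeoid) then
response.write"<script>alert(""非法访问!"");location.href=""index.asp"";</script>"
response.end
end if%>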
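<%dim bookid,action
bookid=request.QueryString("Iheeoid")
action=request.QueryString("action")
' Comment ("pinglun") submission for product bookid. bookid is concatenated into the
' BJX_goods query below, so it is re-checked here rather than relying only on the
' validation block at the top of the page.
if action="save" then
	if not IsNumeric(bookid) or not IsNumeric(request("pingji")) then
		' pingji (the submitted rating) is added to pingjizong as a number below; a
		' non-numeric value would raise a type-mismatch error at that point.
		response.write("<script>alert(""非法访问!"");location.href=""index.asp"";</script>")
		response.end
	end if
	' Look the product up before writing anything, so a comment is never stored for a
	' bookid that has no BJX_goods row (the original read rs("pingji") on an empty recordset).
	set rs_g=server.CreateObject("adodb.recordset")
	rs_g.open "select * from BJX_goods where bookid="&bookid,conn,1,3
	if rs_g.recordcount=0 then
		rs_g.close
		set rs_g=nothing
		response.write("<script>alert(""非法访问!"");location.href=""index.asp"";</script>")
		response.end
	end if
	' Store the comment itself. HTMLEncode2 comes from the includes; presumably it
	' HTML-encodes the free-text fields before they are stored.
	set rs=server.CreateObject("adodb.recordset")
	rs.open "select * from BJX_pinglun",conn,1,3
	rs.addnew
	rs("bookid")=bookid
	rs("pingji")=request("pingji")
	rs("pinglunname")=HTMLEncode2(trim(request("pinglunname")))
	rs("pingluntitle")=HTMLEncode2(trim(request("pingluntitle")))
	rs("pingluncontent")=HTMLEncode2(trim(request("pingluncontent")))
	rs("ip")=Request.servervariables("REMOTE_ADDR")
	rs("pinglundate")=now()
	rs("shenhe")=1
	rs.update
	rs.close
	set rs=nothing
	' Rating aggregate on the product row: pingji counts ratings, pingjizong sums their values.
	rs_g("pingji")=rs_g("pingji")+1
	rs_g("pingjizong")=rs_g("pingjizong")+request("pingji")
	rs_g.update
	rs_g.close
	set rs_g=nothing
	response.Write "<script language=javascript>alert('您的评论已成功提交!');history.go(-1);</script>"
	response.End
end if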
%><%set rs=server.createobject("adodb.recordset")
rs.open "select * from BJX_goods where bookid="&request("Iheeoid"),conn,1,3
if rs.recordcount=0 then 
%>商品已不存在<%
else
rs("liulancount")=rs("liulancount")+1
rs.update
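if request.Cookies("bjx")("username")<>"" then
	' Record this product in the signed-in user's browsing history (BJX_history, lx=1).
	' The username comes from a client cookie and was concatenated unescaped into three
	' SQL string literals; it is escaped once here (single quotes doubled) and reused.
	' The product id is taken from the validated Iheeoid variable rather than the
	' untyped request() collection lookup the original used.
	t_username=replace(request.Cookies("bjx")("username"),"'","''")
	set rs_s=server.CreateObject("adodb.recordset")
	rs_s.open "select * from bjx_User where username='"&t_username&"'",conn,1,1
	' Only record history for a username that exists; the original read rs_s("userid")
	' from a possibly empty recordset, which raises an error.
	if rs_s.recordcount>0 then
		t_userid=rs_s("userid")
		rs_s.close
		set rs_s=server.createobject("adodb.recordset")
		rs_s.open "select * from BJX_history where bookid="&Iheeoid&" and username='"&t_username&"' and lx=1",conn,1,3
		if rs_s.recordcount>0 then
			' Already in the history: refresh its timestamp and owner.
			rs_s("ltime")=now()
			rs_s("userid")=t_userid
			rs_s.update
		else
			' New entry: when the user already has four or more entries, the oldest
			' (first by ltime) is dropped before the new one is added.
			rs_s.close
			set rs_s=server.createobject("adodb.recordset")
			rs_s.open "select * from BJX_history where username='"&t_username&"' and lx=1 order by ltime",conn,1,3
			if rs_s.recordcount>=4 then
				rs_s.delete
				rs_s.update
			end if
			rs_s.addnew
			rs_s("username")=request.Cookies("bjx")("username")
			rs_s("bookid")=Iheeoid
			rs_s("bookname")=rs("bookname")
			rs_s("userid")=t_userid
			rs_s("lx")=1
			rs_s("ltime")=now()
			rs_s.update
		end if
	end if
	rs_s.close
	set rs_s=nothing
end if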
			%>
<html><head><title><%=rs("bookname")%> <%=rs("bookad")%> - <%=webname%></title>
<meta name="keywords" content="<%=rs("keywords")%>">
<meta name="description" content="<%=rs("description")%>">
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<link href="images/css.css" rel="stylesheet" type="text/css">
<style type="text/css">
<!--
.style1 {color: #FF0000}
.css03 {FONT-SIZE: 12px; LINE-HEIGHT: 130%}
-->
</style>
</head>
<script language="JavaScript">
	
	<!--
	
	// Names the current window "news" and opens (or re-targets) the "newswin" popup.
	// NOTE: `win` is assigned without var, so it is a global; left that way because
	// other scripts on the page may read it.
	function OpenNews()
	{
		var features = "left=110,width=600,height=420,scrollbars=1";
		window.name = "news";
		win = window.open("", "newswin", features);
	}
	//-->
</script>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" >
<!--#include file="Include/Iheeo_head.asp"-->
<TABLE cellSpacing=0 cellPadding=0 width="970" align=center border=0>
  <TBODY>
    <TR>
      <TD class=b vAlign=top align=left><table width="970" align="center" border="0" cellspacing="5" cellpadding="3" bordercolor="#CCCCCC">
        <tr>
          <td width="200" valign="top" bordercolor="#FFFFFF" bgcolor="#FFFFFF"><!--#include file="Include/Iheeo_history.asp"--><TABLE cellSpacing=0 cellPadding=0 border=0><TR><TD height=5></TD></TR></TABLE><!--#include file="Include/Iheeo_gouwucheinfo.asp"--><TABLE cellSpacing=0 cellPadding=0 border=0><TR><TD height=5></TD></TR></TABLE><TABLE cellSpacing=0 cellPadding=0 border=0><TR><TD><script type="text/javascript"><!--
google_ad_client = "pub-3074014307908403";
/* 商城源代码商品页 */
google_ad_slot = "6674509854";
google_ad_width = 200;
google_ad_height = 200;
//-->
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script></TD></TR></TABLE><TABLE cellSpacing=0 cellPadding=0 border=0><TR><TD height=5></TD></TR></TABLE><!--#include file="Include/Iheeo_xiaoshouinfo.asp"--></td>
          <td valign="top" align="center">
        <table width="100%" border="0" cellspacing="5" cellpadding="3" class="wenbenkuang" bgcolor="#D9D9D9">
          <tr>
            <td class="table-shangxia" bgcolor="#ffffff" height="35"><img src="images/menu_06.gif" width="41" height="33" align="absmiddle"> <a href=index.asp><%=webname%></a> >>
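                <%
                ' Breadcrumb: top-level category (BJX_class1) then sub-category (BJX_class2).
                ' anclassid/nclassid come from the product row, not from the request.
                set rs2=server.createobject("adodb.recordset")
                rs2.open "select * FROM BJX_class1 where anclassid="&rs("anclassid"),conn,1,1
                if rs2.recordcount>0 then
                ' "targer" was a typo for the target attribute, so the link never opened in a new window.
                response.write "<a href=Class_view.asp?lx=big&anid="&rs2("anclassid")&" target=_blank>"&rs2("anclass")&"</a> >> "
                end if
                rs2.close
                set rs2=server.createobject("adodb.recordset")
                rs2.open "select * FROM BJX_class2 where nclassid="&rs("nclassid"),conn,1,1
                if rs2.recordcount>0 then
                ' The sub-category anchor is closed here; the original left it unterminated.
                response.write "<a href=Class_view.asp?lx=small&anid="&rs2("anclassid")&"&nid="&rs2("nclassid")&" target=_blank>"&rs2("nclass")&"</a>"
                end if
                rs2.close
                set rs2=nothing%>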
            </td>
          </tr>
          <tr>
            <td bgcolor="#FFFFFF">
			<div align="left">
			<table border="0" width="100%" id="table1" cellpadding="5" cellspacing="3">
				<tr>
					<td width="230" bgcolor="#F3F4F0"><%
					' zhuang is the product image path; show the placeholder image when it is empty.
					if rs("zhuang")="" then
						response.write "<img src=images/emptybook.gif width=200 border=0>"
					else
						response.write "<a href=""" & trim(rs("zhuang")) & """ ><img src=""" & trim(rs("zhuang")) & """ width=240 border=0 alt=""点击浏览商品大图"" height=""240""></a>"
					end if%></td>
					<td rowspan="2" valign="top">
					<table border="0" width="100%" id="table2" cellpadding="2" cellspacing="1">
						<tr>
							<td><font color="#ff6600" size="3"><strong><%=rs("bookname")%></strong></font> <%=rs("bookad")%></td>
						</tr>
						<tr>
							<td height="25"><font color="#838383">商品编号:<%=rs("bookid")%></font></td>
						</tr>
						<tr>
							<td height="25">市场价:&yen;<s><%=formatnumber(rs("shichangjia"),2,true)%>元</s>/<%=rs("bookchuban")%></td>
						</tr>
						<tr>
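							<td height="25"><%
							' Price line. reglx is read from the client-side "bjx" cookie; here it only
							' selects which price is displayed.
							' The VIP "折" figure divides by shichangjia (market price), which raised a
							' runtime error when that field is 0; it is computed into t_zhe with a zero guard.
							if request.Cookies("bjx")("reglx")="2" then
								if rs("shichangjia")<>0 then
									t_zhe=FormatNumber(Round(rs("vipjia")/rs("shichangjia")*1000),2)/100
								else
									t_zhe=0
								end if
								response.write ""&websname&"VIP价:<b><font color=#93393A style=font-size: 11pt>&yen;"&formatnumber(rs("vipjia"),2,true)&"元</font></b>为您节省<b><font color=#FF0000>"&(rs("shichangjia")-rs("vipjia"))&"元</font></b>(相当于<b><font color=#FF0000>"&t_zhe&" 折</font></b>)"
							else
								' Member price uses the stored dazhe discount, so no division is needed.
								response.write ""&websname&"会员价:<b><font color=#93393A style=font-size: 11pt>&yen;"&formatnumber(rs("huiyuanjia"),2,true)&"元</font></b>为您节省<b><font color=#FF0000>"&(rs("shichangjia")-rs("huiyuanjia"))&"元</font></b>(相当于<b><font color=#FF0000>"&FormatNumber(Round(rs("dazhe")*1000),2)/100&" 折</font></b>)"
							end if%></td>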
						</tr>
						<tr>
							<td><hr noshade color="#F3F4F0"></td>
						</tr>
						<tr>
							<td height="25">本商品由 <%=webname%> 销售与配送 配送费用</td>
						</tr><tr><td><%
						' The buy button is shown only while kucun (stock) is positive; the favorite link is always shown.
						if rs("kucun")>0 then response.write "<a href=""buy.asp?id="&rs("bookid")&"&action=add"" target=""_blank"" ><img border=""0"" src=""image/buy.gif""></a> "
						%><a href="shoucang.asp?id=<%=rs("bookid")%>&action=add" target="_blank" ><img src="image/favorites.gif" border=0></a></td>
						</tr>
