Ewebeditor及fckeditork單引號問題的解決方法

更新時間：2010年04月05日 23:46:52 作者：

為什么一個簡單的單引號會引發(fā)不能添加到數(shù)據(jù)庫呢，想到這里，我們想到了分析下入庫代碼并找出了原因，下面是解決方法。

Ewebeditor及fckeditor，90%的網(wǎng)站都是采用這兩種編輯器作為產(chǎn)品或者內(nèi)容的說明部分的編輯窗口，近日，一客戶的外貿(mào)站點基本上快完工了，因客戶產(chǎn)品分類多，故而讓客戶自己在后臺添加產(chǎn)品，但是客戶反映，在后臺添加產(chǎn)品時，如果產(chǎn)品說明內(nèi)容太過復雜的話，產(chǎn)品怎么也添加不入數(shù)據(jù)庫中。
當時，我們也好生郁悶，這到底怎么回事，我們親自測試后臺添加任意的產(chǎn)品或者文字都能成功，偏偏他就不行，在網(wǎng)站搜索了相關的如“Ewebeditor 不能添加到數(shù)據(jù)庫”，似乎找到了一點答案，因Ewebeditor自身沒對單引號過濾，導致了添加不到數(shù)據(jù)庫的問題。于是乎，我們把編輯器換成了fckeditor，可是還是不行，那是Ewebeditor及fckeditor自帶的不完善導致的嗎？為什么一個簡單的單引號會引發(fā)不能添加到數(shù)據(jù)庫呢，想到這里，我們想到了分析下入庫代碼，我們采用的是SQL=insert into product(title,content) values(' " &request("title")& "' ,' "&request("content")& " ' )的寫法，于是我們找到客戶當時COPY進編輯器里的內(nèi)容，發(fā)現(xiàn)，果然這內(nèi)容中包括有單引號，原來，正是由于客戶提交到編輯器里的內(nèi)容中含有單引號，導致我們的SQL語句變化了，相當于原來是SQL=insert into product(title,content) values('內(nèi)容' ,'內(nèi)容' )變成了SQL=insert into product(title,content) values(' 內(nèi)容' ,' 內(nèi)容'' ) ,我們細看就知道，就因為這content里多了個單引號，SQL語句發(fā)生的嚴重的寫法錯誤，但是，我們也奇怪，既然他寫法錯誤，為什么SQL語句不給出錯誤提示呢，竟然也會提示操作成功，想到這里，我們想到了2003年那幾年，普遍的小黑客喜歡用的'or'='or'的后臺入侵法，是乎正是利用了SQL執(zhí)行時，沒過濾單引號的BUG，導致SQL怎么執(zhí)行，結果都返回真，呵呵，沒想到，原以為寫程序盡量圖個簡單明了，也是個錯啊。好了，問題找到了，以后，凡是SQL入庫前，我們都把字段過濾后再傳值，就不會再出這樣的問題了，下面是一個非常完善的SQL安全過濾函數(shù)，大家直接拿去就可以調用了。

復制代碼代碼如下:

 
Function HTMLEncode(Str) 
If Isnull(Str) Then 
HTMLEncode = "" 
Exit Function 
End If 
Str = Replace(Str,Chr(0),"", 1, -1, 1) 
Str = Replace(Str, """", "&quot;", 1, -1, 1) 
Str = Replace(Str,"<","&lt;", 1, -1, 1) 
Str = Replace(Str,">","&gt;", 1, -1, 1) 
Str = Replace(Str, "script", "&#115;cript", 1, -1, 0) 
Str = Replace(Str, "SCRIPT", "&#083;CRIPT", 1, -1, 0) 
Str = Replace(Str, "Script", "&#083;cript", 1, -1, 0) 
Str = Replace(Str, "script", "&#083;cript", 1, -1, 1) 
Str = Replace(Str, "object", "&#111;bject", 1, -1, 0) 
Str = Replace(Str, "OBJECT", "&#079;BJECT", 1, -1, 0) 
Str = Replace(Str, "Object", "&#079;bject", 1, -1, 0) 
Str = Replace(Str, "object", "&#079;bject", 1, -1, 1) 
Str = Replace(Str, "applet", "&#097;pplet", 1, -1, 0) 
Str = Replace(Str, "APPLET", "&#065;PPLET", 1, -1, 0) 
Str = Replace(Str, "Applet", "&#065;pplet", 1, -1, 0) 
Str = Replace(Str, "applet", "&#065;pplet", 1, -1, 1) 
Str = Replace(Str, "[", "&#091;") 
Str = Replace(Str, "]", "&#093;") 
Str = Replace(Str, """", "", 1, -1, 1) 
Str = Replace(Str, "=", "&#061;", 1, -1, 1) 
Str = Replace(Str, "'", "''", 1, -1, 1) 
Str = Replace(Str, "select", "sel&#101;ct", 1, -1, 1) 
Str = Replace(Str, "execute", "&#101xecute", 1, -1, 1) 
Str = Replace(Str, "exec", "&#101xec", 1, -1, 1) 
Str = Replace(Str, "join", "jo&#105;n", 1, -1, 1) 
Str = Replace(Str, "union", "un&#105;on", 1, -1, 1) 
Str = Replace(Str, "where", "wh&#101;re", 1, -1, 1) 
Str = Replace(Str, "insert", "ins&#101;rt", 1, -1, 1) 
Str = Replace(Str, "delete", "del&#101;te", 1, -1, 1) 
Str = Replace(Str, "update", "up&#100;ate", 1, -1, 1) 
Str = Replace(Str, "like", "lik&#101;", 1, -1, 1) 
Str = Replace(Str, "drop", "dro&#112;", 1, -1, 1) 
Str = Replace(Str, "create", "cr&#101;ate", 1, -1, 1) 
Str = Replace(Str, "rename", "ren&#097;me", 1, -1, 1) 
Str = Replace(Str, "count", "co&#117;nt", 1, -1, 1) 
Str = Replace(Str, "chr", "c&#104;r", 1, -1, 1) 
Str = Replace(Str, "mid", "m&#105;d", 1, -1, 1) 
Str = Replace(Str, "truncate", "trunc&#097;te", 1, -1, 1) 
Str = Replace(Str, "nchar", "nch&#097;r", 1, -1, 1) 
Str = Replace(Str, "char", "ch&#097;r", 1, -1, 1) 
Str = Replace(Str, "alter", "alt&#101;r", 1, -1, 1) 
Str = Replace(Str, "cast", "ca&#115;t", 1, -1, 1) 
Str = Replace(Str, "exists", "e&#120;ists", 1, -1, 1) 
Str = Replace(Str,Chr(13),"<br>", 1, -1, 1) 
HTMLEncode = Replace(Str,"'","''", 1, -1, 1) 
End Function 