UC知道asp中如何过滤到单引号 高手帮我看看那错了
来源:百度知道 编辑:UC知道 时间:2024/05/18 11:03:21
<%
if request("action")="do" then
users=Replace(Request("user"), "'", "")
psw=Replace(Request("psw"), "'", "")
set rs=server.CreateObject("adodb.recordset")
sql="select * from admin where users='"&users&"'and pwd='"&pwd&"'"
rs.open sql,conn,1,1
if not rs.eof then
session("admin")=rs("users")
conn.close
set conn=nothing
response.Redirect("List.asp")
rs.close
set rs=nothing
else
response.Write("<div align='center'>用户名或密码错误请重新填写</div>")
end if
end if
%>
if request("action")="do" then
users=Replace(Request("user"), "'", "")
psw=Replace(Request("psw"), "'", "")
set rs=server.CreateObject("adodb.recordset")
sql="select * from admin where users='"&users&"'and pwd='"&pwd&"'"
rs.open sql,conn,1,1
if not rs.eof then
session("admin")=rs("users")
conn.close
set conn=nothing
response.Redirect("List.asp")
rs.close
set rs=nothing
else
response.Write("<div align='center'>用户名或密码错误请重新填写</div>")
end if
end if
%>
sql="select * from admin where users='"&users&"'and pwd='"&pwd&"'"
and前边的单引号后边应该加个空格:
sql="select * from admin where users='"& users &"' and pwd='"& pwd &"'"
过滤单引号的话,将一个单引号替换为两个
sql="select * from admin where users='"& replace(users,"'","''") &"' and pwd='"& replace(pwd,"'","''") &"'"
tStr=Replace(tStr, "'", "")
这样子过滤掉tStr里的单引号
所以你写的程序没有错误
Replace(request.Form("user"), "'", "''") 照这个改一下