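<%
'------------------ sql zhuru ------------------
'----------- request-value blocklist filter -----------
' Rejects any Form or QueryString value that contains one of the tokens
' in Fy_In, by redirecting the client away from this site.
' NOTE(review): this is a substring blocklist, not a parser. It is at best a
' coarse safety net; the real protection must be parameterized queries
' (ADODB.Command parameters) in every page that touches the database. It
' also rejects ordinary text that merely contains a listed token (e.g. the
' word "and"), so expect false positives on legitimate input.
'-------- definitions --------
'Dim Fy_Post,Fy_Get,Fy_In,Fy_Inf,Fy_Xh,Fy_db,Fy_dbstr
' Tokens to reject, separated by "|||". Every request value is lower-cased
' before comparison, so the tokens are written in lower case.
Fy_In = "'|||;|||and|||exec|||insert|||select|||delete|||update|||count|||*|||%|||chr|||mid|||master|||truncate|||char|||declare"
'----------------------------------
Fy_Inf = Split(Fy_In, "|||")
'-------- POST part --------
If Request.Form <> "" Then
    For Each Fy_Post In Request.Form
        For Fy_Xh = 0 To UBound(Fy_Inf)
            If InStr(LCase(Request.Form(Fy_Post)), Fy_Inf(Fy_Xh)) <> 0 Then
                Response.Redirect "http://www.it168.com"
                ' Explicit End so nothing further on the page is evaluated
                ' for a rejected request, regardless of buffering settings.
                Response.End
            End If
        Next
    Next
End If
'----------------------------------
'-------- GET part --------
If Request.QueryString <> "" Then
    For Each Fy_Get In Request.QueryString
        For Fy_Xh = 0 To UBound(Fy_Inf)
            If InStr(LCase(Request.QueryString(Fy_Get)), Fy_Inf(Fy_Xh)) <> 0 Then
                Response.Redirect "http://www.it168.com"
                Response.End
            End If
        Next
    Next
End If
'''''''''''----------- sql end
%>
<%
'----- text colour -----
txtcolor = "#003366"
'----- end text colour -----
' Load the marquee items from txt/marquee_hz.txt (resolved relative to this
' page) and prepare them for embedding in a double-quoted JavaScript string.
' The file is treated as trusted, author-controlled content (HTML inside it is
' passed through unchanged, see the commented colour rewrite below), so write
' access to that file is equivalent to write access to the page's script.
Set fs = Server.CreateObject("Scripting.FileSystemObject")
filename = Server.MapPath("txt/marquee_hz.txt")
txtcontent = ""
' Guard the open: a missing file now yields an empty marquee instead of a
' server error on OpenTextFile.
If fs.FileExists(filename) Then
    Set txt = fs.OpenTextFile(filename, 1)   ' 1 = ForReading
    txtcontent = txt.ReadAll
    txt.Close
    Set txt = Nothing
End If
Set fs = Nothing
' Strip line breaks (a JS string literal cannot span lines).
txtcontent = Replace(txtcontent, Chr(10), "")
txtcontent = Replace(txtcontent, Chr(13), "")
' Escape backslashes BEFORE double quotes: otherwise a backslash already in
' the text followed by a quote becomes \\" and the added escape is neutralised,
' terminating the string literal early. (VBScript strings have no escape
' sequences, so "\\" is literally two characters.)
txtcontent = Replace(txtcontent, "\", "\\")
txtcontent = Replace(txtcontent, Chr(34), "\" & Chr(34))
' NOTE(review): the copy reviewed had two further Replace calls whose search
' strings were empty (presumably characters lost in re-encoding); Replace with
' an empty search string is a no-op, so they are dropped here. TODO confirm
' what they were meant to strip and restore it if needed.
'txtcontent = Replace(txtcontent,"color='#ffffff'","color='"&txtcolor&"'")
' Split into the individual marquee items on " | ".
txtcontent = Split(txtcontent, " | ")
%>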