̳(dvbbs8.2.0)ͲXSS©

[̳(dvbbs8.2.0)ͲXSS© ȫ]Ӱ汾dvbbs 8.2.0°汾ֱڶ̳µ³

©ļ
1.bokemanage.asp&bokepostings.asp

2.BokeSearch.asp ©ԭһ
ļɾ

©λã
bokepostings.aspԼ270вִ
###########################################
' Form-parameter intake in bokepostings.asp (this page places it around line 270).
' Numeric fields are run through DvBoke.CheckNumeric, free-text fields through DvBoke.Checkstr
' (defined further down on this page: NUL strip + apostrophe doubling, no HTML encoding).
P_Catid = Request.Form("Catid")                                     ' NOTE(review): read raw - the only field here with neither CheckNumeric nor Checkstr
P_Lock = DvBoke.CheckNumeric(Request.Form("Lock"))
P_Best = DvBoke.CheckNumeric(Request.Form("Best"))
P_PostContent = CheckAlipay()                                       ' CheckAlipay() is not shown on this page; presumably returns "" when it has nothing - confirm
If P_PostContent = "" Then P_PostContent = DvBoke.Checkstr(Request.Form("PostContent"))   ' post body: Checkstr only, so it is SQL-literal-safe but not HTML-safe
P_PostTitleNote = DvBoke.Checkstr(Request.Form("PostTitleNote"))    ' same: Checkstr only; whatever renders these two values must HTML-encode them at output
PostID = DvBoke.CheckNumeric(Request.Form("PostID"))
RootID = DvBoke.CheckNumeric(Request.Form("RootID"))
P_Weather = DvBoke.CheckNumeric(Request.Form("Weather"))

###########################################
bokemanage.aspļĲִԼ290

###########################################

' Form-parameter intake in bokemanage.asp (this page places it around line 290); same shape as the
' bokepostings.asp excerpt above: numeric fields via CheckNumeric, free text via Checkstr.
P_Lock = DvBoke.CheckNumeric(Request.Form("Lock"))
P_Best = DvBoke.CheckNumeric(Request.Form("Best"))
P_PostContent = CheckAlipay()                                       ' CheckAlipay() is not shown on this page; presumably returns "" when it has nothing - confirm
If P_PostContent = "" Then P_PostContent = DvBoke.Checkstr(Request.Form("PostContent"))   ' post body: Checkstr only (NUL strip + apostrophe doubling), no HTML encoding
P_PostTitleNote = DvBoke.Checkstr(Request.Form("PostTitleNote"))    ' same: Checkstr only; HTML-encode at the point of output
PostID = DvBoke.CheckNumeric(Request.Form("PostID"))

###########################################

checkstr()еĴ

###########################################

' Checkstr: the filter applied to every free-text form field in the excerpts above.
' Returns "" for Null; otherwise removes NUL characters and doubles apostrophes.
' It does not touch <, >, ", & or any other HTML metacharacter: its result is safe to place
' inside a SQL string literal only, and must still be HTML-encoded (Server.HTMLEncode or
' equivalent) wherever it is written into a page.
Public Function Checkstr(Str)
If Isnull(Str) Then             
                                ' Null in -> empty string out
CheckStr = ""
Exit Function 
End If
Str = Replace(Str,Chr(0),"")          ' drop NUL bytes.
                                      ' NOTE(review): VBScript passes arguments ByRef by default, so this reassignment
                                      ' also writes back when the caller passed a variable rather than an expression
CheckStr = Replace(Str,"''","''''")        ' double apostrophes so the value cannot close a SQL string literal.
                                           ' NOTE(review): as quoted on this page the literals show doubled quotes ('' -> '''');
                                           ' the shipped source presumably reads "'" -> "''" and the doubling is a display artifact - confirm
End Function

###########################################

BokeSearch.asp еĲִ

###########################################

' Query-parameter intake in BokeSearch.asp. Note Request() rather than Request.Form(): these
' values can arrive via the query string as well as a posted form.
SelType = DvBoke.CheckNumeric(Request("Sel"))
KeyWord = DvBoke.Checkstr(Request("KeyWord")) ' the same Checkstr as above: apostrophes doubled, no HTML encoding
DYear = DvBoke.CheckNumeric(Request("DY"))
DMonth = DvBoke.CheckNumeric(Request("DM"))

........

If KeyWord<>"" Then
Select Case SelType   ' Sel picks the column; KeyWord is spliced into a LIKE pattern below.
                      ' (This sits inside the If KeyWord<>"" on the previous line; its End If is beyond the quoted excerpt.)
                      ' Apostrophes in KeyWord were doubled by Checkstr, so the string literal stays closed.
                      ' Standard LIKE wildcards (% and _) are not escaped, which affects matching rather than the query structure.
                      ' KeyWord carries no HTML encoding: wherever the results page echoes the search term, encode it at output.
Case 2 ' search the Content column
    SqlStr = SqlStr &" and Content like ''%"&KeyWord&"%''"
Case 1 ' search the UserName column
    SqlStr = SqlStr &" and UserName like ''%"&KeyWord&"%''"
Case Else ' default: search the Title column
    SqlStr = SqlStr &" and Title like ''%"&KeyWord&"%''"
End Select

ƹ''˾Ϳע............
