请教一段程序代码的修改方法,在线等!急!!!!!!!!!
namespace Speed.WebApp.Site.Pages{
using System;
using System.Collections;
using System.Data;
using System.Drawing;
using System.Web;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;
using Speed.Strings;
/// <summary>
/// Search : 文章搜索(高级搜索和一般搜索)。
/// </summary>
public class Search : basePage
{
protected Panel SearchPanel, ResultPanel;
protected Label label;
protected Repeater Repeater1;
private void Page_Load(object sender, System.EventArgs e)
{
initPage();
string where = Request.QueryString["where"];
string keyword =Server.HtmlEncode(Request.QueryString["keword"]);
string cid = Request.QueryString["cid"];
string beginDate= Request.QueryString["beginDate"];
string endDate = Request.QueryString["endDate"];
if( Object.Equals(where, null) &&
Object.Equals(keyword, null) &&
Object.Equals(cid, null) &&
Object.Equals(beginDate, null) &&
Object.Equals(endDate, null) )
{
SearchPanel.Visible = true;
}
else
{
ResultPanel.Visible = true;
// 路径参数集合
string strParames = "";
// 检索条件语句
string strCondition = "";
if( !Object.Equals(where, null) )
{
if( strCondition != "" ) strCondition += "AND ";
strParames += "where=" + where + "&";
if( !Object.Equals(keyword, null) ) strParames += "keyword=" + keyword + "&";
switch( where )
{
case "title" :
strCondition += "title LIKE '%" + keyword + "%' ";
break;
case "content" :
strCondition += "TextContent LIKE '%" + keyword + "%' ";
break;
case "author" :
strCondition += "author LIKE '%" + keyword + "%' ";
break;
case "userid" :
strCondition += "addUserid LIKE '%" + keyword + "%' ";
break;
default :
strCondition += "(title LIKE '%" + keyword + "%' OR TextContent LIKE '%" + keyword + "%') ";
break;
}
}
if( user.CheckValiable(cid) )
{
string ChildCollection = ci[cid, "ChildCollection"];
if( ChildCollection != "" )
{
if( strCondition != "" ) strCondition += "AND ";
strParames += "cid=" + cid + "&";
strCondition += "classid IN (" + ChildCollection + ") ";
}
}
if( user.CheckValiable(beginDate) )
{
if( strCondition != "" ) strCondition += "AND ";
strParames += "beginDate=" + beginDate + "&";
strCondition += "Addtime >= #" + beginDate + "# ";
}
if( user.CheckValiable(endDate) )
{
if( strCondition != "" ) strCondition += "AND ";
strParames += "endDate=" + endDate + "&";
strCondition += "Addtime <= #" + endDate + "# ";
}
if( user.CheckValiable(Request.QueryString["pagesize"]) )
{
strParames += "pagesize=" + bind.PageSize + "&";
}
if( strCondition != "" ) strCondition = " WHERE " + strCondition;
dp.CommandText = String.Format(cmd["Article", "SEARCH_INDEX"], strCondition);
DataTable dt = dp.DataTableSQL();
bind.totalRecord = dt.Rows.Count;
if( bind.totalRecord > 0 )
{
string indexStr = user.GetIndexStr(dt, bind.PageIndex, bind.PageSize);
dp.CommandText = string.Format(cmd["Article", "SEARCH"], indexStr);
DataTable Dt = dp.DataTableSQL();
Repeater1.DataSource = Dt.DefaultView;
Repeater1.DataBind();
label.Text = base.GetSplitPageString("/Speed/Index/Search.aspx?" + strParames + "");
}
else
{
label.Text = "本次检索没有您想要的文章,请更换检索条件再试!"; label.ForeColor = Color.Red;
}
label.Visible = true;
dt.Clear();
}
}
#region Web 窗体设计器生成的代码
override protected void OnInit(EventArgs e)
{
//
// CODEGEN: 该调用是 ASP.NET Web 窗体设计器所必需的。
//
InitializeComponent();
base.OnInit(e);
}
/// <summary>
/// 设计器支持所需的方法 - 不要使用代码编辑器
/// 修改此方法的内容。
/// </summary>
private void InitializeComponent()
{
this.Load += new System.EventHandler(this.Page_Load);
}
#endregion
void initPage()
{
SearchPanel.Visible = false;
ResultPanel.Visible = false;
label.Visible = false;
}
protected string ReplaceString(string str, string color)
{
if( user.CheckValiable(Request.QueryString["keyword"]) )
{
return str.Replace(Request.QueryString["keyword"], "<font color=" + color + ">" + Request.QueryString["keyword"] + "</font>");
}
else
{
return str;
}
}
}
}
现在我的问题是:想过对keword(是用来进行搜索输入文字内容)进行过滤,防止<script>脚本的执行,形成跨站攻击!
我的解决方法:string keyword =Server.HtmlEncode(Request.QueryString["keword"]);加:Server.HtmlEncode过滤参数编译成功,但是整个网站程序无法运行!现在想问问高人如何解决这个问题,怎样改?小弟:qq:22602028 如果大吓愿意帮忙的可以留个qq号码,多谢!可以把实际网站中研究! --------------------编程问答-------------------- 补充这是*.cs文件类型,必需要编译才能有效 --------------------编程问答-------------------- 现在便宜通过,网站也能运行了。但是<script>脚本还是要运行,球助高人!~
补充:.NET技术 , ASP.NET
