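<%
' ---- Request filter ("防SQL注入") ----
' Coarse keyword blacklist over the query string and Host header. It is not a
' SQL-injection defence on its own: Request.Form, cookies and Request("...")
' lookups are not covered, and the token list also rejects legitimate values
' ("+", "(", "dir", "exe", ...). The statements further down the page must be
' safe without it; it is kept for compatibility with the original behaviour.
squery = LCase(Request.ServerVariables("QUERY_STRING"))
sURL = LCase(Request.ServerVariables("HTTP_HOST"))
allquery = squery & sURL
' Same token list as the original, except that "Update" is now lower-case:
' the original compared it against the already lower-cased allquery and could
' never match.
badTokens = Array("%20", "%27", "'", "%a1a1", "%24", "$", "%3b", ";", "%%", _
                  "%3c", "<", ">", "--", "sp_", "xp_", "exec", "\", "delete", _
                  "dir", "exe", "select", "update", "cmd", "*", "^", "(", ")", _
                  "+", "copy", "format")
blocked = False
For Each tok In badTokens
    If InStr(allquery, tok) <> 0 Then blocked = True
Next
' NOTE(review): IsNumeric("") is False, so a request carrying no id parameter
' appears to be redirected as well - confirm against the live site before
' changing this condition.
If blocked Or Not IsNumeric(Request("id")) Then
    Response.Redirect "/"
    Response.End
End If

' ---- Database connection ----
Dim conn, connstr
' The .mdb is resolved relative to this script, i.e. inside the web root.
' Keep it outside the document root (or block it with an IIS rule) so the
' file - including the [Admin] table and its md5 hashes - cannot be fetched
' directly.
connstr = "DBQ=" & Server.MapPath("#Date.mdb") & ";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
' On Error Resume Next stays in force for the rest of the page, as in the
' original (later code relies on it). The connection result is now checked
' instead of being ignored: the old code swallowed a failed Open and every
' subsequent conn.Execute then failed silently.
On Error Resume Next
Set conn = Server.CreateObject("ADODB.CONNECTION")
conn.Open connstr
If Err.Number <> 0 Then
    ' Fail closed without echoing Err.Description (it contains the file path).
    Err.Clear
    Response.Status = "500 Internal Server Error"
    Response.End
End If

' ---- HTML encoding helpers ("过滤代码") ----
' Entries are stored already encoded and printed as-is. In the copy reviewed
' the entity literals had been rendered back to raw characters (">" -> ">"),
' which turned every replacement into a no-op; they are restored here. "&" is
' encoded first (and decoded last in uhtmlencode) so entities typed by a
' visitor do not survive as markup.
Function htmlencode(fString)
    ' Returns fString with HTML-significant characters replaced by entities,
    ' CR removed and LF turned into line-break / paragraph markup.
    ' Null in -> no assignment (Empty out), as before.
    If Not IsNull(fString) Then
        fString = Replace(fString, "&", "&amp;")
        fString = Replace(fString, ">", "&gt;")
        fString = Replace(fString, "<", "&lt;")
        fString = Replace(fString, Chr(32), "&nbsp;")
        fString = Replace(fString, Chr(9), "&nbsp;")
        fString = Replace(fString, Chr(34), "&quot;")
        fString = Replace(fString, Chr(39), "&#39;")
        fString = Replace(fString, Chr(13), "")
        ' The exact tags used for the two line-break forms were stripped from
        ' the copy reviewed; <p> / <br> are the conventional choice.
        fString = Replace(fString, Chr(10) & Chr(10), "<p>")
        fString = Replace(fString, Chr(10), "<br>")
        htmlencode = fString
    End If
End Function

Function uhtmlencode(fString)
    ' Inverse of htmlencode, used when stored text is re-edited: markup back
    ' to LF first, then entities back to characters, "&amp;" last. (The
    ' original also contained Replace(fString, "", Chr(13)) - a no-op, since
    ' Replace with an empty search string returns its input - and a second
    ' &nbsp; -> Chr(9) step that could never match; both dropped.)
    If Not IsNull(fString) Then
        fString = Replace(fString, "<p>", Chr(10) & Chr(10))
        fString = Replace(fString, "<br>", Chr(10))
        fString = Replace(fString, "&nbsp;", Chr(32))
        fString = Replace(fString, "&quot;", Chr(34))
        fString = Replace(fString, "&#39;", Chr(39))
        fString = Replace(fString, "&lt;", "<")
        fString = Replace(fString, "&gt;", ">")
        fString = Replace(fString, "&amp;", "&")
        uhtmlencode = fString
    End If
End Function

' ---- Admin gate ("判断是否登陆") ----
Function checkadmin()
    ' Redirects to the login form unless the session holds an admin name.
    ' The name is not re-checked against the [Admin] table per request; it
    ' was placed in the session by the login handler.
    If Session("Admin") = "" Then
        Response.Redirect "?action=login"
        Response.End
    End If
End Function

' ---- Request parameters used by the dispatcher ----
action = Request.QueryString("action")
id = Request.QueryString("id")
' Only the query-string id is used, and it must be numeric when present.
If id <> "" And Not IsNumeric(id) Then
    Response.Write ""
    Response.End
End If
%> 合作留言:上海欣车汇汽车租赁『租车电话:021-34530922』专业婚庆租车,商务租车提供商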

合作留言:

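<%
Select Case action

    ' ---- del: remove one entry (admin only) ----
    Case "del"
        checkadmin
        If id = "" Then
            Response.Write ""
            Response.End
        End If
        ' id was checked with IsNumeric at the top of the page; CLng makes it
        ' a plain integer, so no request text reaches the statement.
        conn.Execute("DELETE FROM [book] WHERE id=" & CLng(id))
        Response.Write ""
        Response.End

    ' ---- add: store a visitor entry ----
    Case "add"
        Dim From_url, Serv_url
        From_url = CStr(Request.ServerVariables("HTTP_Referer"))
        Serv_url = CStr(Request.ServerVariables("Server_Name"))

        Function RefererHost(url)
            ' Host name of an absolute http(s) URL without port or path; ""
            ' when the scheme is missing. Userinfo and IPv6 literals are not
            ' handled (they were not accepted by the original check either).
            Dim rest, cut
            If LCase(Left(url, 7)) = "http://" Then
                rest = Mid(url, 8)
            ElseIf LCase(Left(url, 8)) = "https://" Then
                rest = Mid(url, 9)
            Else
                RefererHost = ""
                Exit Function
            End If
            cut = InStr(rest & "/", "/")
            rest = Left(rest, cut - 1)
            cut = InStr(rest & ":", ":")
            RefererHost = Left(rest, cut - 1)
        End Function

        ' Same-site check on the Referer. The original compared only a prefix
        ' (Mid(From_url, 8, Len(Serv_url))), which also accepted any host that
        ' merely starts with the server name and rejected https referers; the
        ' whole host is compared now. Referer remains a weak CSRF signal (it
        ' can be absent or client-controlled); a per-session form token would
        ' be the proper fix but needs the form markup, which is not in this copy.
        If StrComp(RefererHost(From_url), Serv_url, vbTextCompare) <> 0 Then
            Response.Write ""
            Response.End
        Else
            ' Fields are stored HTML-encoded. No server-side length or
            ' emptiness checks exist, as before.
            Name = htmlencode(Request.Form("Name"))
            Qq = htmlencode(Request.Form("Qq"))
            Sj = htmlencode(Request.Form("Sj"))
            Mail = htmlencode(Request.Form("Mail"))
            Info = htmlencode(Request.Form("Info"))
            Set mRs = Server.CreateObject("adodb.recordSet")
            mRs.Open "Select * from book", conn, 1, 3
            mRs.AddNew
            mRs("Name") = Name
            mRs("Mail") = Mail
            mRs("Qq") = Qq
            mRs("Sj") = Sj
            mRs("Info") = Info
            mRs("time") = Now()
            mRs.Update
            mRs.Close
            Set mRs = Nothing
            Response.Write ""
            Response.End
        End If

    ' ---- Reply: admin edits an entry and stores the reply ----
    Case "Reply"
        checkadmin
        If id = "" Then
            Response.Write ""
            Response.End
        End If
        Reply = htmlencode(Request.Form("Reply"))
        Name = htmlencode(Request.Form("Name"))
        Qq = htmlencode(Request.Form("Qq"))
        Sj = htmlencode(Request.Form("Sj"))
        Mail = htmlencode(Request.Form("Mail"))
        ' The form re-posts the stored (encoded) text: decode, then re-encode.
        Info = htmlencode(uhtmlencode(Request.Form("Info")))
        Set mRs = Server.CreateObject("adodb.recordSet")
        ' The original built this with Request("Id"), which searches Form and
        ' Cookies as well as the query string; the checked query-string id is
        ' used explicitly, coerced to an integer, so the IsNumeric check
        ' cannot be sidestepped.
        Sql = "Select * from Book where Id=" & CLng(id)
        mRs.Open Sql, conn, 1, 3
        If mRs.EOF Then
            ' Unknown id: the original assigned into an empty recordset and
            ' the resulting error was hidden by On Error Resume Next.
            mRs.Close
            Set mRs = Nothing
            Response.Write ""
            Response.End
        End If
        mRs("Name") = Name
        mRs("Qq") = Qq
        mRs("Sj") = Sj
        mRs("Mail") = Mail
        mRs("Info") = Info
        mRs("Reply") = Reply
        mRs.Update
        mRs.Close
        Set mRs = Nothing
        Response.Write ""
        Response.End

    ' ---- modpassed: change the admin name/password (admin only) ----
    Case "modpassed"
        checkadmin
        User = htmlencode(Request.Form("User"))
        ' md5() is not defined in this file. The stored hashes are unsalted
        ' and fast, so they stay exposed to offline guessing if the .mdb
        ' leaks; a salted slow hash would need a schema change.
        oldpass = md5(Request.Form("oldpass"))
        newpass = md5(Request.Form("newpass"))
        newpass2 = md5(Request.Form("confirm"))

        Sub Checkpass(password)
            ' Ends the response unless (current admin, password hash) matches
            ' an [Admin] row. Parameterised so that neither the session value
            ' nor the hash is spliced into the SQL text.
            Dim chk
            Set chk = Server.CreateObject("ADODB.Command")
            Set chk.ActiveConnection = conn
            chk.CommandText = "SELECT * FROM [Admin] WHERE user=? AND pass=?"
            chk.Parameters.Append chk.CreateParameter("user", 202, 1, 255, CStr(Session("Admin")))
            chk.Parameters.Append chk.CreateParameter("pass", 202, 1, 255, CStr(password))
            Set mRs = chk.Execute
            If mRs.EOF Then
                Response.Write ""
                Response.End
            End If
        End Sub

        ' The confirmation hash was computed but never compared in the original.
        If newpass <> newpass2 Then
            Response.Write ""
            Response.End
        End If
        ' Verify the old password before touching the row.
        Checkpass oldpass
        Dim upd
        Set upd = Server.CreateObject("ADODB.Command")
        Set upd.ActiveConnection = conn
        upd.CommandText = "update [Admin] Set pass=?,User=? WHERE user=?"
        upd.Parameters.Append upd.CreateParameter("pass", 202, 1, 255, CStr(newpass))
        upd.Parameters.Append upd.CreateParameter("User", 202, 1, 255, CStr(User))
        upd.Parameters.Append upd.CreateParameter("who", 202, 1, 255, CStr(Session("Admin")))
        upd.Execute
        ' Force a fresh login with the new credentials.
        Session.Contents.Remove("Admin")
        Response.Write ""
        Response.End

    ' ---- logout ----
    Case "logout"
        Session.Contents.Remove("Admin")
        Response.Write ""
        Response.End

    ' ---- logincheck: verify posted credentials ----
    Case "logincheck"
        User = htmlencode(Request.Form("User"))
        password = md5(Request.Form("password"))

        Function CheckLogin(User, password)
            ' Looks up (User, password hash) with a parameterised query and
            ' starts the admin session on a match; every path ends the
            ' response, as in the original. There is no attempt throttling
            ' or lockout on this handler.
            Dim cmd
            Set cmd = Server.CreateObject("ADODB.Command")
            Set cmd.ActiveConnection = conn
            cmd.CommandText = "SELECT * FROM [admin] WHERE user=? AND pass=?"
            cmd.Parameters.Append cmd.CreateParameter("user", 202, 1, 255, CStr(User))
            cmd.Parameters.Append cmd.CreateParameter("pass", 202, 1, 255, CStr(password))
            Set mRs = cmd.Execute
            If Not mRs.EOF Then
                Session("admin") = mRs("user")
                Response.Write ""
                Response.End
            Else
                Response.Write ""
                Response.End
            End If
        End Function

        CheckLogin User, password

    ' ---- login: render the login form ----
    Case "login"
%>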

 · 管理登陆 ·
管理员:
密  码:
   



<%
    ' ---- modpass: render the admin account/password form (admin only) ----
    Case "modpass"
        checkadmin
%>
 · 管理员帐号修改 ·
登录名: " maxlength="16" class="input">
旧密码:
新密码:
确  认:
   



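<%
    ' ---- reply: render the reply form for one entry (admin only) ----
    Case "reply"
        checkadmin
        If id = "" Then
            Response.Write ""
            Response.End
        End If
        ' id passed IsNumeric at the top of the page; CLng makes it a plain
        ' integer so no request text is spliced into the statement. The
        ' recordset is read by the form below and released afterwards.
        Set mRs = conn.Execute("SELECT * FROM [book] WHERE id=" & CLng(id))
        If mRs.EOF Then
            Response.Write ""
            Response.End
        End If
%>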
 · 回复合作留言 ·
联系人: " class="input">
电 话: " class="input">
手 机: " class="input">
邮 箱: " class="input">
留 言:
回复:
   



<%
        ' Release the recordset opened for the reply form.
        mRs.close
        Set mRs=nothing
    ' ---- default: entry form and paged list ----
    Case Else
%>
  假如您是代表一家政府机构,企业,组织,俱乐部或社会团体,欲寻求一个汽车租赁公司成为您的长期合作伙伴,那么我们的业务合作项目就是专门为您而定。请留下您的需求信息,我们会马上与您联系。
 · 填写合作留言 ·
联系人:
电 话:
手 机:
邮 箱:
留 言: *
   

 · 合作留言列表 · <% If Session("admin")<>"" then Response.Write "欢迎管理员『 "&Session("admin")&" 』" Response.Write "  修改帐号" Response.Write "  退出管理" Else Response.Write"管理员登录" End If %>
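<%
    ' List page: open the whole guestbook newest-first and position on the
    ' requested page. The statement contains no request text.
    Sql = "select * from [book] order by id desc"
    Set mRs = Server.CreateObject("adodb.recordSet")
    mRs.Open sql, conn, 1, 1
    If mRs.BOF And mRs.EOF Then
        Response.Write "没有任何记录"
        Response.End
    Else
        mRs.PageSize = 6            ' records per page
        iCount = mRs.RecordCount    ' total records
        iPageSize = mRs.PageSize
        maxpage = mRs.PageCount
        ' Accept only a short run of digits for "page". The original used
        ' IsNumeric + CInt, which also accepts forms such as "1e5" or "&HFF"
        ' and overflows above 32767; under the page-wide On Error Resume Next
        ' that left page holding the raw request string.
        page = CStr(Request("page"))
        Set rePage = New RegExp
        rePage.Pattern = "^\d{1,9}$"
        If rePage.Test(page) Then
            page = CLng(page)
        Else
            page = 1
        End If
        If page < 1 Then
            page = 1
        ElseIf page > maxpage Then
            page = maxpage
        End If
        mRs.AbsolutePage = page
        ' Number of rows on the current page (assigned as in the original;
        ' not read in this copy).
        If page = maxpage Then
            x = iCount - (maxpage - 1) * iPageSize
        Else
            x = iPageSize
        End If
    End If
    For i = 1 To mRs.PageSize
%>
<% Response.Write("" & CStr(i) & "") %> 姓名为: <% =mRs("Name") %> <% =mRs("Time") %> 的合作留言: <%
    ' Reply / delete entries for admins (link markup absent from this copy).
    If Session("Admin") <> "" Then
        Response.Write " 回复"
        Response.Write " 删除"
    End If
%>
<% = mRs("Info") %> <% If mRs("reply")<>"" then Response.Write"
管理员回复:
"&mRs("Reply")&"
" End If %>
<%
        mRs.MoveNext
        If mRs.EOF Then Exit For
    Next
    mRs.Close
    Set mRs = Nothing
%>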
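<%
    ' The second string argument and several Response.Write strings inside
    ' PageControl held HTML in the original; this copy shows only their text.
    Call PageControl(iCount, maxpage, page, "border=0 align=center", "

")

Sub PageControl(iCount, pagecount, page, table_style, font_style)
    ' Writes the first / previous / next / last pager and the "go to page"
    ' control. iCount - total entries; pagecount - number of pages; page -
    ' current 1-based page; table_style / font_style - markup passed through.
    Dim query, a, x, temp
    ' Assigns the page-level "action" variable, as the original did; the
    ' Select Case has already been dispatched, so nothing in this copy reads
    ' it afterwards.
    action = "http://" & Request.ServerVariables("HTTP_HOST") & Request.ServerVariables("SCRIPT_NAME")
    ' Rebuild the query string minus "page" for the pager links. Each part is
    ' HTML-encoded before reuse: QUERY_STRING is request-controlled and the
    ' page-level blacklist does not include the double quote, so an unencoded
    ' value could terminate a link attribute. A parameter without "=" used to
    ' raise "Subscript out of range" on a(1).
    query = Split(Request.ServerVariables("QUERY_STRING"), "&")
    For Each x In query
        a = Split(x, "=")
        If UBound(a) >= 1 Then
            If StrComp(a(0), "page", vbTextCompare) <> 0 Then
                temp = temp & Server.HTMLEncode(a(0)) & "=" & Server.HTMLEncode(a(1)) & "&"
            End If
        End If
    Next
    Response.Write("")
    Response.Write("")
    Response.Write("")
    Response.Write("
")
    If page <= 1 Then
        Response.Write("首页 ")
        Response.Write("上一页 ")
    Else
        Response.Write("首页 ")
        Response.Write("上一页 ")
    End If
    If page >= pagecount Then
        Response.Write("下一页 ")
        Response.Write("尾页 ")
    Else
        Response.Write("下一页 ")
        Response.Write("尾页 ")
    End If
    Response.Write(" 页次:" & page & "/" & pageCount & "页")
    Response.Write(" 共有" & iCount & "条留言")
    Response.Write(" 转到" & "" & "页 ")
    Response.Write("
")
End Sub

End Select

conn.Close
Set conn = Nothing
%>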