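<%@ LANGUAGE=VBScript codepage ="936" %>
<%
' Sell one item owned by the logged-in user and credit half of its value.
'
' Flow:
'   1. Require an active session (TWT_ARR_ArgALL holds "name=id=grade").
'   2. Validate request("id") as an integer item ID (allow-list, not a blacklist).
'   3. Look up the item by ID *and* owner so a user cannot sell someone else's item.
'   4. Delete the item and credit 银两 = 数量 * 银两 / 2 in a single transaction;
'      equipment (类型 = 装备) additionally removes its 攻击/防御 bonus from the user.
'   5. Redirect back to dan.asp.
'
' Output: only the "no such item" message is written directly; every other path
' ends in a redirect.

Response.Expires = 0
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Pragma", "No-Cache"
Response.AddHeader "Cache-Control", "Private"
Response.CacheControl = "No-Cache"

' Session guard: the login flow stores "name=id=grade" in TWT_ARR_ArgALL.
If Session("TWT_ARR_ArgALL") = "" Then Response.End

TWT_ArrArg = Split(Session("TWT_ARR_ArgALL"), "=")
name  = TWT_ArrArg(0)
myid  = TWT_ArrArg(1)
grade = TWT_ArrArg(2)

' Item ID is concatenated into SQL, so it must be a plain integer.  The previous
' blacklist of characters (=, ', space, <, >, ...) is replaced by an allow-list:
' one to nine ASCII digits, nothing else.  Anything else goes to the error page.
id = Trim(Request("id"))
Set idPattern = New RegExp
idPattern.Pattern = "^\d{1,9}$"
If Not idPattern.Test(id) Then Response.Redirect "../error.asp?id=120"
id = CLng(id)

' The owner name is embedded as a string literal; double every single quote so a
' name containing ' cannot terminate the literal.
safeName = Replace(name, "'", "''")

Set conn = Server.CreateObject("ADODB.CONNECTION")
connstr = Application("hg_connstr")
conn.Open connstr

sql = "SELECT 类型,数量,银两,攻击,防御 FROM 物品 where ID=" & id & " and 拥有者='" & safeName & "'"
Set rs = conn.Execute(sql)

' No row: the item does not exist or is not owned by this user.
If rs.EOF And rs.BOF Then
    Response.Write "你无此物品!"
    rs.Close
    conn.Close
    Response.End
End If

lx2 = rs(0)
If lx2 = "物品" Then
    ' Plain goods (类型 = 物品) cannot be sold here; the page writes nothing and stops.
    rs.Close
    conn.Close
    Response.Write ""
    Response.End
End If

' Read every field before the recordset is released.
yin = rs(1) * rs(2) / 2      ' credit: quantity * unit value / 2
gj2 = rs(3)
fy2 = rs(4)
rs.Close
Set rs = Nothing

' The delete and the credit (and the stat removal for equipment) must all apply or
' none of them; run them in one ADO transaction and roll back on the first error
' instead of continuing silently past a failed statement.
On Error Resume Next
conn.BeginTrans
conn.Execute "delete * from 物品 where id=" & id
conn.Execute "update 用户 set 银两=银两+" & yin & " where 姓名='" & safeName & "'"
If lx2 = "装备" Then
    conn.Execute "update 用户 set 攻击=攻击-" & gj2 & ",防御=防御-" & fy2 & " where 姓名='" & safeName & "'"
End If
If Err.Number <> 0 Then
    conn.RollbackTrans
    Err.Clear
    conn.Close
    ' Reuses the page's existing error route; TODO confirm which error code fits a DB failure.
    Response.Redirect "../error.asp?id=120"
End If
conn.CommitTrans
On Error GoTo 0

conn.Close
Set conn = Nothing
Response.Redirect "dan.asp"
%>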