1Response.expires=0
1
2'取出表单值 并进行VALUE处理
3userID=replace(trim(request("userID"))," ","")
4passID=replace(trim(request("passID")),"'","")
5passID=replace(passID," ","")
6'验证用户名与密码是否为空
7if userID="" or passID="" then
8response.write "
<script language="javascript">alert('用户名或密码为空!');history.go(-1)</script>
1"
2response.end
3end if
4
5sql="select * from v_登录 where 人员类别=0 and 身份证号='"&userID&"' and pwd='"&passID&"'"
6rs.open sql,conn,1,1
7if rs.eof or rs.bof then
8response.write "
<script language="javascript">alert('用户名或密码不正确,请重新填写!');history.go(-1)</script>
1"
2response.end
3else
4response.redirect "main.asp"
5response.end
6end if
7set rs=nothing
8set conn=nothing
---------------------------------------------------------------
to saimen2002(赛门)
不安全因素确实存在;请修改如下:
function sqlencode(strs) ' 新增函数,用于处理单引号,防止利用单引号来非法访问
sqlencode = replace(strs,"'","''")
end function
'修改如下:
sql="select * from v_登录 where 人员类别=0 and 身份证号='"&sqlencode(userID)&"' and pwd='"&sqlencode(passID)&"'"
---------------------------------------------------------------
呵呵 这样才叫安全
if len(request.form("pass"))<>len(rs("pass")) then "error!"
replace("request("user")","'","")
replace("request("user")","","")
replace("request("pass")","'","")
replace("request("pass")","","")
select user from tab where userid=clng(userid)
select pass from tab where pass=pass
用饭桶兄的sqlencode也是个好办法 用以上再出现问题 我负责
不出现问题就给我分~
---------------------------------------------------------------
直接检验不安全,以下代码是我为公司做的带点夸张手法的密码检验源程序的一部分,希望能抛砖引玉,其中SECURITY为表名
1 dim username,password,IPinfo,action,logondate
2username=request.form("username")
3password=request.form("password")
4
5..... '连结数据库的代码略
6conn=....
7........
8
9if username="" then
10response.write ("您未输入用户名!")
11response.end
12elseif password="" then
13response.write ("请输入密码!")
14response.end
15elseif instr(1,username,"<>")>1 or instr(1,username,"'")>1 or instr(1,password,"<>")>1 or instr(1,password,"'")>1 then
16
17IPinfo = Request.servervariables("REMOTE_ADDR")
18logondate =Cstr(now())
19
20action="IP地址"& ipinfo & "的用户企图以用户名为" & username & "密码" & password & " 登录系统!已被系统拒绝登录一次!时间:"& logondate
21
22response.write ("
<br/>
<b><font color="red">系统警告!</font></b>
<br/>
1")
2response.Write ("----------------------------------------------------------------------
<br/>
<br/>
1")
2response.Write ("提示:请不要尝试或企图以非法用户的身份进入系统!
<br/>
<br/>
1IP :" & IPinfo & "
<br/>
<br/>
1时间:" & logondate & "
<br/>
<br/>
1")
2response.write ("行为:企图以用户名为
<b><font color="red">" & username & "</font></b>
1密码
<font color="red"><b>"& password &" </b></font>
1登录系统!
<br/>
<br/>
1")
2response.write ("处理:系统已拒绝您的非法登录!
<br/>
<br/>
1")
2response.Write ("
<br/>
1您的IP地址和行为已被我们记录!")
2
3username=replace(username,"'","~")
4password=replace(password,"'","~")
5action=replace(action,"'","~")
6
7sql="Insert Into SECURITY (ipinfo,logondate,username,password,action) Values('"& ipinfo &"','"& logondate &"','"& username &"', '"& password &"','"& action & "')"
8Set rs=conn.Execute( sql )
9
10
11........
12
13
---------------------------------------------------------------
加一段过滤程序吧!
1
2'function entercheck(str)
3dim dist
4dim i
5dist=""
6for i = 1 to len(str)
7if mid(str,i,1)<>"'" and mid(str,i,1)<>"%" and ucase(mid(str,i,6))<>"SCRIPT" then
8dist=dist+mid(str,i,1)
9end if
10next
11dist=replace(dist,"<","<")
12dist=replace(dist,">",">")
13dist=replace(dist,"'","''")
14entercheck=dist
15end function
16
17
用它对输入的数据进行过滤,另外也要对用户注册时候输入的口令进行编辑,代码如下:
1
2function mistake(preString)
3Dim texts
4Dim seed
5Dim i,length
6prestring = trim(preString)
7length = len(preString)
8seed = length
9Randomize(length)
10texts = ""
11for i = 1 to length
12seed = int(94*rnd(-asc(mid(preString,i,1))-seed*asc(right(prestring,1)))+32)
13texts = texts & chr(seed) & chr(int(94*rnd(-seed)+32))
14next
15dim dist
16dist=""
17for i = 1 to len(texts)
18if asc(mid(texts,i,1))>64 and asc(mid(texts,i,1))<123 then
19dist=dist+mid(texts,i,1)
20end if
21next
22mistake = dist
23end function
我 通常都是这样做的