Is login code like this secure? Discussion welcome!

Response.expires=0

' rs and conn are assumed to be created in an included file (not shown in the post)
' Read the form values and clean them up
userID=replace(trim(request("userID"))," ","")
passID=replace(trim(request("passID")),"'","")
passID=replace(passID," ","")
' Check that the user name and password are not empty
if userID="" or passID="" then
    response.write "<script language=""javascript"">alert('用户名或密码为空!');history.go(-1)</script>"
    response.end
end if

sql="select * from v_登录 where 人员类别=0 and 身份证号='"&userID&"' and pwd='"&passID&"'"
rs.open sql,conn,1,1
if rs.eof or rs.bof then
    response.write "<script language=""javascript"">alert('用户名或密码不正确,请重新填写!');history.go(-1)</script>"
    response.end
else
    response.redirect "main.asp"
    response.end
end if
set rs=nothing
set conn=nothing

---------------------------------------------------------------

to saimen2002(赛门)

The unsafe element really is there; please change it as follows:

function sqlencode(strs) ' new function: handles single quotes, so a single quote cannot be used to gain unauthorized access
    sqlencode = replace(strs,"'","''")
end function

' Change the query to:
sql="select * from v_登录 where 人员类别=0 and 身份证号='"&sqlencode(userID)&"' and pwd='"&sqlencode(passID)&"'"
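Added example (Python with sqlite3, not code from this thread): the first post's input handling and the sqlencode fix above, side by side with a parameterized query. The v_login table and its rows are constructed stand-ins for v_登录; the column names are assumptions.

```python
import sqlite3

# Constructed stand-in for the thread's v_登录 view (column names are invented).
SCHEMA = """
CREATE TABLE v_login (category INTEGER, id_number TEXT, pwd TEXT);
INSERT INTO v_login VALUES (0, '110101199001011234', 'secret');
INSERT INTO v_login VALUES (0, 'O''Brien', 'pw2');
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def sqlencode(s):
    """The thread's sqlencode: doubling a single quote keeps it inside the SQL literal."""
    return s.replace("'", "''")

def first_post_filter(user_id, pass_id):
    """Input handling of the original post: spaces removed from both fields,
    single quotes removed only from the password, so a quote in the user id
    reaches the SQL text unchanged."""
    user_id = user_id.strip().replace(" ", "")
    pass_id = pass_id.strip().replace("'", "").replace(" ", "")
    return user_id, pass_id

def concat_query(user_id, pass_id, escape):
    """String-built login query, with or without sqlencode applied."""
    if escape:
        user_id, pass_id = sqlencode(user_id), sqlencode(pass_id)
    return ("select * from v_login where category=0 and id_number='"
            + user_id + "' and pwd='" + pass_id + "'")

def login_concat(conn, user_id, pass_id, escape):
    """Rows matched by the concatenated query, or None when the built SQL is
    not even valid because a stray quote ended the literal early."""
    try:
        return len(conn.execute(concat_query(user_id, pass_id, escape)).fetchall())
    except sqlite3.OperationalError:
        return None

def login_param(conn, user_id, pass_id):
    """Parameterized form: the driver binds the values, so quotes need no handling."""
    sql = "select * from v_login where category=0 and id_number=? and pwd=?"
    return len(conn.execute(sql, (user_id, pass_id)).fetchall())

def demo():
    conn = make_db()
    uid, pw = first_post_filter("O'Brien", "pw2")
    return (login_concat(conn, uid, pw, False),  # None: the quote breaks the literal
            login_concat(conn, uid, pw, True),   # 1: quote doubled, row found
            login_param(conn, uid, pw))          # 1: bound parameter, row found
```

In classic ASP the parameterized form corresponds to an ADODB.Command with CreateParameter/Parameters.Append rather than building the sql string by hand.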

---------------------------------------------------------------

Heh, this is what you call secure:

' Compare the lengths first; a mismatch is rejected before any further SQL
if len(request.form("pass"))<>len(rs("pass")) then response.write "error!"
' Strip single quotes and spaces from both inputs
user=replace(request("user"),"'","")
user=replace(user," ","")
pass=replace(request("pass"),"'","")
pass=replace(pass," ","")
' Cast the numeric id in VBScript before it goes into the SQL text
sql="select user from tab where userid=" & clng(userid)
sql="select pass from tab where pass='" & pass & "'"

Using brother 饭桶's sqlencode is also a good approach. If problems still turn up with the above, I take responsibility;
if no problems turn up, give me the points~

---------------------------------------------------------------

Checking the input directly is not safe. The code below is part of a password-checking program I wrote for my company, with a slightly theatrical touch; I hope it gets the discussion going. SECURITY is the table name.

dim username,password,IPinfo,action,logondate
username=request.form("username")
password=request.form("password")

..... ' database connection code omitted
conn=....
........

if username="" then
    response.write ("您未输入用户名!")
    response.end
elseif password="" then
    response.write ("请输入密码!")
    response.end
' instr returns the 1-based position, so > 0 means "found anywhere"; note "<>" is matched as the literal two-character sequence
elseif instr(1,username,"<>")>0 or instr(1,username,"'")>0 or instr(1,password,"<>")>0 or instr(1,password,"'")>0 then

    IPinfo = Request.servervariables("REMOTE_ADDR")
    logondate =Cstr(now())

    action="IP地址"& ipinfo & "的用户企图以用户名为" & username & "密码" & password & " 登录系统!已被系统拒绝登录一次!时间:"& logondate

    response.write ("<br/><b><font color=""red"">系统警告!</font></b><br/>")
    response.Write ("----------------------------------------------------------------------<br/><br/>")
    response.Write ("提示:请不要尝试或企图以非法用户的身份进入系统!<br/><br/>IP :" & IPinfo & "<br/><br/>时间:" & logondate & "<br/><br/>")
    response.write ("行为:企图以用户名为<b><font color=""red"">" & username & "</font></b>密码<font color=""red""><b>"& password &" </b></font>登录系统!<br/><br/>")
    response.write ("处理:系统已拒绝您的非法登录!<br/><br/>")
    response.Write ("<br/>您的IP地址和行为已被我们记录!")

    ' Replace single quotes before the values go into the logging insert
    username=replace(username,"'","~")
    password=replace(password,"'","~")
    action=replace(action,"'","~")

    sql="Insert Into SECURITY (ipinfo,logondate,username,password,action) Values('"& ipinfo &"','"& logondate &"','"& username &"', '"& password &"','"& action & "')"
    Set rs=conn.Execute( sql )

........ ' rest of the check omitted
end if

---------------------------------------------------------------

Add a filtering routine!

function entercheck(str)
    dim dist
    dim i
    dist=""
    for i = 1 to len(str)
        ' Drop single quotes and percent signs; the third test only drops the first
        ' character of a "script" match (case-insensitive), the rest is kept
        if mid(str,i,1)<>"'" and mid(str,i,1)<>"%" and ucase(mid(str,i,6))<>"SCRIPT" then
            dist=dist & mid(str,i,1)
        end if
    next
    dist=replace(dist,"<","&lt;")
    dist=replace(dist,">","&gt;")
    ' No-op in practice: the loop above has already removed every single quote
    dist=replace(dist,"'","''")
    entercheck=dist
end function

Use it to filter the input data. The password the user enters at registration should also be encoded; the code is as follows:

function mistake(preString)
    Dim texts
    Dim seed
    Dim i,length
    prestring = trim(preString)
    length = len(preString)
    seed = length
    Randomize(length)
    texts = ""
    for i = 1 to length
        ' Rnd with a negative argument reseeds the generator, so the result is
        ' a deterministic scramble of the input rather than a random value
        seed = int(94*rnd(-asc(mid(preString,i,1))-seed*asc(right(prestring,1)))+32)
        texts = texts & chr(seed) & chr(int(94*rnd(-seed)+32))
    next
    dim dist
    dist=""
    ' Keep only characters with ASCII codes 65..122 (letters plus [ \ ] ^ _ `)
    for i = 1 to len(texts)
        if asc(mid(texts,i,1))>64 and asc(mid(texts,i,1))<123 then
            dist=dist & mid(texts,i,1)
        end if
    next
    mistake = dist
end function

That is how I usually do it.
