用ASP写一个登陆的文件,帐号密码的验证语句如下
select * from userid where username='"&txtname&"' and userpwd='"&txtpwd&"'
其中txtname和txtpwd是表单上的两个文本控件,据说这样存在严重的安全问题,有什么比较好的加密方法吗?
---------------------------------------------------------------
1
2dim sql
3dim rs
4dim username
5dim password
6username=replace(trim(request("username")),"'","")
7password=MD5(replace(trim(Request("password")),"'",""))
8
9set rs=server.createobject("adodb.recordset")
10sql="select * from admin where password='"&password&"' and username='"&username&"'"
11' response.write ""&sql&""
12' response.end
13rs.open sql,conn,1,1
14if not(rs.bof and rs.eof) then
15if password=rs("password") then
16response.cookies("admin")=rs("username")
17response.cookies("flag")=rs("flag")
18Response.Redirect "admin.asp"
19else
20Response.Redirect "admin_login.asp"
21end if
22else
23Response.Redirect "admin_login.asp"
24end if
25rs.close
26conn.close
27set rs=nothing
28set conn=nothing
29
---------------------------------------------------------------
在执行SQL语句前,做个判断
1recode=request.Form("code")
2repass=request.Form("pass")
3for i=1 to len(recode)
4us=mid(recode,i,1)
5if us="'" or us="%" or us="<" or us=">" or us="&" then
1<script language="JavaScript">alert("用户名不允许带有以下字符:\n\n ’ % 〈 〉 &\n\n 请重新输入!");
2history.go(-1);
3</script>
1response.end
2end if
3next