SQL statement for login validation

I wrote a login page in ASP; the account/password validation statement is as follows:
select * from userid where username='"&txtname&"' and userpwd='"&txtpwd&"'
Here txtname and txtpwd are two text controls on the form. I have heard that this has a serious security problem. Is there a good encryption method?
---------------------------------------------------------------

dim sql
dim rs
dim username
dim password
' trim whitespace and strip single quotes from the posted values
username=replace(trim(request("username")),"'","")
' MD5() is a hashing function assumed to be defined elsewhere (e.g. an included md5.asp)
password=MD5(replace(trim(Request("password")),"'",""))

' conn is assumed to be an already opened ADODB.Connection
set rs=server.createobject("adodb.recordset")
sql="select * from admin where password='"&password&"' and username='"&username&"'"
' response.write ""&sql&""
' response.end
rs.open sql,conn,1,1
if not(rs.bof and rs.eof) then
    ' a row matched; compare the hash again before issuing the session cookies
    if password=rs("password") then
        response.cookies("admin")=rs("username")
        response.cookies("flag")=rs("flag")
        Response.Redirect "admin.asp"
    else
        Response.Redirect "admin_login.asp"
    end if
else
    Response.Redirect "admin_login.asp"
end if
rs.close
conn.close
set rs=nothing
set conn=nothing

---------------------------------------------------------------

Do a check before executing the SQL statement:

recode=request.Form("code")
repass=request.Form("pass")
' reject the user name if it contains any of the blacklisted characters
for i=1 to len(recode)
    us=mid(recode,i,1)
    if us="'" or us="%" or us="<" or us=">" or us="&" then
%>
<script language="JavaScript">alert("用户名不允许带有以下字符:\n\n ’ % 〈 〉 &\n\n 请重新输入!");
history.go(-1);
</script>
<%
        response.end
    end if
next
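Both answers above keep building the query by string concatenation and try to filter the input (stripping quotes, or blacklisting a few characters). The added example below is not from the original thread: it rewrites the same admin login with a parameterized ADODB.Command, so the user's input is passed to the driver as data and never becomes part of the SQL text, which makes the character blacklist unnecessary. It assumes an already opened ADODB.Connection named conn, an admin table with username, password and flag columns, and an MD5() function defined elsewhere, as in the first answer.

```vbscript
<%
' Added example: parameterized login query (not the original poster's code).
' Assumes: open ADODB.Connection "conn", table admin(username, password, flag),
' and a hashing function MD5() included from elsewhere.
Const adVarChar = 200      ' ADODB DataTypeEnum
Const adParamInput = 1     ' ADODB ParameterDirectionEnum
Const adCmdText = 1        ' ADODB CommandTypeEnum

Dim username, password, cmd, rs
username = Trim(Request.Form("username"))
password = MD5(Trim(Request.Form("password")))   ' hashed as in the first answer

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' '?' placeholders are bound by the driver; a quote, '%' or '--' in the input is
' only ever compared as a value, never parsed as SQL.
cmd.CommandText = "SELECT username, password, flag FROM admin " & _
                  "WHERE username = ? AND password = ?"
cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 50, username)
cmd.Parameters.Append cmd.CreateParameter("password", adVarChar, adParamInput, 32, password)

Set rs = cmd.Execute

If Not (rs.BOF And rs.EOF) Then
    ' exactly this user/hash pair exists: issue the session cookies
    Response.Cookies("admin") = rs("username")
    Response.Cookies("flag") = rs("flag")
    rs.Close
    Response.Redirect "admin.asp"
Else
    rs.Close
    Response.Redirect "admin_login.asp"
End If

Set rs = Nothing
Set cmd = Nothing
%>
```

Because the parameters carry the input, a value such as `' or '1'='1` simply fails to match any username instead of altering the WHERE clause.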