第一次用asp.net开发,后台登陆以及安全,大家过来看看安全不。
public partial class EduAdmin : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
if (!IsPostBack)
{
Session.Clear();
}
}
protected void Button2_Click(object sender, EventArgs e)
{
TextBox1.Text = "";
TextBox2.Text = "";
}
private string ClearInputString(string inputstring, int maxlength)
{
StringBuilder sb = new StringBuilder();
if ((inputstring != null) && (inputstring != string.Empty))
{
inputstring = inputstring.Trim();
if (inputstring.Length > maxlength)
{
inputstring = inputstring.Substring(0, maxlength);
}
for (int i = 0; i < inputstring.Length; i++)
{
switch (inputstring[i])
{
case ' ': sb.Append(""); break;
case '"': sb.Append(""); break;
case '>': sb.Append(""); break;
case '<': sb.Append(""); break;
default: sb.Append(inputstring[i]); break;
}
}
sb.Replace("'", "");
}
return (sb.ToString());
}
protected void Button1_Click(object sender, EventArgs e)
{
if (Session != null)
{
JWC_Sql Exsql = new JWC_Sql();
Exsql.Open();
string coluser=TextBox1.Text.ToString();
string colpwd=FormsAuthentication.HashPasswordForStoringInConfigFile((TextBox2.Text.ToString()),"md5");
string sql = "SELECT * FROM jw_colset WHERE jw_colsetuser='" + ClearInputString(coluser,coluser.Length) + "' and jw_colsetpass ='" + ClearInputString(colpwd, colpwd.Length) + "'";
SqlCommand Comm = new SqlCommand(sql, Exsql.con);
SqlDataReader dr = Comm.ExecuteReader();
if (dr.Read())
{
Session["SetName"] = dr["jw_colsetuser"];
Session["SetCode"]=dr["jw_colsetcode"];
Response.Redirect("EduCollege/Default2.aspx");
}
TextBox1.Text = "";
TextBox2.Text = "";
}
}
private string ClearInputString(string coluser)
{
throw new Exception("The method or operation is not implemented.");
}
}
这样在后台里每一个页面page_load插入
if (Session["SetName"] == null)
{
Response.Redirect("../EduLogin.aspx");
}
就安全可以了?
有没有漏洞..