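' Admin login: read the submitted credentials, look them up with a
' parameterized query and mark the session as admin on a match.
' NOTE(review): the enclosing Function header lies above this excerpt;
' the `exit function` statements below return from it.
set conn = Server.CreateObject("adodb.connection")
conn.Open connstr
set rs = Server.CreateObject("adodb.recordset")
gUID=GetForm("adminNick","str","")
gPWD=GetForm("adminPass","str","")
if gUID<>"" and gPWD<>"" then
' The quote/semicolon blacklist below only preserves the existing
' "hacker.asp" flow; it is not the injection defense. The credentials
' reach SQL only as bound parameters (see the adodb.command block).
if instr(gUID,"'")>0 or instr(gUID,";")>0 then
iserror=1
%>
<script language=VBS>
msgbox ("想黑我?要找对地方!我是龌龊,你也比我好不到什么地方去,你不用跳板,我告死你")
location.href = "hacker.asp"
</script>
<%
' conn is left open on this path as in the original -- TODO confirm whether
' the caller still needs it; otherwise close it before returning.
exit function
end if
if instr(gPWD,"'")>0 or instr(gPWD,";")>0 then
iserror=1
%>
<script language=VBS>
msgbox ("想黑我?要找对地方!我是龌龊,你也比我好不到什么地方去,你不用跳板,我告死你")
location.href = "hacker.asp"
</script>
<%
exit function
end if
' Bind both values as parameters instead of concatenating them into the
' statement text, so a quote or comment sequence in the input cannot alter
' the query. Only suid is selected: the result is used just to test for a
' match. ADO constants: 1 = adCmdText / adParamInput, 200 = adVarChar; the
' parameter type and size (255 here) should match the definitions of
' user.suid / user.spwd -- TODO confirm against the schema.
' spwd is compared directly with the submitted value, which implies the
' stored value is directly comparable to what the user types -- verify.
set cmd = Server.CreateObject("adodb.command")
set cmd.ActiveConnection = conn
cmd.CommandType = 1
cmd.CommandText = "select suid from user where suid=? and spwd=?"
cmd.Parameters.Append cmd.CreateParameter("suid", 200, 1, 255, gUID)
cmd.Parameters.Append cmd.CreateParameter("spwd", 200, 1, 255, gPWD)
set rs = cmd.Execute
if rs.EOF then
' No row matched: report the failure client-side and leave iserror set so
' the redirect to index.asp below is skipped.
iserror=1
%>
<script language=VBS>
msgbox ("用户名密码错误,请重新登陆")
location.href = "login.asp"
</script>
<%
else
session("admin")=true
end if
rs.CLOSE
set rs=nothing
set cmd=nothing
if iserror=0 and getForm("bottom","str","")="进入" then
conn.close
set conn=nothing
Response.Redirect "index.asp"
end if
end if
%>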
' Scan the user name for characters the page refuses to accept. This is
' equivalent to the per-character loop it replaces: any occurrence sends a
' client-side alert, moves the browser back one page and ends the response,
' so only the first hit ever matters. It is a character blacklist, not
' output encoding; treat it as an input sanity check only.
hasBadChar = false
for each bannedChar in array("'", "%", "<", ">", "&")
if instr(name, bannedChar) > 0 then hasBadChar = true
next
if hasBadChar then
%>
<SCRIPT LANGUAGE=javascript>
window.alert("请输入正确用户名!");
history.go(-1)
</SCRIPT>
<%
response.end
end if
按这种方式处理一下特殊符号试试!