菜问题,帮忙看看,错在哪里,为何还是能绕过验证?
在用户名和密码处输入: 'or''=' 还是能绕过验证:(
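<%
' Admin login check.
'
' Why the earlier version could still be bypassed: Replace(text, find, replacement)
' was called as replace(x, "", "'"), i.e. with an EMPTY search string. VBScript's
' Replace returns the text unchanged when the search string is empty, so no quote
' was ever escaped and the raw input was concatenated straight into the SQL text.
' Rather than repairing the escaping (replace(x, "'", "''")), the lookup below
' binds both values as ADO parameters, so they are never parsed as SQL at all.
'
' Relies on an open ADO connection object named conn that is created outside
' this snippet.
' NOTE(review): request(...) also reads the query string and cookies; if the
' login form uses POST, Request.Form(...) would keep credentials out of URLs
' and server logs - confirm against the form before changing.
admin = trim(request("admin"))
if admin = "" then
    response.end
end if
pwd = trim(request("pwd"))

' ADO refuses a variable-length parameter whose size is 0, so an empty
' password is declared with size 1 (the bound value itself stays empty).
pwdSize = len(pwd)
if pwdSize = 0 then pwdSize = 1

set cmd = server.createobject("adodb.command")
set cmd.ActiveConnection = conn
cmd.CommandType = 1   ' adCmdText
cmd.CommandText = "select * from admin where admin=? and passwd=?"
' 202 = adVarWChar, 1 = adParamInput (literals used because adovbs.inc may not be included).
cmd.Parameters.Append cmd.CreateParameter("admin", 202, 1, len(admin), admin)
cmd.Parameters.Append cmd.CreateParameter("pwd", 202, 1, pwdSize, pwd)

' NOTE(review): pwd is compared directly with the passwd column, which suggests
' passwords are stored unhashed - confirm; storing a salted password hash and
' comparing hashes is the usual remedy.
set rs = server.createobject("adodb.recordset")
rs.open cmd, , 1, 1   ' adOpenKeyset, adLockReadOnly - same cursor options as before
if rs.bof or rs.eof then
    ' No matching row: report the failure and send the browser back.
    response.write"<SCRIPT language=JavaScript>alert('错误的用户或名密码,请重新输入!');"
    response.write"javascript:history.go(-1)</SCRIPT>"
    rs.close
    set rs = nothing
    set cmd = nothing
else
    ' Credentials matched: copy the account row into the session.
    session("admin")=admin
    session("userid")=rs("id")
    session("popedom")=rs("popedom")
    session("name")=rs("name")
    session("lasttime")=rs("lasttime")
    rs.close
    set rs = nothing
    set cmd = nothing
    ' CLng forces the id to a number before it is appended to the statement,
    ' so this query cannot carry anything but an integer.
    ' Assumes admin.id is an integer key (the original appended it unquoted) - confirm.
    sql1="update admin set lasttime=now() where id="&CLng(session("userid"))
    conn.execute sql1
    response.Redirect "index.asp"
end if %>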