28,391
社区成员
发帖
与我相关
我的任务
分享关于用户登录问题,帮忙看看这段代码怎么啦??
我的用户表有三个字段:UserID,PWD,Admingroup
如果Admingroup为0就是管理员进入管理界面,如果为1就是普通用户录入界面,可是我的这段代码怎么不能实现呀?
<%
Function CheckPwd( UserID, PWD )
Dim conn, param, rs
connstr="Provider=SQLOLEDB;Data Source=XUJIA;Database=showroom;UID=sa;Pwd="
set conn=server.createobject("ADODB.CONNECTION")
conn.open connstr
sql = "Select * From tblUser Where UserID='" & UserID & "' And PWD = '" & PWD & "'"
Set Session("Userrs") = conn.Execute( sql )
If Session("Userrs").EOF Then
CheckPwd = False
Else
CheckPwd = True
End If
sqlAdmingroup="select Admingroup from tblUser where UserID='" & UserID& "'"
set ad=conn.execute(sqlAdmingroup)
End Function
%>
<%
If IsEmpty(Session("Passed")) Then Session("Passed") = False
Head = "<font size='2' face='Arial'>请输入用户名和密码</font>"
UserID = Request("UserID")
PWD = Request("PWD")
Admingroup = Request("Admnigroup")
If UserID = "" Or PWD = "" Then
Head = ""
ElseIf not CheckPwd( UserID, PWD ) Then
Head = "<font size='2' face='Arial'>信息有误!请重新输入</font>"
Elseif ad="0" then
Session("UserID") = Session("Userrs")(0)
response.redirect "admin.asp"
Elseif ad="1" then
Session("UserID") = Session("Userrs")(0)
response.redirect "localadmin.asp"
else
Session("UserID") = Session("Userrs")(0)
response.redirect "register.asp"
End If
%>
如果Admingroup为0就是管理员进入管理界面,如果为1就是普通用户录入界面,可是我的这段代码怎么不能实现呀?
<%
Function CheckPwd( UserID, PWD )
Dim conn, param, rs
connstr="Provider=SQLOLEDB;Data Source=XUJIA;Database=showroom;UID=sa;Pwd="
set conn=server.createobject("ADODB.CONNECTION")
conn.open connstr
sql = "Select * From tblUser Where UserID='" & UserID & "' And PWD = '" & PWD & "'"
Set Session("Userrs") = conn.Execute( sql )
If Session("Userrs").EOF Then
CheckPwd = False
Else
CheckPwd = True
End If
sqlAdmingroup="select Admingroup from tblUser where UserID='" & UserID& "'"
set ad=conn.execute(sqlAdmingroup)
End Function
%>
<%
If IsEmpty(Session("Passed")) Then Session("Passed") = False
Head = "<font size='2' face='Arial'>请输入用户名和密码</font>"
UserID = Request("UserID")
PWD = Request("PWD")
Admingroup = Request("Admnigroup")
If UserID = "" Or PWD = "" Then
Head = ""
ElseIf not CheckPwd( UserID, PWD ) Then
Head = "<font size='2' face='Arial'>信息有误!请重新输入</font>"
Elseif ad="0" then
Session("UserID") = Session("Userrs")(0)
response.redirect "admin.asp"
Elseif ad="1" then
Session("UserID") = Session("Userrs")(0)
response.redirect "localadmin.asp"
else
Session("UserID") = Session("Userrs")(0)
response.redirect "register.asp"
End If
%>
...全文
请发表友善的回复…
发表回复
Brookes 2003-08-18
- 打赏
- 举报
1。你的登陆验证语句有重大漏洞!
sql = "Select * From tblUser Where UserID='" & UserID & "' And PWD = '" & PWD & "'"
设想,如果有人输入username name'or'1'='1,。。。。。?
改为:
sql = "Select password From tblUser Where UserID='" & UserID
然后验证密码是否一直就可以了
2.不要使用这样的验证方法,既然写了验证函数,为何只验证用户名和密码的正确性?
考虑这样:
如果通过,则返回Admingroup,如果不通过,则返回-1.
你只需要读取函数返回值就可以根据情况处理了!
sql = "Select * From tblUser Where UserID='" & UserID & "' And PWD = '" & PWD & "'"
设想,如果有人输入username name'or'1'='1,。。。。。?
改为:
sql = "Select password From tblUser Where UserID='" & UserID
然后验证密码是否一直就可以了
2.不要使用这样的验证方法,既然写了验证函数,为何只验证用户名和密码的正确性?
考虑这样:
如果通过,则返回Admingroup,如果不通过,则返回-1.
你只需要读取函数返回值就可以根据情况处理了!
skyweave 2003-08-18
- 打赏
- 举报
看一看你的ad有没有在Function CheckPwd( UserID, PWD )之外定义
如果没有定义ad将是一个局部变量,离开Function CheckPwd之后,就变成了nothing。
下面引用ad就不对了。
个人感觉你的这些代码太乱,Function CheckPwd就应该只做Check Password的功能,不应该再增加返回AdminGroup的功能,你应该再写一个方法Function GetAdminGroup,这样代码的结构才能够清晰。
如果没有定义ad将是一个局部变量,离开Function CheckPwd之后,就变成了nothing。
下面引用ad就不对了。
个人感觉你的这些代码太乱,Function CheckPwd就应该只做Check Password的功能,不应该再增加返回AdminGroup的功能,你应该再写一个方法Function GetAdminGroup,这样代码的结构才能够清晰。
tigerwen01 2003-08-18
- 打赏
- 举报
...
If UserID = "" Or PWD = "" Then
Head = ""
ElseIf not CheckPwd( UserID, PWD ) Then
Head = "<font size='2' face='Arial'>信息有误!请重新输入</font>"
Elseif ad("Admingroup")="0" then
Session("UserID") = Session("Userrs")(0)
response.redirect "admin.asp"
Elseif ad("Admingroup")="1" then
Session("UserID") = Session("Userrs")(0)
response.redirect "localadmin.asp"
else
Session("UserID") = Session("Userrs")(0)
response.redirect "register.asp"
End If
If UserID = "" Or PWD = "" Then
Head = ""
ElseIf not CheckPwd( UserID, PWD ) Then
Head = "<font size='2' face='Arial'>信息有误!请重新输入</font>"
Elseif ad("Admingroup")="0" then
Session("UserID") = Session("Userrs")(0)
response.redirect "admin.asp"
Elseif ad("Admingroup")="1" then
Session("UserID") = Session("Userrs")(0)
response.redirect "localadmin.asp"
else
Session("UserID") = Session("Userrs")(0)
response.redirect "register.asp"
End If
