To: lcx45(木头)
sql="select * from users where name='" & name & "' and pwd='" & pwd & "'"
To: thb28(c++学习中)
rs.Open "select * from works where name='"&name&"' and password='"&password&"' " ,conn,1,1
楼上两位的这两句都有严重的 SQL 注入漏洞：用户名和密码被直接拼进 SQL 字符串，拼出来的 where 条件完全由用户输入决定。例如密码填 ' or ''=' ，拼出的语句就变成 ... and pwd='' or ''='' ，条件恒真，随便什么用户名都能登录；在用户名里用类似写法也能达到同样效果。根本的修复是用 ADODB.Command 把两个值作为参数绑定（SQL 文本固定不变），下面那种过滤单引号的做法只能当辅助手段。
===================================
看清楚了:
-----------------------------------------------
lcx45(木头)
' Read the credentials from the POSTed form only (not QueryString/Cookies).
name=request.form("username")
pwd=request.form("userpassword")
' Reject any value containing a single quote: the SQL that uses these values
' wraps them in '...', so this blocks the classic  ' or ''='  payload.
' NOTE(review): this is a blacklist, not a fix -- it only protects the
' single-quoted string context and bounces legitimate passwords that contain
' a quote. Binding both values as ADODB.Command parameters is the robust fix.
if instr(name,"'")<>0 or instr(pwd,"'")<>0 then
' Redirect ends the response; the explicit response.end is belt-and-braces.
response.redirect "login.asp"
response.end
end if
-----------------------------------------------
thb28(c++学习中)
' Trim whitespace and delete every single quote from the submitted values.
' request("name") (no collection given) also accepts values from the
' QueryString and Cookies, so the credentials may arrive via GET as well as POST.
' NOTE(review): deleting quotes (rather than binding the value as a parameter)
' means a stored password that contains ' can never match, and it only
' protects a single-quoted literal context in the SQL built later.
name=replace(trim(request("name")),"'","")
password=replace(trim(request("password")),"'","")
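' Strip illegal characters: delete every single quote from the submitted values.
' strName/strPwd are assigned before this fragment (presumably from Request)
' -- verify at the caller.
' NOTE(review): this only protects the single-quoted literal in the SQL below
' and silently alters a password that legitimately contains a quote; binding
' the value as an ADODB.Command parameter would be the robust fix, but the
' connection object is left to the reader in this fragment.
strName=Replace(strName,"'","")
strPwd=Replace(strPwd,"'","")
' Look the user up by name. pwd is now selected as well: the original selected
' only UserName, so objrs("pwd") further down was not in the Fields collection
' and raised an ADO "item cannot be found" error (assuming the column is
' really named pwd, as that field access implies).
' The SQL is still built by concatenation, so the Replace above is the sole
' defence against injection.
sql="Select UserName, pwd From Login Where UserName='" & strName & "'"
set objrs=Server.CreateObject("ADODB.RecordSet")
' Database open statement: write your own here ...... mine differs from yours!!
' objrs must be opened with sql before the Bof/Eof test below. RecordCount
' (used further down) is only meaningful for a static or keyset cursor; it
' returns -1 for a forward-only one -- TODO confirm the cursor type chosen.
If objrs.Bof And objrs.Eof Then
' NOTE(review): this "no such user" message differs from the "wrong password"
' message below, which lets a caller enumerate valid user names; one generic
' message for both outcomes avoids that.
Response.Write "无此用户<p></p>"
%>
<a href=javascript:history.back()>返回</a>
<%
Response.End
End If
If objrs.RecordCount=1 Then
' Stored password is compared as plaintext with a case-sensitive VBScript "=".
If objrs("pwd")=strPwd Then
Response.Redirect "kj.asp"
Else
Response.Write "密码错误,请确认后重新输入!<br><br>"
%>
<a href=javascript:history.back()>返回重填</a>
<%
Response.End
End If
Else
' Reached when RecordCount is not exactly 1 (duplicate names, or -1 from a
' forward-only cursor).
Response.Write "用户名错误,请确认后重新输入!<br><br>"
%>
<a href=javascript:history.back()>返回重填</a>
<%
Response.End
End If
objrs.Close
Set objrs=Nothing
%>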
</body>
</html>
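<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>
<%
' Login handler for the "works" table (Access/Jet example).
' Reads name/password from the request, verifies them against the database
' with a parameterised query and, on success, stores the user in the Session
' and redirects; on failure it emits a JavaScript alert.
' The comment lines of the original started with a curly quote (U+2018)
' instead of the VBScript comment character ', which is a syntax error under
' the script engine -- fixed here.
option explicit
Response.Expires=0
dim conn,connstr,db,rs,cmd,name,password
' Connect to the database, Access for example.
db="你的数据库路径和名称.mdb"
Set conn = Server.CreateObject("ADODB.Connection")
connstr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(db)
conn.Open connstr
' Receive the user's login details.
' request(...) without a collection also accepts QueryString and Cookie values.
' The quote stripping is kept only as defence in depth: the query below no
' longer concatenates these values into SQL text.
name=replace(trim(request("name")),"'","")
password=replace(trim(request("password")),"'","")
if name="" or password="" then
response.Write "<script language=javascript>alert('请填写用户名和密码')</script>"
response.end
end if
' Verify the user against the database.
' Both values are bound as input parameters (adVarWChar=202, adParamInput=1),
' so the SQL text is fixed and user input can never change its structure.
' Only the two columns read below are selected; the names are bracketed
' because name/password are reserved words in Jet SQL.
set cmd=server.CreateObject("adodb.command")
set cmd.ActiveConnection=conn
cmd.CommandType=1 ' adCmdText
cmd.CommandText="select [name],[password] from works where [name]=? and [password]=?"
cmd.Parameters.Append cmd.CreateParameter("name",202,1,255,name)
cmd.Parameters.Append cmd.CreateParameter("password",202,1,255,password)
set rs=cmd.Execute
if not(rs.bof and rs.eof) then
' Jet compares text case-insensitively; this VBScript "=" makes the final
' password check case-sensitive. The stored password is compared as
' plaintext -- NOTE(review): storing and comparing a hash would be better.
if password=rs("password") then
' Create the session.
session("user")=trim(rs("name"))
' NOTE(review): keeping the password in the Session is not needed for
' authentication; kept only because other pages may read session("PASS").
session("PASS")=trim(rs("PASSWORD"))
' Limit the session lifetime (minutes).
session.Timeout=60
rs.Close
set rs=nothing
' Credentials accepted: let the user in (Redirect ends the response).
response.Redirect "../login.asp"
else
call Error()
end if
else
call Error()
end if
' Failure path: one generic message for both "no such user" and "wrong
' password", so valid user names cannot be enumerated.
sub Error()
response.write "<script language=javascript>alert('无效的用户名和密码')</script>"
end sub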
全选?
<form name=test><input type=checkbox name=chk value=A>A<input type=checkbox name=chk value=B>B<input type=checkbox name=chk value=C>C
<input type=button value=全选 onclick="SelAllNow()">
</form>
<script language=vbscript>
' "Select all" handler for the checkboxes named chk in form test.
' Client-side VBScript, so this only runs in Internet Explorer. The loop bound
' 2 is hard-coded for the three checkboxes (A, B, C) in the form above; adding
' a checkbox means updating it.
sub SelAllNow()
for i=0 to 2
test.chk(i).checked=true
next
end sub
</script>
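<%
' Login handler for the "users" table.
' Runs only when both fields were POSTed; binds the values as query
' parameters and, on a match, stores purview/name in the Session and
' redirects to the admin area. Relies on an already-open connection "conn"
' defined outside this fragment.
' The guard now reads request.form, consistent with the two reads below (the
' original guard used request(...), which also accepts QueryString/Cookie
' values while the reads below do not).
if request.form("username")<>"" and request.form("userpassword")<>"" then
dim name
dim pwd
dim sql
dim cmd
dim rs
dim dberr
' Read from the POSTed form only.
name=request.form("username")
pwd=request.form("userpassword")
' Defence in depth: a single quote was the injection vector in the old
' concatenated query and is never legitimate here. The query below binds
' the values instead of concatenating them.
if instr(name,"'")<>0 or instr(pwd,"'")<>0 then
response.redirect "login.asp"
response.end
end if
' Fixed SQL text with two bound input parameters (adVarWChar=202,
' adParamInput=1); only the columns read below are selected.
sql="select [purview],[name] from users where [name]=? and [pwd]=?"
set cmd=server.createobject("adodb.command")
set cmd.ActiveConnection=conn
cmd.CommandType=1 ' adCmdText
cmd.CommandText=sql
cmd.Parameters.Append cmd.CreateParameter("name",202,1,255,name)
cmd.Parameters.Append cmd.CreateParameter("pwd",202,1,255,pwd)
' The original tested err.number without On Error Resume Next, so a database
' error aborted the page before the test ever ran. Scope the handler to the
' Execute only and capture the result before re-enabling default handling.
on error resume next
set rs=cmd.Execute
dberr=err.number
err.clear
on error goto 0
if dberr <> 0 then
' Do not echo err.description to the client: it reveals SQL text and
' driver/schema details. Record it in a server-side log instead.
response.write "数据库操作失败"
response.end
else
if not rs.eof and not rs.bof then
session("purview")=rs("purview")
session("name")=rs("name")
' Redirect ends the response; nothing below runs on success.
response.redirect "admin/index.asp"
end if
end if
rs.close
set rs=nothing
end if
%>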