My login page: can anyone check whether it has any vulnerabilities? If so, how do I fix them? (Also: the entry point for posting a new thread on this forum is really hard to find!)
FBII 2004-08-01 12:50:40 As in the title. I just don't feel confident about this page I wrote myself; I don't know whether it could let someone do SQL injection, or whether it has other vulnerabilities. Any expert passing by, please take a look! Thanks a lot! The code is below.
<%@LANGUAGE="VBSCRIPT"%>
<!--#include file="MD5/md5.asp" -->
<!--#include file="../Connections/koko.asp" -->
<%
Dim Reg__strshopID
Reg__strshopID = "x"
If (Request.Form("shopID") <> "") Then
Reg__strshopID = Request.Form("shopID")
End If
%>
<%
Dim Reg__strPassword
Reg__strPassword = "1"
if (Request.Form("Password") <> "") then Reg__strPassword = Request.Form("Password")
%> <%
set Reg = Server.CreateObject("ADODB.Recordset")
Reg.ActiveConnection = MM_koko_STRING
Reg.Source = "SELECT * FROM dbo.shop WHERE shopname = '" + Replace(Reg__strshopID, "'", "''") + "' AND password = '" + md5(trim(Replace(Reg__strPassword, "'", "''")),32) + "'"
Reg.CursorType = 0
Reg.CursorLocation = 2
Reg.LockType = 3
Reg.Open()
Reg_numRows = 0
%> <% If Reg__strshopID <> "x" Then
If Not Reg.EOF Then
Session("kokoshopname")=Reg.Fields.Item("shopname").Value
Session("kokoPass")=Reg.Fields.Item("password").Value
Session("managerlevel")=Reg.Fields.Item("managerlevel").Value
Session("shopID")=Reg.Fields.Item("shopID").Value
Session("shopCategoryID")=Reg.Fields.Item("shopCategoryID").Value
if Session("managerlevel") = "product and news" then
Response.Redirect "manage.asp"
end if
if Session("managerlevel") = "product" then
Response.Redirect "manage11.asp"
end if
if Session("managerlevel") = "news" then
Response.Redirect "manage3.asp"
end if
else
Response.Redirect "loginfail.asp"
End If
End If
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><!-- InstanceBegin template="/Templates/content6.dwt.asp" codeOutsideHTMLIsLocked="false" --><HEAD><meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<!-- InstanceBeginEditable name="doctitle" -->
<title>网站登录页</title>
.........
...................the rest is omitted!
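The query above builds its SQL by string concatenation and relies solely on `Replace(..., "'", "''")` to keep the form input from breaking out of the quoted literals. The following is an added example (not the original poster's code) showing the same lookup written with a parameterised ADODB.Command, so the input is never spliced into the SQL text at all. It assumes `MM_koko_STRING` and `md5(text, 32)` come from the same two includes as the posted page, that `shopname` fits in 50 characters and the hash column holds 32 hex characters (all assumptions taken from the post), and it drops the two sentinel defaults ("x" and "1") and the password hash stored in the session.

```vbscript
<%@LANGUAGE="VBSCRIPT"%>
<!--#include file="MD5/md5.asp" -->
<!--#include file="../Connections/koko.asp" -->
<%
' Added example, not the original poster's code: the login lookup done with a
' parameterised ADODB.Command, so form input is never concatenated into SQL.
' Assumes MM_koko_STRING and md5(text, 32) come from the includes above, and
' that shopname is at most 50 chars and the hash column is 32 chars (assumed).
Dim strShopID, strPassword, cmd, rs
strShopID = Trim(Request.Form("shopID"))
strPassword = Trim(Request.Form("Password"))

' Only attempt a login when both fields were actually submitted. This replaces
' the "x" / "1" sentinel defaults, which a visitor could simply type in.
If strShopID <> "" And strPassword <> "" Then
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = MM_koko_STRING
    cmd.CommandType = 1                       ' adCmdText
    cmd.CommandText = "SELECT shopID, shopname, managerlevel, shopCategoryID " & _
                      "FROM dbo.shop WHERE shopname = ? AND password = ?"
    ' CreateParameter(name, type, direction, size, value): 200 = adVarChar, 1 = adParamInput.
    ' The driver sends these values separately from the SQL text, so quotes in
    ' the input are data, not syntax; no manual escaping is needed.
    cmd.Parameters.Append cmd.CreateParameter("@shopname", 200, 1, 50, strShopID)
    cmd.Parameters.Append cmd.CreateParameter("@password", 200, 1, 32, md5(strPassword, 32))
    Set rs = cmd.Execute

    If Not rs.EOF Then
        ' Keep only what later pages need; the password hash does not belong in
        ' the session (unless some other page of the site really reads kokoPass).
        Session("kokoshopname")   = rs("shopname")
        Session("managerlevel")   = rs("managerlevel")
        Session("shopID")         = rs("shopID")
        Session("shopCategoryID") = rs("shopCategoryID")
        rs.Close
        ' Unlike the posted page, an unknown managerlevel is treated as a failed
        ' login instead of falling through to render the login form.
        Select Case Session("managerlevel")
            Case "product and news": Response.Redirect "manage.asp"
            Case "product":          Response.Redirect "manage11.asp"
            Case "news":             Response.Redirect "manage3.asp"
            Case Else:               Response.Redirect "loginfail.asp"
        End Select
    Else
        rs.Close
        Response.Redirect "loginfail.asp"
    End If
End If
%>
```

In classic ASP, Response.Redirect ends script processing, so no explicit Response.End is needed after each branch.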