My login page, can anyone check whether it has any vulnerabilities? If it does, how do I fix them? (Also: the entry point for starting a new thread on this forum is really hard to find!)

FBII 2004-08-01 12:50:40
As the title says. I just don't feel comfortable about this page I made myself; I don't know whether it could be SQL-injected, or whether it has any holes. If an expert passes by, please take a look for me! Thanks! The code is below.
<%@LANGUAGE="VBSCRIPT"%>
<!--#include file="MD5/md5.asp" -->
<!--#include file="../Connections/koko.asp" -->
<%
' Shop name from the login form. "x" is a sentinel meaning "no form submitted",
' so a shop literally named "x" would never get past the check further down.
Dim Reg__strshopID
Reg__strshopID = "x"
If (Request.Form("shopID") <> "") Then
  Reg__strshopID = Request.Form("shopID")
End If

' Password from the login form, "1" when absent.
Dim Reg__strPassword
Reg__strPassword = "1"
If (Request.Form("Password") <> "") Then Reg__strPassword = Request.Form("Password")

' The query is built by string concatenation. Single quotes in the shop name are
' doubled (Replace), which is the escape rule for string literals in SQL Server,
' and the password is reduced to a 32-character MD5 hex digest before it reaches
' the SQL, so neither value can break out of its quoted literal. Doubling quotes
' in the password *before* hashing changes the hash of any password that contains
' an apostrophe, so such a password only matches if it was stored the same way.
' The query also runs on a plain GET of the page, with the sentinel values.
Dim Reg, Reg_numRows
Set Reg = Server.CreateObject("ADODB.Recordset")
Reg.ActiveConnection = MM_koko_STRING
Reg.Source = "SELECT * FROM dbo.shop WHERE shopname = '" & Replace(Reg__strshopID, "'", "''") & "' AND password = '" & md5(Trim(Replace(Reg__strPassword, "'", "''")), 32) & "'"
Reg.CursorType = 0
Reg.CursorLocation = 2
Reg.LockType = 3
Reg.Open()
Reg_numRows = 0

' Only evaluate the result when the form was actually submitted.
If Reg__strshopID <> "x" Then
  If Not Reg.EOF Then
    ' A matching row means the credentials are valid: populate the session.
    ' Note that the stored password hash itself is copied into the session too.
    Session("kokoshopname") = Reg.Fields.Item("shopname").Value
    Session("kokoPass") = Reg.Fields.Item("password").Value
    Session("managerlevel") = Reg.Fields.Item("managerlevel").Value
    Session("shopID") = Reg.Fields.Item("shopID").Value
    Session("shopCategoryID") = Reg.Fields.Item("shopCategoryID").Value
    ' Response.Redirect ends the response, so the first matching level wins.
    If Session("managerlevel") = "product and news" Then
      Response.Redirect "manage.asp"
    End If
    If Session("managerlevel") = "product" Then
      Response.Redirect "manage11.asp"
    End If
    If Session("managerlevel") = "news" Then
      Response.Redirect "manage3.asp"
    End If
  Else
    Response.Redirect "loginfail.asp"
  End If
End If
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><!-- InstanceBegin template="/Templates/content6.dwt.asp" codeOutsideHTMLIsLocked="false" --><HEAD><meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<!-- InstanceBeginEditable name="doctitle" -->
<title>Site login page</title>
.........
................... (the rest is omitted!)
QQgenie 2004-08-01
Looks fine, I can't see any problem:

sql="select * from table where (user='"&user&"') and (pass='"&md5(pass)&"')"

Generally, once the password has gone through a hash it is very hard to use SQL injection; the "()" is very handy.
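As an added example (not code from either post in this thread), the Python script below models the three query shapes discussed above against an in-memory SQLite table: the original post's concatenation with doubled quotes and a hashed password, the reply's parenthesised form with the user name concatenated as-is, and a parameterised query. The table, the single shop row, the `md5_hex` helper standing in for the page's `md5(x, 32)` and the payload are all constructed here for the demonstration; SQL Server (T-SQL) and SQLite share the `''` escape and the `--` line comment, which is all the payload relies on.

```python
import hashlib
import sqlite3

# Constructed sample data standing in for one row of the post's dbo.shop table.
SHOP_NAME = "kokoshop"
SHOP_PASSWORD = "s3cret"
# Constructed payload: closes the quoted literal and the reply's "(", then comments
# out the rest of the WHERE clause. "--" is a line comment in both T-SQL and SQLite.
PAYLOAD = "') OR 1=1 --"


def md5_hex(s):
    """32-character hex MD5, the shape the page's md5(x, 32) returns (assumed)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def sql_escape(value):
    """The post's Replace(value, "'", "''"): double every single quote."""
    return value.replace("'", "''")


def make_db():
    """In-memory SQLite table with one shop whose password is stored as an MD5 hex digest."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE shop (shopID INTEGER PRIMARY KEY, shopname TEXT, "
        "password TEXT, managerlevel TEXT)"
    )
    conn.execute(
        "INSERT INTO shop (shopname, password, managerlevel) VALUES (?, ?, ?)",
        (SHOP_NAME, md5_hex(SHOP_PASSWORD), "product"),
    )
    conn.commit()
    return conn


def op_query(shop_id, password):
    """The original post's SQL: quote-doubled shop name, MD5 of the trimmed password."""
    return (
        "SELECT * FROM shop WHERE shopname = '" + sql_escape(shop_id)
        + "' AND password = '" + md5_hex(sql_escape(password).strip(" ")) + "'"
    )


def reply_query(user, password):
    """The reply's SQL: parenthesised terms, hashed password, user concatenated raw."""
    return (
        "select * from shop where (shopname='" + user
        + "') and (password='" + md5_hex(password) + "')"
    )


def login_concat(conn, build_sql, shop_id, password):
    """Run a concatenated query; True when a row comes back (the post's Not Reg.EOF)."""
    try:
        return conn.execute(build_sql(shop_id, password)).fetchone() is not None
    except sqlite3.Error:
        # A payload that merely breaks the syntax just fails the login.
        return False


def login_param(conn, shop_id, password):
    """Parameterised version: the values never become part of the SQL text."""
    row = conn.execute(
        "SELECT * FROM shop WHERE shopname = ? AND password = ?",
        (shop_id, md5_hex(password.strip(" "))),
    ).fetchone()
    return row is not None


def run_demo():
    """Each query shape with valid credentials and with the payload as the shop name."""
    conn = make_db()
    return {
        "op_valid": login_concat(conn, op_query, SHOP_NAME, SHOP_PASSWORD),
        "op_payload": login_concat(conn, op_query, PAYLOAD, "wrong"),
        "reply_valid": login_concat(conn, reply_query, SHOP_NAME, SHOP_PASSWORD),
        "reply_payload": login_concat(conn, reply_query, PAYLOAD, "wrong"),
        "param_valid": login_param(conn, SHOP_NAME, SHOP_PASSWORD),
        "param_payload": login_param(conn, PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:14} login {'succeeded' if ok else 'failed'}")
```

Running it shows why the original page's shop-name handling holds (the doubled quote keeps the whole payload inside the string literal, so the query simply finds no shop) and what the unescaped `user` in the reply's pattern allows: the `')` closes both the literal and the parenthesis, and `--` comments out the password clause, so the hashed password and the parentheses no longer restrict the match. In classic ASP the equivalent of `login_param` is an `ADODB.Command` with `CreateParameter` and a `?` placeholder in `CommandText`, which avoids hand-escaping altogether.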