asp登陆验证(高手帮忙分析)
<%session.timeout=30ghao=trim(request.Form("ghao"))pass=trim(request.form("pass"))ifg...
<%
session.timeout=30
ghao=trim(request.Form("ghao"))
pass=trim(request.form("pass"))
if ghao="" or pass="" then
response.Write("<script>alert('用户名或密不能为空!');</script>")
response.Write("<script>window.location.href='index.asp';</script>")
else
sql="select * from user where ghao='"&ghao&"' and pass='"&pass&"'"
set rs=server.CreateObject("adodb.recordset")
rs.open sql,conn,1,1
if not rs.eof then
session("ghao")=ghao
else
response.Write("<script>alert('用户名或密码错误!');</script>")
response.Write("<script>window.location.href='index.asp';</script>")
response.End()
end if
end if
%>
让我困惑的是:
1.用户名为空,检查正确,可以出现提示,但在登陆框填写
资料后 提交就会报错:
ADODB.Recordset 错误 '800a0bb9'
引数中可能发生类型错误、超过可接受的定义范围、或与其他引数发生冲突。
/login.asp, 列17
大家看看我的if 判断有没有问题
:有程序比较严谨的,完善的登陆验证代码发一个上来参考一个也可以,我这个老是有问题,要ASP的,谢谢了---顺便说一下在写ASP程序时注意的单引号和双引号问题,捆饶了我好久,尤其是数据库操作的时候... 展开
session.timeout=30
ghao=trim(request.Form("ghao"))
pass=trim(request.form("pass"))
if ghao="" or pass="" then
response.Write("<script>alert('用户名或密不能为空!');</script>")
response.Write("<script>window.location.href='index.asp';</script>")
else
sql="select * from user where ghao='"&ghao&"' and pass='"&pass&"'"
set rs=server.CreateObject("adodb.recordset")
rs.open sql,conn,1,1
if not rs.eof then
session("ghao")=ghao
else
response.Write("<script>alert('用户名或密码错误!');</script>")
response.Write("<script>window.location.href='index.asp';</script>")
response.End()
end if
end if
%>
让我困惑的是:
1.用户名为空,检查正确,可以出现提示,但在登陆框填写
资料后 提交就会报错:
ADODB.Recordset 错误 '800a0bb9'
引数中可能发生类型错误、超过可接受的定义范围、或与其他引数发生冲突。
/login.asp, 列17
大家看看我的if 判断有没有问题
:有程序比较严谨的,完善的登陆验证代码发一个上来参考一个也可以,我这个老是有问题,要ASP的,谢谢了---顺便说一下在写ASP程序时注意的单引号和双引号问题,捆饶了我好久,尤其是数据库操作的时候... 展开
展开全部
楼主你的代码没问题啊,你要分析什么?安全性吗?如果担心SQL注入安全,可以加代码,另外你可以规定用户名字和密码不能有非法字符才可以.
'防止SQL注入代码
Dim Query_Badword,Form_Badword,Err_Message,Err_Web,form_name
'------定义部份 头----------------------------------------------------------------------
Err_Message = 1 '处理方式:1=提示信息,2=转向页面,3=先提示再转向
Err_Web = "Err.Asp" '出错时转向的页面
Query_Badword="'‖and‖select‖update‖chr‖delete‖%20from‖;‖insert‖mid‖master.‖set‖chr(37)‖="
'在这部份定义get非法参数,使用"‖"号间隔
Form_Badword="'‖%‖&‖*‖#‖@‖=‖select‖and‖set‖delete" '在这部份定义post非法参数,使用"‖"号间隔
'------定义部份 尾-----------------------------------------------------------------------
'
On Error Resume Next
'----- 对 get query 值 的过滤.
if request.QueryString<>"" then
Chk_badword=split(Query_Badword,"‖")
FOR EACH Query_form_name IN Request.QueryString
for i=0 to ubound(Chk_badword)
If Instr(LCase(request.QueryString(Query_form_name)),Chk_badword(i))<>0 Then
Select Case Err_Message
Case "1"
Response.Write "<Script Language=JavaScript>alert('传参错误!参数 "&form_name&" 的值中包含非法字符串!\n\n请不要在参数中出现:and update delete ; insert mid master 等非法字符!');window.close();</Script>"
Case "2"
Response.Write "<Script Language=JavaScript>location.href='"&Err_Web&"'</Script>"
Case "3"
Response.Write "<Script Language=JavaScript>alert('传参错误!参数 "&form_name&"的值中包含非法字符串!\n\n请不要在参数中出现:and update delete ; insert mid master 等非法字符!');location.href='"&Err_Web&"';</Script>"
End Select
Response.End
End If
NEXT
NEXT
End if
'-----对 post 表 单值的过滤.
if request.form<>"" then
Chk_badword=split(Form_Badword,"‖")
FOR EACH form_name IN Request.Form
for i=0 to ubound(Chk_badword)
If Instr(LCase(request.form(form_name)),Chk_badword(i))<>0 Then
Select Case Err_Message
Case "1"
Response.Write "<Script Language=JavaScript>alert('出错了!表单 "&form_name&" 的值中包含非法字符串!\n\n请不要在表单中出现: % & * # ( ) 等非法字符!');window.close();</Script>"
Case "2"
Response.Write "<Script Language=JavaScript>location.href='"&Err_Web&"'</Script>"
Case "3"
Response.Write "<Script Language=JavaScript>alert('出错了!参数 "&form_name&"的值中包含非法字符串!\n\n请不要在表单中出现: % & * # ( ) 等非法字符!');location.href='"&Err_Web&"';</Script>"
End Select
Response.End
End If
NEXT
NEXT
end if
二次回答:
<!-- #include file="conn.asp" -->
<!-- #include file="inc/md5.asp" -->
<%
if Trim(Request.Form("login"))<>"" then
if Trim(Request.Form("admin_name"))="" then
response.write"<script>alert('请输入用户名!');history.back();</Script>"
response.end
else
admin_name=Trim(Request.Form("admin_name"))
end if
if Trim(Request.Form("admin_pass"))="" then
response.write"<script>alert('请输入密码!');history.back();</Script>"
response.end
else
admin_pass=md5(Trim(Request.Form("admin_pass")))
end if
if Trim(Request.Form("code"))="" then
response.write"<script>alert('请输入验证码!');history.back();</Script>"
response.end
end if
if request("code")="" or trim(Session("safenum"))<>trim(replace(request("code"),"'","")) then
response.write"<SCRIPT language=JavaScript>alert('请您输入正确的验证码!');"
response.write"javascript:history.go(-1)</SCRIPT>"
response.end
end if
set rs=server.createobject("adodb.recordset")
sql="select * from Admin where admin_name='"&admin_name&"'"
rs.open sql,conn,1,3
if rs.eof and rs.bof then
response.write"<script>alert('对不起您输入的用户名不正确,请输入正确的用户名!');history.back();</Script>"
response.end
else
if rs("admin_pass")<>admin_pass then
response.write"<script>alert('对不起您输入的密码错误,请输入正确的密码!');history.back();</Script>"
response.end
else
Response.Cookies("Mweb_Admin")("admin_name") = rs("admin_name")
Response.Cookies("Mweb_Admin")("admin_pass") = rs("admin_pass")
Response.Cookies("Mweb_Admin")("admin_id") = rs("id")
select case Trim(Request.Form("cook_time"))
case "1"
Response.Cookies("Mweb_Admin").Expires=FormatDateTime(DateAdd("d", 1, Date),vbLongDate)
case "2"
Response.Cookies("Mweb_Admin").Expires=FormatDateTime(DateAdd("d", 7, Date),vbLongDate)
case "3"
Response.Cookies("Mweb_Admin").Expires=FormatDateTime(DateAdd("d", 30, Date),vbLongDate)
case "4"
Response.Cookies("Mweb_Admin").Expires=FormatDateTime(DateAdd("d", 365, Date),vbLongDate)
end select
response.redirect "index.asp"
end if
end if
rs.close
set rs=nothing
end if
%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title><%=homename_h%>----管理登录</title>
<style type="text/css">
<!--
@import url("css/css.css");
-->
</style>
</head>
<body>
<%
if Request.Cookies("Mweb_Admin")("admin_name")="" then
%>
<table width="100%" height="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td align="center" valign="middle"><table width="554" border="0" cellspacing="0" cellpadding="0">
<tr>
<td height="518" align="center" valign="top" background="images/loginbg.jpg"><table width="554" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="203" height="70"> </td>
<td width="351"> </td>
</tr>
<tr>
<td height="185"> </td>
<td align="center"><table width="350" border="0" cellspacing="0" cellpadding="0">
<form name="form1" method="post" action="">
<tr>
<td width="86" height="25" align="right">用户名:</td>
<td colspan="2" align="left">
<INPUT name="admin_name" type="text" class="inputstyle" id="admin_name" size="30"></td>
</tr>
<tr>
<td height="25" align="right">密 码:</td>
<td colspan="2" align="left">
<INPUT name="admin_pass" type="password" class="inputstyle" id="admin_pass" size="30"></td>
</tr>
<tr>
<td height="25" align="right">Cookies:</td>
<td colspan="2" align="left">
<select name="cook_time" id="cook_time">
<option value="0">不保留</option>
<option value="1">保留一天</option>
<option value="2">保留一周</option>
<option value="3">保留一月</option>
<option value="4">保留一年</option>
</select>
</td>
</tr>
<tr>
<td height="25" align="right">验证码:</td>
<td width="74" align="left">
<INPUT name="code" type="text" class="inputstyle" id="code" size="6"></td>
<td width="190" align="left"><img src="inc/code/code.asp"></td>
</tr>
<tr>
<td height="35" colspan="3" align="center"><input name="login" type="submit" class="loginbotton" id="login" value=" 登 录 "></td>
</tr>
</form>
</table>
</td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
</table></td>
</tr>
</table></td>
</tr>
</table>
<%
else
response.redirect "index.asp"
end if
%>
</body>
</html>
'防止SQL注入代码
Dim Query_Badword,Form_Badword,Err_Message,Err_Web,form_name
'------定义部份 头----------------------------------------------------------------------
Err_Message = 1 '处理方式:1=提示信息,2=转向页面,3=先提示再转向
Err_Web = "Err.Asp" '出错时转向的页面
Query_Badword="'‖and‖select‖update‖chr‖delete‖%20from‖;‖insert‖mid‖master.‖set‖chr(37)‖="
'在这部份定义get非法参数,使用"‖"号间隔
Form_Badword="'‖%‖&‖*‖#‖@‖=‖select‖and‖set‖delete" '在这部份定义post非法参数,使用"‖"号间隔
'------定义部份 尾-----------------------------------------------------------------------
'
On Error Resume Next
'----- 对 get query 值 的过滤.
if request.QueryString<>"" then
Chk_badword=split(Query_Badword,"‖")
FOR EACH Query_form_name IN Request.QueryString
for i=0 to ubound(Chk_badword)
If Instr(LCase(request.QueryString(Query_form_name)),Chk_badword(i))<>0 Then
Select Case Err_Message
Case "1"
Response.Write "<Script Language=JavaScript>alert('传参错误!参数 "&form_name&" 的值中包含非法字符串!\n\n请不要在参数中出现:and update delete ; insert mid master 等非法字符!');window.close();</Script>"
Case "2"
Response.Write "<Script Language=JavaScript>location.href='"&Err_Web&"'</Script>"
Case "3"
Response.Write "<Script Language=JavaScript>alert('传参错误!参数 "&form_name&"的值中包含非法字符串!\n\n请不要在参数中出现:and update delete ; insert mid master 等非法字符!');location.href='"&Err_Web&"';</Script>"
End Select
Response.End
End If
NEXT
NEXT
End if
'-----对 post 表 单值的过滤.
if request.form<>"" then
Chk_badword=split(Form_Badword,"‖")
FOR EACH form_name IN Request.Form
for i=0 to ubound(Chk_badword)
If Instr(LCase(request.form(form_name)),Chk_badword(i))<>0 Then
Select Case Err_Message
Case "1"
Response.Write "<Script Language=JavaScript>alert('出错了!表单 "&form_name&" 的值中包含非法字符串!\n\n请不要在表单中出现: % & * # ( ) 等非法字符!');window.close();</Script>"
Case "2"
Response.Write "<Script Language=JavaScript>location.href='"&Err_Web&"'</Script>"
Case "3"
Response.Write "<Script Language=JavaScript>alert('出错了!参数 "&form_name&"的值中包含非法字符串!\n\n请不要在表单中出现: % & * # ( ) 等非法字符!');location.href='"&Err_Web&"';</Script>"
End Select
Response.End
End If
NEXT
NEXT
end if
二次回答:
<!-- #include file="conn.asp" -->
<!-- #include file="inc/md5.asp" -->
<%
if Trim(Request.Form("login"))<>"" then
if Trim(Request.Form("admin_name"))="" then
response.write"<script>alert('请输入用户名!');history.back();</Script>"
response.end
else
admin_name=Trim(Request.Form("admin_name"))
end if
if Trim(Request.Form("admin_pass"))="" then
response.write"<script>alert('请输入密码!');history.back();</Script>"
response.end
else
admin_pass=md5(Trim(Request.Form("admin_pass")))
end if
if Trim(Request.Form("code"))="" then
response.write"<script>alert('请输入验证码!');history.back();</Script>"
response.end
end if
if request("code")="" or trim(Session("safenum"))<>trim(replace(request("code"),"'","")) then
response.write"<SCRIPT language=JavaScript>alert('请您输入正确的验证码!');"
response.write"javascript:history.go(-1)</SCRIPT>"
response.end
end if
set rs=server.createobject("adodb.recordset")
sql="select * from Admin where admin_name='"&admin_name&"'"
rs.open sql,conn,1,3
if rs.eof and rs.bof then
response.write"<script>alert('对不起您输入的用户名不正确,请输入正确的用户名!');history.back();</Script>"
response.end
else
if rs("admin_pass")<>admin_pass then
response.write"<script>alert('对不起您输入的密码错误,请输入正确的密码!');history.back();</Script>"
response.end
else
Response.Cookies("Mweb_Admin")("admin_name") = rs("admin_name")
Response.Cookies("Mweb_Admin")("admin_pass") = rs("admin_pass")
Response.Cookies("Mweb_Admin")("admin_id") = rs("id")
select case Trim(Request.Form("cook_time"))
case "1"
Response.Cookies("Mweb_Admin").Expires=FormatDateTime(DateAdd("d", 1, Date),vbLongDate)
case "2"
Response.Cookies("Mweb_Admin").Expires=FormatDateTime(DateAdd("d", 7, Date),vbLongDate)
case "3"
Response.Cookies("Mweb_Admin").Expires=FormatDateTime(DateAdd("d", 30, Date),vbLongDate)
case "4"
Response.Cookies("Mweb_Admin").Expires=FormatDateTime(DateAdd("d", 365, Date),vbLongDate)
end select
response.redirect "index.asp"
end if
end if
rs.close
set rs=nothing
end if
%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title><%=homename_h%>----管理登录</title>
<style type="text/css">
<!--
@import url("css/css.css");
-->
</style>
</head>
<body>
<%
if Request.Cookies("Mweb_Admin")("admin_name")="" then
%>
<table width="100%" height="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td align="center" valign="middle"><table width="554" border="0" cellspacing="0" cellpadding="0">
<tr>
<td height="518" align="center" valign="top" background="images/loginbg.jpg"><table width="554" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="203" height="70"> </td>
<td width="351"> </td>
</tr>
<tr>
<td height="185"> </td>
<td align="center"><table width="350" border="0" cellspacing="0" cellpadding="0">
<form name="form1" method="post" action="">
<tr>
<td width="86" height="25" align="right">用户名:</td>
<td colspan="2" align="left">
<INPUT name="admin_name" type="text" class="inputstyle" id="admin_name" size="30"></td>
</tr>
<tr>
<td height="25" align="right">密 码:</td>
<td colspan="2" align="left">
<INPUT name="admin_pass" type="password" class="inputstyle" id="admin_pass" size="30"></td>
</tr>
<tr>
<td height="25" align="right">Cookies:</td>
<td colspan="2" align="left">
<select name="cook_time" id="cook_time">
<option value="0">不保留</option>
<option value="1">保留一天</option>
<option value="2">保留一周</option>
<option value="3">保留一月</option>
<option value="4">保留一年</option>
</select>
</td>
</tr>
<tr>
<td height="25" align="right">验证码:</td>
<td width="74" align="left">
<INPUT name="code" type="text" class="inputstyle" id="code" size="6"></td>
<td width="190" align="left"><img src="inc/code/code.asp"></td>
</tr>
<tr>
<td height="35" colspan="3" align="center"><input name="login" type="submit" class="loginbotton" id="login" value=" 登 录 "></td>
</tr>
</form>
</table>
</td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
</table></td>
</tr>
</table></td>
</tr>
</table>
<%
else
response.redirect "index.asp"
end if
%>
</body>
</html>
已赞过
已踩过<
评论
收起
你对这个回答的评价是?
防伪标签
2025-07-10 广告
联系我们:18501924525。中企防伪溯源防窜货渠道管控模块,可做系统接口,实现与企业 ERP、CRM、MIS 等系统做无缝对接,形成闭环生态系统。中企防伪在防伪溯源行业从业20多年,一直以优质高效的方案帮助企业进行符合国家监管政策的改...
点击进入详情页
本回答由防伪标签提供
展开全部
session.timeout=30
30秒内完成,过了为超时
ghao=trim(request.Form("ghao"))
pass=trim(request.form("pass"))
获取用户名和密码
if ghao="" or pass="" then
response.Write("<script>alert('用户名或密不能为空!');</script>")
response.Write("<script>window.location.href='index.asp';</script>")
检查用户名和密码是否为空,如果空的弹出提示并返回主页
else
sql="select * from user where ghao='"&ghao&"' and pass='"&pass&"'"
set rs=server.CreateObject("adodb.recordset")
rs.open sql,conn,1,1
如果不是,从数据库查找用户并对正密码
if not rs.eof then
session("ghao")=ghao
如果找到相符的,把session设为此用户名的session
else
response.Write("<script>alert('用户名或密码错误!');</script>")
response.Write("<script>window.location.href='index.asp';</script>")
response.End()
end if
end if
要是数据库没有相符的用户名和密码,弹出错误信息并返回首页
加上 dim ghao, pass
30秒内完成,过了为超时
ghao=trim(request.Form("ghao"))
pass=trim(request.form("pass"))
获取用户名和密码
if ghao="" or pass="" then
response.Write("<script>alert('用户名或密不能为空!');</script>")
response.Write("<script>window.location.href='index.asp';</script>")
检查用户名和密码是否为空,如果空的弹出提示并返回主页
else
sql="select * from user where ghao='"&ghao&"' and pass='"&pass&"'"
set rs=server.CreateObject("adodb.recordset")
rs.open sql,conn,1,1
如果不是,从数据库查找用户并对正密码
if not rs.eof then
session("ghao")=ghao
如果找到相符的,把session设为此用户名的session
else
response.Write("<script>alert('用户名或密码错误!');</script>")
response.Write("<script>window.location.href='index.asp';</script>")
response.End()
end if
end if
要是数据库没有相符的用户名和密码,弹出错误信息并返回首页
加上 dim ghao, pass
已赞过
已踩过<
评论
收起
你对这个回答的评价是?
展开全部
ghao=trim(request.Form("ghao"))
pass=trim(request.form("pass"))
改为
ghao=trim(request.Form("ghao"))
ghao=replacr(ghao,"'","")
pass=trim(request.form("pass"))
这样作是为了过滤掉表单中的'
-----------------------------------
response.Write("<script>alert('用户名或密不能为空!');</script>")
response.Write("<script>window.location.href='index.asp';</script>")
改为
response.Write("<script>alert('用户名或密不能为空!');</script>")
response.Write("<script>window.location.href='index.asp';</script>")
response.end
------------------
sql="select * from user where ghao='"&ghao&"' and pass='"&pass&"'"
改为:
sql="select * from [user] where ghao='"&ghao&"' and pass='"&pass&"'"
这里给user加上[],因为user是系统保留字
pass=trim(request.form("pass"))
改为
ghao=trim(request.Form("ghao"))
ghao=replacr(ghao,"'","")
pass=trim(request.form("pass"))
这样作是为了过滤掉表单中的'
-----------------------------------
response.Write("<script>alert('用户名或密不能为空!');</script>")
response.Write("<script>window.location.href='index.asp';</script>")
改为
response.Write("<script>alert('用户名或密不能为空!');</script>")
response.Write("<script>window.location.href='index.asp';</script>")
response.end
------------------
sql="select * from user where ghao='"&ghao&"' and pass='"&pass&"'"
改为:
sql="select * from [user] where ghao='"&ghao&"' and pass='"&pass&"'"
这里给user加上[],因为user是系统保留字
已赞过
已踩过<
评论
收起
你对这个回答的评价是?
更多回答(1)
推荐律师服务:
若未解决您的问题,请您详细描述您的问题,通过百度律临进行免费专业咨询
