中科新闻网天灾来临玩不了:这代码有什么问题?
来源:百度文库 编辑:中科新闻网 时间:2024/05/01 14:05:16
<!--#include file="Conn.asp"-->
<%if Request.QueryString("no")<>"eshop" then%>
<html>
<head>
<title></title>
<meta name="Author" content="Tianyi">
<meta name="Contact" content="lcdesign@sina.com">
<meta name="Copyright" content="lanchuo design">
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<link href="Inc/ManageMent.css" rel="stylesheet" type="text/css">
</head>
<body>
<FORM ACTION="Login.asp?no=eshop" METHOD="post">
<br>
<center>
<table width="300" border="0" cellpadding="0" cellspacing="2" class="HeaderTdStyle">
<tr>
<td height="30" colspan="2" align="center"> <b>企业网站后台管理系统登陆</b> </td>
</tr>
<tr>
<td height="30" align="right">管理帐号:</td>
<td>
<input name="Name" size=12 maxlength="20"
>
</td>
</tr>
<tr>
<td height="30" align="right">管理密码:</td>
<td>
<input name="Pwd" type="password" size=12 maxlength="20">
</td>
</tr>
<tr>
<td height="30" colspan="2" align="center">
<input name="Submit" type="submit" value="登陆系统">
</td>
</tr>
</table>
<p></p>
<p></p>
<p></p>
<p></p>
<p> </p>
</center>
</form>
</body>
</html>
<%else%>
<%
pwd = request.form("Pwd")
name = request.form("Name")
Set rs = Server.CreateObject("ADODB.Connection")
sql = "select * from Manage_User where UserName='" & name & "' And PassWord='"&encrypt(pwd)&"'"
Set rs = conn.Execute(sql)
If Not rs.EOF = True Then
Session("Name") = rs("UserName")
Session("Pwd") = rs("PassWord")
Response.Redirect("Manage.asp")
Else
Response.Redirect "Loginsb.asp?msg=错误的帐号或密码!<br>您的IP已被记录!"
End If
end if
%>
<%if Request.QueryString("no")<>"eshop" then%>
<html>
<head>
<title></title>
<meta name="Author" content="Tianyi">
<meta name="Contact" content="lcdesign@sina.com">
<meta name="Copyright" content="lanchuo design">
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<link href="Inc/ManageMent.css" rel="stylesheet" type="text/css">
</head>
<body>
<FORM ACTION="Login.asp?no=eshop" METHOD="post">
<br>
<center>
<table width="300" border="0" cellpadding="0" cellspacing="2" class="HeaderTdStyle">
<tr>
<td height="30" colspan="2" align="center"> <b>企业网站后台管理系统登陆</b> </td>
</tr>
<tr>
<td height="30" align="right">管理帐号:</td>
<td>
<input name="Name" size=12 maxlength="20"
>
</td>
</tr>
<tr>
<td height="30" align="right">管理密码:</td>
<td>
<input name="Pwd" type="password" size=12 maxlength="20">
</td>
</tr>
<tr>
<td height="30" colspan="2" align="center">
<input name="Submit" type="submit" value="登陆系统">
</td>
</tr>
</table>
<p></p>
<p></p>
<p></p>
<p></p>
<p> </p>
</center>
</form>
</body>
</html>
<%else%>
<%
pwd = request.form("Pwd")
name = request.form("Name")
Set rs = Server.CreateObject("ADODB.Connection")
sql = "select * from Manage_User where UserName='" & name & "' And PassWord='"&encrypt(pwd)&"'"
Set rs = conn.Execute(sql)
If Not rs.EOF = True Then
Session("Name") = rs("UserName")
Session("Pwd") = rs("PassWord")
Response.Redirect("Manage.asp")
Else
Response.Redirect "Loginsb.asp?msg=错误的帐号或密码!<br>您的IP已被记录!"
End If
end if
%>
错误太多。从上往下给你说:
0,Set rs = Server.CreateObject("ADODB.Connection") ,应该是adodb.recordset
1,不应该用name作变量名。
2,pwd和name应该做一下特殊字符的处理防止出错和sql注入攻击
3,set rs=conn.execute(sql)的“set rs=”应去掉
4,if not rs.eof=ture then 应改为if not rs.eof then
5,Response.Redirect "Loginsb.asp?msg=错误的帐号或密码!<br>您的IP已被记录!" 这句我估计你是想先跳出个消息框再进入loginsb.asp这个文件,如果想在本页实现,是实现不了的,如果是想在loginsb.asp实现,没必要传递那么长的参数。
被加了后门了把
问题很严重!
问题太多了!谁弄的?