Vulnerability fix ('or'='or')

Source: Baidu Zhidao    Editor: UC Zhidao    Time: 2024/09/23 17:26:06
The code is as follows. Please advise how to modify it.

<!--#include file=conn.asp -->
<%

userid = Trim(Request("userid"))
pass   = Trim(Request("pass"))
check  = Trim(Request("check"))

If check <> "" Then

    If userid = "" Or pass = "" Then
        Response.Write "<SCRIPT language=JavaScript>alert('用户名或者密码没有输入');"
        Response.Write "window.location.href='index.asp';</SCRIPT>"
        Response.End
    End If

    ' Vulnerable line: userid and pass are concatenated straight into the SQL text,
    ' so a value such as  'or'='or  becomes part of the WHERE clause.
    sql = "select * from user where username='" & userid & "' and pass='" & pass & "'"
    Set rs = Server.CreateObject("adodb.recordset")
    rs.Open sql, conn, 3, 1
    If rs.EOF Or rs.BOF Then
        Response.Write "<SCRIPT language=JavaScript>alert('用户名或者密码不对,请重新输入!');"
        Response.Write "window.location.href='index.asp'</SCRIPT>"
        Response.End
    End If
    ' The posted code is cut off here; the blocks are closed below so it parses.
End If
%>

Just add the following code to the conn.asp file and the whole site is protected against injection; nothing else needs to change:

<%
' Blacklist of words/characters that are not allowed to appear in any query-string value,
' separated by the "‖" character.
Query_Badword = "'‖and‖select‖update‖chr‖delete‖%20from‖delete%20from‖;‖insert‖mid‖master.‖set‖chr(37)‖="
On Error Resume Next

If Request.QueryString <> "" Then
    Chk_badword = Split(Query_Badword, "‖")
    ' Check every query-string parameter against every blacklisted word
    For Each Query_Name In Request.QueryString
        For i8 = 0 To UBound(Chk_badword)
            If InStr(LCase(Request.QueryString(Query_Name)), Chk_badword(i8)) <> 0 Then
                Response.Write "<SCRIPT>alert('小样,想干啥!');window.location='/'</SCRIPT>"
                Response.End
            End If
        Next
    Next
End If
%>

After you get the data, just check it and refuse to allow ' and =, that is all.
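Both answers above filter characters out of the input before it reaches the concatenated query. The alternative is to stop building the query from strings at all and pass userid and pass as parameters, so the database never interprets them as SQL. The following is an added example written for this thread, not code from the question or either answer. It assumes, as the question's code does, that conn.asp opens an ADODB.Connection named conn, that the table is named user with columns username and pass (bracketed because user is a reserved word in Access and SQL Server), and that both columns are varchar(50); the parameter size of 50 and the parameter names @username and @pass are assumptions.

```asp
<!--#include file=conn.asp -->
<%
' Added example (not from the original question or answers).
' Assumes conn.asp provides an open ADODB.Connection named "conn".
Const adVarChar    = 200  ' ADO DataTypeEnum
Const adParamInput = 1    ' ADO ParameterDirectionEnum
Const adCmdText    = 1    ' ADO CommandTypeEnum

userid = Trim(Request("userid"))
pass   = Trim(Request("pass"))
check  = Trim(Request("check"))

If check <> "" Then
    If userid = "" Or pass = "" Then
        Response.Write "<SCRIPT language=JavaScript>alert('用户名或者密码没有输入');"
        Response.Write "window.location.href='index.asp';</SCRIPT>"
        Response.End
    End If

    ' Placeholders (?) instead of string concatenation: the values travel to the
    ' database as parameters, so quotes, "or", "=" etc. inside them are compared
    ' literally against the columns and cannot change the WHERE clause.
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT * FROM [user] WHERE username = ? AND pass = ?"
    ' Column length 50 is an assumption; use the real column sizes.
    cmd.Parameters.Append cmd.CreateParameter("@username", adVarChar, adParamInput, 50, userid)
    cmd.Parameters.Append cmd.CreateParameter("@pass", adVarChar, adParamInput, 50, pass)

    Set rs = cmd.Execute
    If rs.EOF Then
        Response.Write "<SCRIPT language=JavaScript>alert('用户名或者密码不对,请重新输入!');"
        Response.Write "window.location.href='index.asp'</SCRIPT>"
        Response.End
    End If

    ' Login succeeded: continue with whatever the original page did here
    ' (session setup, redirect), then release the objects.
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End If
%>
```

Two things worth noting when comparing this with the first answer's conn.asp filter: that filter only inspects Request.QueryString, while the login page reads its fields with Request("..."), which also returns Form (POST) values, so a posted login form is never checked by it; and a word list that blocks "and", "set" and "=" will also reject legitimate usernames and search terms. Parameters remove the need for the list. Comparing pass in plaintext is kept here only to stay close to the original code; storing and comparing a password hash is a separate change.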