楼主你的代码没问题啊,你要分析什么?安全性吗?如果担心SQL注入安全,可以加代码,另外你可以规定用户名字和密码不能有非法字符才可以.
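' SQL injection filter (request blacklist).
' Every GET and POST value is scanned for the substrings listed below and the
' response is aborted on the first hit.
' NOTE(review): a substring blacklist is a weak control - it rejects legitimate
' input such as names containing "and" and only covers the spellings it lists.
' Binding user values with ADODB.Command parameters instead of concatenating
' them into SQL strings is the reliable fix; keep this filter only as an extra
' layer, never as the only one.
Dim Query_Badword, Form_Badword, Err_Message, Err_Web, form_name
'------ configuration: start ------------------------------------------------------------
Err_Message = 1 ' action on a hit: 1=show message, 2=redirect, 3=show message then redirect
Err_Web = "Err.Asp" ' page redirected to when Err_Message is 2 or 3
Query_Badword = "'‖and‖select‖update‖chr‖delete‖%20from‖;‖insert‖mid‖master.‖set‖chr(37)‖="
' forbidden substrings for GET parameters, separated by "‖"
' (entries are lower case because values are compared after LCase)
Form_Badword = "'‖%‖&‖*‖#‖@‖=‖select‖and‖set‖delete" ' forbidden substrings for POST fields, separated by "‖"
'------ configuration: end --------------------------------------------------------------
'
' No "On Error Resume Next" here: a runtime error inside a security filter must
' not let the request continue unchecked (fail closed, not open).

' Reject_Request: reports the hit according to Err_Message and ends the response.
' Err_Message is compared as a string so that both 1 and "1" select a branch;
' the original compared the number 1 against the string "1", which never
' matches in VBScript, so no branch ran.
Sub Reject_Request()
    Select Case CStr(Err_Message)
        Case "1"
            Response.Write "" ' message text is not part of this listing
        Case "2"
            Response.Redirect Err_Web
        Case "3"
            Response.Write "" ' message text is not part of this listing
            Response.Redirect Err_Web
    End Select
    Response.End
End Sub

' Check_Values: scans every value of the request collection Coll for any entry
' of the "‖"-separated list BadList (case-insensitive) and rejects on a hit.
Sub Check_Values(Coll, BadList)
    Dim bad, fld, val, k
    bad = Split(BadList, "‖")
    For Each fld In Coll
        val = LCase(Coll(fld))
        For k = 0 To UBound(bad)
            If InStr(val, bad(k)) > 0 Then Reject_Request
        Next
    Next
End Sub

'----- filter GET query values
If Request.QueryString <> "" Then Check_Values Request.QueryString, Query_Badword
'----- filter POST form values
If Request.Form <> "" Then Check_Values Request.Form, Form_Badword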
二次回答:
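<%
' Admin login handler.
' Runs only when the "login" field was posted: validates name, password and
' captcha, looks the admin up with a parameterised query, compares the stored
' password hash and on success issues the Mweb_Admin cookie and redirects.
' Depends on conn (an open ADODB connection), md5() (a site-provided function,
' VBScript has none) and Session("safenum") (the expected captcha value) being
' set up elsewhere on the site.
' The Response.Write "" calls are message placeholders whose text is not in
' this listing.
If Trim(Request.Form("login")) <> "" Then
    ' --- required fields --------------------------------------------------
    admin_name = Trim(Request.Form("admin_name"))
    If admin_name = "" Then
        Response.Write ""
        Response.End
    End If
    If Trim(Request.Form("admin_pass")) = "" Then
        Response.Write ""
        Response.End
    End If
    admin_pass = md5(Trim(Request.Form("admin_pass")))
    ' --- captcha ------------------------------------------------------------
    ' Read the code from the posted form only; the original mixed
    ' Request.Form("code") and Request("code"), the latter also accepting a
    ' query-string value. Plain string equality, no SQL involved.
    If Trim(Request.Form("code")) = "" Then
        Response.Write ""
        Response.End
    End If
    If Trim(Session("safenum")) <> Trim(Request.Form("code")) Then
        Response.Write ""
        Response.End
    End If
    ' --- lookup -------------------------------------------------------------
    ' Bind admin_name as a parameter: the original pasted it into the SQL text,
    ' so a name containing a quote could change the statement.
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn ' assumes conn is an ADODB.Connection object - confirm in conn.asp
    cmd.CommandText = "select * from Admin where admin_name=?"
    cmd.CommandType = 1 ' adCmdText
    cmd.Parameters.Append cmd.CreateParameter("admin_name", 200, 1, Len(admin_name), admin_name) ' adVarChar, adParamInput
    Set rs = Server.CreateObject("ADODB.Recordset")
    rs.Open cmd, , 1, 3 ' same cursor/lock type as the original (1=adOpenKeyset, 3=adLockOptimistic)
    If rs.EOF And rs.BOF Then
        Response.Write ""
        Response.End
    End If
    If rs("admin_pass") <> admin_pass Then
        Response.Write ""
        Response.End
    End If
    ' --- login cookie -------------------------------------------------------
    ' NOTE(review): the cookie carries the password hash as the credential and
    ' is issued without the Secure flag, so whoever reads it can reuse it until
    ' it expires. A random server-side session id would be the usual
    ' replacement; the keys are kept here because other pages presumably read
    ' them - verify before changing.
    Response.Cookies("Mweb_Admin")("admin_name") = rs("admin_name")
    Response.Cookies("Mweb_Admin")("admin_pass") = rs("admin_pass")
    Response.Cookies("Mweb_Admin")("admin_id") = rs("id")
    ' Lifetime chosen by the form's cook_time option; any other value leaves a
    ' session cookie (no Expires), as in the original.
    Select Case Trim(Request.Form("cook_time"))
        Case "1": cook_days = 1
        Case "2": cook_days = 7
        Case "3": cook_days = 30
        Case "4": cook_days = 365
        Case Else: cook_days = 0
    End Select
    If cook_days > 0 Then
        ' Expires accepts a Date directly; the original passed a vbLongDate
        ' string, whose parsing depends on the server locale.
        Response.Cookies("Mweb_Admin").Expires = DateAdd("d", cook_days, Date)
    End If
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
    Response.Redirect "index.asp"
End If
%>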
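' Member login: reads the posted name/password, looks the user up and stores
' the name in the session on success.
' Depends on conn (an open ADODB connection) set up elsewhere.
' The Response.Write "" calls are message placeholders whose text is not in
' this listing.
Session.Timeout = 30
' Session lifetime in minutes - Session.Timeout is measured in minutes, not
' seconds as the original note said.
ghao = Trim(Request.Form("ghao"))
pass = Trim(Request.Form("pass"))
' user name and password from the form
If ghao = "" Or pass = "" Then
    ' empty name or password: show the message and go back to the home page
    Response.Write ""
    Response.Write ""
Else
    ' Look the user up with bound parameters; the original concatenated ghao
    ' and pass into the SQL text, so a value containing a quote could change
    ' the statement. [user] is bracketed because user is a reserved word.
    ' NOTE(review): the password is compared in clear text by the database;
    ' storing and comparing a hash would be the usual practice.
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn ' assumes conn is an ADODB.Connection object - confirm in conn.asp
    cmd.CommandText = "select * from [user] where ghao=? and pass=?"
    cmd.CommandType = 1 ' adCmdText
    cmd.Parameters.Append cmd.CreateParameter("ghao", 200, 1, Len(ghao), ghao) ' adVarChar, adParamInput
    cmd.Parameters.Append cmd.CreateParameter("pass", 200, 1, Len(pass), pass)
    Set rs = Server.CreateObject("ADODB.Recordset")
    rs.Open cmd, , 1, 1 ' same cursor/lock type as the original (1=adOpenKeyset, 1=adLockReadOnly)
    If Not rs.EOF Then
        ' a matching row: remember the user in the session
        Session("ghao") = ghao
    Else
        ' no row with this name/password: show the error and return to the home page
        Response.Write ""
        Response.Write ""
        Response.End
    End If
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End If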
加上 dim ghao, pass
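' Declare the two form values before use (required once Option Explicit is on).
Dim ghao, pass
ghao = Trim(Request.Form("ghao"))
pass = Trim(Request.Form("pass"))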
改为
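ghao = Trim(Request.Form("ghao"))
' Strip single quotes from the name. Was "replacr", which is not a VBScript
' function and would fail at runtime.
ghao = Replace(ghao, "'", "")
pass = Trim(Request.Form("pass"))
' NOTE(review): removing the quote narrows one pattern only, and pass is still
' concatenated unfiltered into the SQL text; binding both values as
' ADODB.Command parameters is the reliable fix.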
这样做是为了过滤掉表单中的'
-----------------------------------
' Two message writes; the text is not part of this listing.
Response.Write ""
Response.Write ""
改为
' Write the two messages, then stop the page so nothing after them runs.
Response.Write ""
Response.Write ""
Response.End
------------------
' Before: ghao and pass are pasted straight into the SQL text, so a value
' containing a quote changes the statement instead of being compared as data.
sql="select * from user where ghao='"&ghao&"' and pass='"&pass&"'"
改为:
' After: [user] bracket-quotes the reserved table name (SQL Server / Access
' syntax). The values are still concatenated into the text; bracket quoting
' does not change that - only parameter binding does.
sql="select * from [user] where ghao='"&ghao&"' and pass='"&pass&"'"
这里给user加上[],因为user是系统保留字