chrismartz
10-08-2004, 11:24 PM
On a asp site I have, if you put ' or 'a'='ainto the username and password it logs in.....how can i stop this? Here is how I get to my db and check stuff. <% If Request.Form("id")= "" or Request.Form("password")="" then
Response.Redirect "index.asp?action=failed"
end if
%>
<%
Dim objDC, objRS, sql, RS, id, password
id = Request.Form("id")
password = Request.Form("password")
Set objDC = Server.CreateObject("ADODB.Connection")
objRS = "DRIVER={Microsoft Access Driver (*.mdb)};"
objDC.Open "DBQ=" & Server.MapPath("zytre45.mdb") & ";Driver={Microsoft Access Driver (*.mdb)};DriverId=25;MaxBufferSize=8192;Threads=20;", "user", "password"
sql = "select id from homework where id = " & (id) & ""
sql = sql & " and password = '" & (password) & "'"
Set RS = objDC.Execute(sql)
If RS.BOF AND RS.EOF Then
Response.Redirect "index.asp?action=failed"
Else
Response.Cookies("teacher")("id")=(id)
Response.Cookies("teacher")("password")=""
Response.Redirect "teacherhome.asp?id=" & (id) &""
End If
%> also, if you have a site that logs in with asp check to make sure you have this problem fixed!
Response.Redirect "index.asp?action=failed"
end if
%>
<%
Dim objDC, objRS, sql, RS, id, password
id = Request.Form("id")
password = Request.Form("password")
Set objDC = Server.CreateObject("ADODB.Connection")
objRS = "DRIVER={Microsoft Access Driver (*.mdb)};"
objDC.Open "DBQ=" & Server.MapPath("zytre45.mdb") & ";Driver={Microsoft Access Driver (*.mdb)};DriverId=25;MaxBufferSize=8192;Threads=20;", "user", "password"
sql = "select id from homework where id = " & (id) & ""
sql = sql & " and password = '" & (password) & "'"
Set RS = objDC.Execute(sql)
If RS.BOF AND RS.EOF Then
Response.Redirect "index.asp?action=failed"
Else
Response.Cookies("teacher")("id")=(id)
Response.Cookies("teacher")("password")=""
Response.Redirect "teacherhome.asp?id=" & (id) &""
End If
%> also, if you have a site that logs in with asp check to make sure you have this problem fixed!