0
昨天晚上,我收到了來自主管的電話,表示當他試圖用虛擬密碼登錄我們的應用程序時,他的驗證成功。使用密鑰按鍵問題進行表單驗證
事實證明,點擊鼠標來驗證密碼的效果很好,因爲無效密碼的用戶被拒絕訪問。
但是,在鍵盤上輸入密碼並按下ENTER鍵將允許用戶訪問系統。
有誰知道爲什麼會發生這種情況,以及如何防止它繼續發生?
Protected Sub btn_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btn.Click
Dim StrPass As String
Dim BValid As Boolean
Dim rs As SqlDataReader
Dim StrSQL As String
'Protect against SQL Injection
StrPass = Replace(txtPass.Text, "'", "''", 1, -1, 1)
' This is our boolean variable for validation purposes set to true if valid user
BValid = False
StrSQL = "select * from users u " & _
" Where u.pass [email protected]"
' Initialize Database Connection
Dim connStr As String = ConfigurationManager.ConnectionStrings("dbconn").ConnectionString
Dim conn As New SqlConnection(connStr)
Dim cmd As New SqlCommand(StrSQL, conn)
'We use parametized query to prevent sql injection attack
Dim p1 As New SqlParameter("@pass", StrPass)
cmd.Parameters.Add(p1)
'Now open connection to the db
conn.Open()
'open recordset to receive db values
rs = cmd.ExecuteReader()
While rs.Read()
If rs("pass") <> "" Then
Session("pass") = txtPass.Text
BValid = True
Else
End If
End While
' No leaking allowed
conn.Close()
' This handles all response per validation
If BValid = True Then
dbto.Hide()
Else
'If all else fails, then reject their athentication attempt and let them hear it.
lblWrong.Text = "Incorrect pass entered."
End If
End Sub
「標記
<tr>
<td>
<asp:Label runat="server" ID="lblPass" Text="Please enter Password: " Font-Size="14pt"/>
<asp:TextBox runat="server" ID="txtPass" TextMode="Password" />
</td>
</tr>
<tr>
<td>
<asp:Button ID="btn" runat="server" Text="Submit" />
</td>
</tr>
<tr>
<td>
<asp:Label ID="lblWrong" runat="server" ForeColor="Red" Font-Names="Tahoma" />
</td>
</tr>
林假設一下按鈕點擊上面的套路,但並按下回車鍵打呢? –
@Dylan,不,這是問題。擊中「輸入」似乎沒有任何效果。因此,它只是忽略它。 –