|
#2
卜酷塔2008-06-14 13:49
|
有一登陆界面,输入字母、符号不用密码也能进去,而且加了判断也没用,麻烦各位高手帮忙看看:
代码如下:
<!--#include file="..\Data\Data_connect.asp"-->
<%
uid=trim(Request("user_name"))
upwd=trim(Request("user_password"))
role=trim(Request("user_role"))
if uid="" then
Response.Write "<script language=JavaScript>{window.alert('登录帐号不得为空!');window.history.go(-1);}</script>"
end if
if instr(1,uid,",")>=1 then
Response.Write "<script language=JavaScript>{window.alert('登录帐号不得包含逗号!');window.history.go(-1);}</script>"
end if
if instr(1,uid,"'")>=1 then
Response.Write "<script language=JavaScript>{window.alert('登录帐号不得包含单引号!');window.history.go(-1);}</script>"
end if
'判断帐号及密码是否正确
set recCheckUser=server.CreateObject("ADODB.recordset")
if role="教 师" then
strSQL="select * from [user] where name_id='"&uid& "' and password='"&upwd& "'"
recCheckUser.Open strSQL,conn,1,1
if not recCheckUser.EOF then
'如果用户帐号及密码正确
session("User")=uid
Session("Department")=recCheckUser("department")
response.redirect "../Worker/index.asp"
else
'用户帐号及密码不正确
recCheckUser.Close
set recCheckUser=nothing
set conn=nothing
Response.Write "<script language=JavaScript>{window.alert('您输入的帐号及密码错误,请重新输入!');window.history.go(-1);}</script>"
end if
end if
if role="管 理" then
strSQL="select * from [admin] where name='"&uid& "' and password='"&upwd& "'"
recCheckUser.Open strSQL,conn,1,1
if not recCheckUser.EOF then
'如果用户帐号及密码正确
session("User")=uid
Session("Department")=recCheckUser("department")
Session("Role")=recCheckUser("role")
response.redirect "../System/System_Index.asp"
else
'用户帐号及密码不正确
recCheckUser.Close
set recCheckUser=nothing
set conn=nothing
Response.Write "<script language=JavaScript>{window.alert('您输入的管理员帐号及密码错误,请重新输入!');window.history.go(-1);}</script>"
end if
end if
%>