昨晚,我接到了我们主管的电话,表示当他尝试使用虚拟密码登录我们的应用时,他的验证成功。
事实证明,点击鼠标验证密码的工作正常,因为无效密码的用户被拒绝访问。
但是,输入密码并点击键盘上的ENTER键将允许用户访问系统。
有谁知道为什么会这样,以及如何防止它继续发生?
Protected Sub btn_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btn.Click
Dim StrPass As String
Dim BValid As Boolean
Dim rs As SqlDataReader
Dim StrSQL As String
'Protect against SQL Injection
StrPass = Replace(txtPass.Text, "'", "''", 1, -1, 1)
' This is our boolean variable for validation purposes set to true if valid user
BValid = False
StrSQL = "select * from users u " & _
" Where u.pass =@pass"
' Initialize Database Connection
Dim connStr As String = ConfigurationManager.ConnectionStrings("dbconn").ConnectionString
Dim conn As New SqlConnection(connStr)
Dim cmd As New SqlCommand(StrSQL, conn)
'We use parametized query to prevent sql injection attack
Dim p1 As New SqlParameter("@pass", StrPass)
cmd.Parameters.Add(p1)
'Now open connection to the db
conn.Open()
'open recordset to receive db values
rs = cmd.ExecuteReader()
While rs.Read()
If rs("pass") <> "" Then
Session("pass") = txtPass.Text
BValid = True
Else
End If
End While
' No leaking allowed
conn.Close()
' This handles all response per validation
If BValid = True Then
dbto.Hide()
Else
'If all else fails, then reject their athentication attempt and let them hear it.
lblWrong.Text = "Incorrect pass entered."
End If
End Sub
“标记
<tr>
<td>
<asp:Label runat="server" ID="lblPass" Text="Please enter Password: " Font-Size="14pt"/>
<asp:TextBox runat="server" ID="txtPass" TextMode="Password" />
</td>
</tr>
<tr>
<td>
<asp:Button ID="btn" runat="server" Text="Submit" />
</td>
</tr>
<tr>
<td>
<asp:Label ID="lblWrong" runat="server" ForeColor="Red" Font-Names="Tahoma" />
</td>
</tr>
答案 0 :(得分:0)
将您的内容放入面板并指定默认按钮。