Identity authentication security for ASP programming

In ASP programming, identity authentication can be said to be used frequently. But how to achieve the security of certification?

Form Submission page: sub.htm

　　 　　<title>管理员登陆＜/title>
　　<body>
　　<form name="form1" method="post" action="sub.asp">
　　<p> 管理员:
　　<input type="text" name="UserID" size="25" maxlength="20">Password

<input type="text" name="Pass" size="12" maxlength="20">
　　<input type="submit" name="Submit" value="提交">
　　</p>
　　</form>
　　</body>
　　

Sub.asp Program

<%

Receive data from a form

user=request.from("UserID")

Check whether the data submitted by the form is empty (the form page may be controlled by JavaScript or VBScript, but don't forget to control here!)

if user="" thenGo to the error prompt page!

response.redirect "err1.htm"

This sentence may not be useful, but add it as well!

response.end
　　end if
　　pass=request.from("Pass")
　　if pass="" then
　　response.redirect "err2.htm"
　　response.end
　　end if

Join database

file=server.mappath("你的数据库")
　　set conn=server.createobject("adodb.connection")
　　dr="driver={microsoft access driver (*.mdb)};dbq="&file
　　conn.open dr
　　set rs=server.createobject("adodb.recordset")

The key is the SQL language here

sql="select * from 表 where user= "&user&" and pass= "&pass&" "
　　rs.open sql
　　if not rs.eof then

If you find it, go to the admin page.

reponse.redirect "login.asp"
　　else

Go to the wrong page without finding it

response.write "err3.htm"
　　end if
　　%>

We feel that the above code should be no problem ah, but here is a serious security risk:

If I want to log in to the administrator, you can enter in the Sub.htm form input box:

Enter the first text box: A or 1 = 1 or =

Enter the second text box: A or 1 = 1 or =

Submit, you will see ... "Woo, listen to me say good, bricks will be thrown over again ..."

"A" and "1" are any characters

Some people will ask why you enter these characters as an administrator to enter it??

In fact, these characters are for your program in the SQL language deception, and the successful entry of the

Everyone look: In the Start program SQL is the record that queries the table to satisfy the user= "&user&" and pass= "&pass&" condition

Sql= "SELECT * from table where user=" &user& "and pass=" &pass& ""

I entered the above code and became the following:

Sql= "SELECT * from table where user= A or 1 = 1 and pass= A or 1 = 1"

Can you see the reason for not entering?? Give me a reason not to enter, first!

The above user pass field is a character type if it is the same as the number of the same reason!