The 'or' = 'or' Vulnerability in ASP Back-End Management Systems
Source: Internet
Author: User
ASP is only a technology, a runtime environment. Back-end management systems are not all written in ASP; they may also use PHP, JSP, CGI, ASPX, or other technologies. ASP simply happens to be a popular technology at present. The 'or' = 'or' vulnerability you mentioned is a logic flaw introduced when the program was written, not a vulnerability in ASP itself. It is called an "injection vulnerability".

The principle is as follows. When entering the user name and password, the user submits a carefully constructed user name "a' or username <> 'a" with the password "a' or PWD <> 'a". The program's check is the statement:

    select * From user_table where username = 'username' and Pwd = 'password'

After the submitted user name and password are substituted in, it becomes:

    select * From user_table where username = 'a' or username <> 'a' and Pwd = 'a' or PWD <> 'a'

This is where the logic flaw appears. The program concludes that both the user name and the password are correct, assigns the user name to the session as if the login had succeeded, and the user enters the back end.

The solution is to use the Replace() function to filter out "'", and also to limit the number of characters accepted in the user name and password input boxes. If the other party does not know the names of the user name and password fields in the database, the password cannot be cracked.
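The login check described above, as an added example that is not part of the original article: Python with sqlite3 stands in for ASP and its database so the comparison runs offline, and it sets the concatenated query beside the article's Replace()-plus-length-limit fix and a parameterized query, which the article does not mention. The sample rows, the 20-character limit and the function names are assumptions; the crafted user name and password are the article's, with their single quotes written out.

```python
import sqlite3

# Constructed sample data; table and column names follow the article's query.
USER_PAYLOAD = "a' or username<>'a"   # the article's crafted user name
PWD_PAYLOAD = "a' or PWD<>'a"         # the article's crafted password
MAX_LEN = 20                          # assumed input-box limit

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_table (username TEXT, Pwd TEXT)")
    db.executemany("INSERT INTO user_table VALUES (?, ?)",
                   [("admin", "sample-pass-1"), ("o'brien", "sample-pass-2")])
    return db

def login_concat(db, username, password):
    """Flawed check: user input is pasted into the SQL text."""
    sql = ("select * From user_table where username = '" + username +
           "' and Pwd = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def clean(value):
    """The article's fix: strip "'" (ASP Replace) and cap the length."""
    return value.replace("'", "")[:MAX_LEN]

def login_replace(db, username, password):
    return login_concat(db, clean(username), clean(password))

def login_param(db, username, password):
    """Placeholders keep input as data, so quotes need no special handling."""
    sql = "select * From user_table where username = ? and Pwd = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    for name, check in [("concatenated", login_concat),
                        ("Replace + length cap", login_replace),
                        ("parameterized", login_param)]:
        print(name, "accepts crafted input:",
              check(db, USER_PAYLOAD, PWD_PAYLOAD))
    print("Replace version, real user o'brien:",
          login_replace(db, "o'brien", "sample-pass-2"))
    print("parameterized, real user o'brien:",
          login_param(db, "o'brien", "sample-pass-2"))
```

The Replace() version rejects the crafted input but also rejects the legitimate user whose name contains a quote, because stripping changes the data. The parameterized version rejects the crafted input and still accepts that user.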