In ASP applications, a carelessly written program can let an outsider take control of the database.
The following is a simple piece of code for changing a user's password:
---------------------
Username = Request("user_name")
Pwd = Request("PWD")
' Double any single quote in the raw request values
Username = Replace(Username, "'", "''")
Pwd = Replace(Pwd, "'", "''")
SQL = "Update tbl_test Set Pwd = '" & Pwd & "' Where uid = '" & Username & "'"
Set Rs = Conn.Execute(SQL)
---------------------
Now suppose I register a user whose user name is AA'; Exec sp_addlogin 'haha
What happens when that user changes the password (assuming the new password is pp)?
The SQL becomes: Update tbl_test Set Pwd = 'pp' Where uid = 'AA'; Exec sp_addlogin 'haha'
The result is that no password is modified, because there is no user named AA,
but a new login named haha has been created in your database.
By varying the user name slightly, an attacker can run any SQL statement or any SQL system stored procedure,
all without your knowledge. The above is only one example: with a slightly different user name,
the attacker can add a DBA account, delete records, read user passwords,
and perform other unauthorized operations.
Solution:
Strictly check every parameter before you use it, especially parameters entered by the user.
Check the data type and the length, and check the content as well.
Let's look at another piece of code (user login):
---------------------
Username = Request("user_name")
Pwd = Request("PWD")
Username = Replace(Username, "'", "''")
Pwd = Replace(Pwd, "'", "''")
SQL = "Select uid, PWD From account Where uid = '" & Username & "' And Pwd = '" & Pwd & "'"
Rs.Open SQL, Conn, 1, 1
If Not Rs.EOF Then
    Response.Write Rs(0) & " Welcome, you have logged in successfully"
Else
    Response.Write "Login failed, incorrect username or password"
End If
............
---------------------
The vulnerability in the program above is obvious.
With Username: admin and Password: a' or '1' = '1
we can log on as the admin account with no effort,
because our SQL becomes
Select uid, PWD From account Where uid = 'admin' And Pwd = 'a' Or '1' = '1'
Clearly, uid = 'admin' and Pwd = 'a' or '1' = '1' is always true, so Rs.EOF is False.
The correct statement should be:
---------------------
SQL = "Select uid, PWD From account Where uid = '" & Username & "' And Pwd = '" & Pwd & "'"
Rs.Open SQL, Conn, 1, 1
If Not Rs.EOF Then
    ' Compare the returned row with what the user submitted; a row that
    ' matched only because of an injected Or clause fails this check.
    If Rs(0) = Username And Rs(1) = Pwd Then
        Response.Write Rs(0) & " Welcome, you have logged in successfully"
    Else
        Response.Write "Login failed, incorrect username or password"
    End If
Else
    Response.Write "Login failed, incorrect username or password"
End If
---------------------
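The Solution section above asks for a type, length and content check on every parameter, and the corrected login above still builds its SQL text by concatenation, so the shape of the query still depends on user input. The following is an added example, not code from the original article: it applies a whitelist check to the user name and then runs both operations on this page (the password update and the login query) through ADODB.Command parameters, so the values never become part of the SQL text. Parameterized commands are a technique the article itself does not mention. It assumes Conn is an open ADODB.Connection and uses the tables tbl_test(uid, Pwd) and account(uid, PWD) from the article; the user-name policy (3 to 20 letters, digits or underscores) is an assumption for this example, and the ADO constants are the standard values.

```vbscript
' Added example, not code from the original article.
' Assumes: Conn is an open ADODB.Connection; the tables tbl_test(uid, Pwd)
' and account(uid, PWD) are the ones used in the article.
' Standard ADO constant values, spelled out because classic ASP pages
' do not include adovbs.inc by default.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

' Content check: the user name may only be 3 to 20 letters, digits or
' underscores. The policy itself is an assumption for this example.
Function IsValidUserName(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_]{3,20}$"
    IsValidUserName = re.Test(s)
End Function

' Length check for the password. Its content is not restricted, because it
' is passed as a parameter below and never spliced into SQL text.
Function IsValidPassword(s)
    IsValidPassword = (Len(s) >= 8 And Len(s) <= 64)
End Function

' Build a command whose SQL text is fixed; user values travel as parameters.
Function NewCommand(sqlText)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sqlText
    Set NewCommand = cmd
End Function

' Input string parameter of the given maximum size.
Function StrParam(cmd, name, size, value)
    Set StrParam = cmd.CreateParameter(name, adVarChar, adParamInput, size, value)
End Function

' Password change (the first snippet on this page, hardened).
Sub ChangePassword(userName, newPwd)
    Dim cmd
    Set cmd = NewCommand("Update tbl_test Set Pwd = ? Where uid = ?")
    cmd.Parameters.Append StrParam(cmd, "Pwd", 64, newPwd)
    cmd.Parameters.Append StrParam(cmd, "uid", 20, userName)
    cmd.Execute
End Sub

' Login (the second snippet on this page, hardened). Returns True only when
' a row matches the user name and the returned row agrees with the input.
Function CheckLogin(userName, pwd)
    Dim cmd, rs
    Set cmd = NewCommand("Select uid, PWD From account Where uid = ? And PWD = ?")
    cmd.Parameters.Append StrParam(cmd, "uid", 20, userName)
    cmd.Parameters.Append StrParam(cmd, "PWD", 64, pwd)
    Set rs = cmd.Execute
    CheckLogin = False
    If Not rs.EOF Then
        ' Same comparison as in the corrected login above, kept as a second check.
        If rs(0) = userName And rs(1) = pwd Then CheckLogin = True
    End If
    rs.Close
End Function

' Request handling: reject malformed input before it reaches the database.
Dim Username, Pwd
Username = Request("user_name")
Pwd = Request("PWD")

If Not IsValidUserName(Username) Or Not IsValidPassword(Pwd) Then
    Response.Write "Login failed, incorrect username or password"
ElseIf CheckLogin(Username, Pwd) Then
    Response.Write Username & " Welcome, you have logged in successfully"
Else
    Response.Write "Login failed, incorrect username or password"
End If
```

With parameters, a user name such as the one in the sp_addlogin example is stored and compared as a plain string and cannot terminate the statement, and the whitelist rejects it before the database is reached at all. A second, independent mitigation for the scenario on this page is the privilege of the database account the ASP application connects with: sp_addlogin requires membership in the sysadmin or securityadmin server role, so an application account limited to the tables it needs cannot create logins even if an injection does get through.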