Using ASP technology to write a program that hides user passwords
Excerpt from: Software World Author: Agan
A permission-protected query on the Internet (or an intranet) is one that only "legitimate users" can enter. This mechanism is implemented through web programs. If the program is poorly designed, the user's password is exposed in the address bar during the visit (for example, http://www.mmm.nnn/default.asp?superusername=john&passwd=john123 exposes both the user name john and the password john123), so the system has no confidentiality or security to speak of. How can this be avoided? This article uses an ASP (Active Server Pages) program to explain how to hide user names and passwords.
ASP is one of Microsoft's newest technologies for handling dynamic web databases. ASP pages are interpreted and published by the web server IIS 4.0 (Microsoft Internet Information Server 4.0) on the Windows NT platform, and they access multiple databases (in the background) through the ADO (ActiveX Data Objects) component and ODBC (Open Database Connectivity). The database used in this article is Oracle8. The following ASP program (named default.asp) performs database query operations; only the part that hides the user name and password is described here.
<% web_user = Request("web_user") ' Web user name %>
<% web_user_passwd = Request("web_user_passwd") ' Web user password %>
<% ' "Encrypt" the web user name and password: add 32 to the ASCII code of each character, from left to right, to build a new string. From this point on, the address bar shows the "encrypted" user name and password rather than the real ones, which achieves the confidentiality purpose %>
<% temp1 = "" %>
<% For i = 1 To Len(web_user) %>
<% temp2 = Mid(web_user, i, 1) %>
<% temp2 = Chr(Asc(temp2) + 32) %>
<% temp1 = temp1 & temp2 %>
<% Next %>
<% web_user = temp1 %>
<% temp1 = "" %>
<% For i = 1 To Len(web_user_passwd) %>
<% temp2 = Mid(web_user_passwd, i, 1) %>
<% temp2 = Chr(Asc(temp2) + 32) %>
<% temp1 = temp1 & temp2 %>
<% Next %>
<% web_user_passwd = temp1 %>
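<% ' Establish a connection to the database; define the ODBC name (ODBCNAME), the Oracle user name (orauser) and its password (ORAUSER_PASSWD) %>
<% Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Odbcname", "Orauser", "ORAUSER_PASSWD"
%>
<% ' Build the query (SQL statement); the password is bound as a parameter instead of being concatenated into the SQL text %>
<%
var_sql = "SELECT * FROM verifytab, dw_tab WHERE verifytab.user_pd = ?"
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = var_sql
cmd.Parameters.Append cmd.CreateParameter("user_pd", 200, 1, 255, web_user_passwd) ' 200 = adVarChar, 1 = adParamInput
Set rs = cmd.Execute ' Matching records are returned in rs %>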
<% ' Convert the user name and password back to their correct values; at this point they no longer appear in the address bar, which meets the confidentiality requirement %>
<% temp1 = "" %>
<% For i = 1 To Len(web_user) %>
<% temp2 = Mid(web_user, i, 1) %>
<% temp2 = Chr(Asc(temp2) - 32) %>
<% temp1 = temp1 & temp2 %>
<% Next %>
<% web_user = temp1 %>
<% temp1 = "" %>
<% For i = 1 To Len(web_user_passwd) %>
<% temp2 = Mid(web_user_passwd, i, 1) %>
<% temp2 = Chr(Asc(temp2) - 32) %>
<% temp1 = temp1 & temp2 %>
<% Next %>
<% web_user_passwd = temp1 %>
<% ' Verify that the web user name and password entered are correct; if they are not, return to default.htm, which is the default document served by IIS %>
<% If web_user = "Superuser" And web_user_passwd = "SUPERUSERPD" Then
Else
If rs.EOF Then
Response.Redirect("default.htm")
End If
End If
%>
<% ' Below is a form interface designed with FrontPage 98; its content is omitted %>
......
You may wish to try it: no unsafe information appears on the browser side, and the confidentiality effect is good.
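The two loops above apply a fixed shift of 32 with no key, so the string that ends up in the address bar carries the same information as the password itself. The Python model below is an added example, not code from the original article: it reproduces both loops, applies the second one to a constructed URL, and contrasts the shift with a salted one-way record. The function names, the sample URL, its Latin-1 percent-encoding and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlsplit

SHIFT = 32  # constant from the article's Chr(Asc(c) + 32) loops

def shift_encode(text):
    """Model of the article's first loop: add 32 to every character code."""
    codes = [ord(ch) + SHIFT for ch in text]
    if any(code > 255 for code in codes):
        # VBScript's Chr() accepts 0..255 only, so codes above 223 cannot be shifted
        raise ValueError("character code above 223 cannot be shifted")
    return "".join(map(chr, codes))

def shift_decode(text):
    """Model of the second loop: subtract 32. No key or secret is involved."""
    return "".join(chr(ord(ch) - SHIFT) for ch in text)

def password_from_logged_url(url, field="passwd"):
    """What any history entry, proxy log or server log holding the URL reveals."""
    query = parse_qs(urlsplit(url).query, encoding="latin-1")
    return shift_decode(query[field][0])

def make_record(password, iterations=200_000):
    """Assumed alternative for storage: salted one-way PBKDF2 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify(password, record):
    """Recompute the digest and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

# Constructed sample: the article's john / john123 after the +32 loop, as the
# percent-encoded bytes (Latin-1 assumed) would sit in an address bar or log.
SAMPLE_URL = ("http://www.mmm.nnn/default.asp"
              "?superusername=%8A%8F%88%8E&passwd=%8A%8F%88%8EQRS")

if __name__ == "__main__":
    print(repr(shift_encode("john123")))         # shifted form, no secret added
    print(password_from_logged_url(SAMPLE_URL))  # second loop applied to the URL
    print(verify("john123", make_record("john123")))
```

Keeping the credential out of the URL altogether (a form submitted with POST over an encrypted connection) removes it from the address bar and from URL logs, which the shift does not.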