Subject: How secure is a JSP site built with UltraDev?

crystal_5d

Rank: Regular member
Level: 1
Gold: 0.0
Posts: 34
Joined: 2001/1/25 0:23:39
#1 2002/3/4 1:05:05
Especially the multi-level user authentication part: I always feel that at least some other things still have to be added by hand, just like with ASP.
What should one pay attention to in order to keep JSP files confidential?


[center][code]I love MX Studio !~~[/code][/center]

I''MAD

Rank: Regular member
Level: 8
Gold: 11.0
Posts: 9502
Joined: 2001/9/16 20:00:53
#2 2002/3/4 8:49:46
The official statement from MM (Macromedia)!~
Issue
The Log In User server behavior in Dreamweaver UltraDev version 4 can allow unauthorized users to successfully log in to a secured site.

Without implementing the code fix described below, a user with adequate coding knowledge can gain access without knowing either a username or password. This will allow them to be granted access permissions based on the first record in the validation table.

Web site security is an important and complex issue. Developers must research methodologies and determine the best approach to protect their sites from unauthorized access. No site can be completely secure. With proper precautions, however, a reasonable level of security can be achieved. More information on security issues is available from Carnegie Mellon and Microsoft, as well as other sources.

The Log In User server behavior should be considered a low-to-medium security mechanism. Malicious users can still obtain confidential information using packet sniffers and other tools.

Reason
The password validation code generated by UltraDev allows entry of character strings which can modify the SQL statement used to query the validation table.

Solution
Modify the code in the login page to prohibit the use of single quotes. This will ensure any characters entered in the username or password text boxes are treated as character strings and not as part of a SQL statement.

Insert and/or replace the lines identified below. Be sure to note your existing names for the following elements. After replacing the code, you must edit the new code to refer to your names.

login_table: Name of your login validation table.
username_field: Name of your username field in login_table.
password_field: Name of your password field in login_table.
password_textbox: Name of the password textbox on your login page.

VBScript:
Locate the following line:

MM_rsUser.Source = MM_rsUser.Source & " FROM login_table WHERE username_field='" & MM_valUsername &"' AND password_field='" & CStr(Request.FORM("password_textbox")) & "'"

Replace it with:

MM_rsUser.Source = MM_rsUser.Source & " FROM login_table WHERE username_field='" & Replace(MM_valUsername,"'","''") &"' AND password_field='" & Replace(Request.FORM("password_textbox"),"'","''") & "'"


JavaScript:
Locate the following line:

MM_rsUser.Source += " FROM login_table WHERE username_field='" + MM_valUsername + "' AND password_field='" + String(Request.FORM("password_textbox")) + "'";

Replace it with:

MM_rsUser.Source += " FROM login_table WHERE username_field='" + MM_valUsername.replace(/'/g, "''") + "' AND password_field='" + String(Request.FORM("password_textbox")).replace(/'/g, "''") + "'";


ColdFusion:
Locate the following line:

MM_valUsername=Evaluate("FORM." & "username_textbox");

Add the following line immediately below the above line:

MM_valPassword=Evaluate("FORM." & "password_textbox");

Next, locate the following line:

SELECT #MM_queryFieldList# FROM login_table WHERE username_field='#MM_valUsername#' AND password_field='#Evaluate("FORM." & "password_textbox")#'

Replace it with:

SELECT #MM_queryFieldList# FROM login_table WHERE username_field='#Replace(MM_valUsername,"\'"," ","ALL")#' AND password_field='#Replace(MM_valPassword,"\'"," ","ALL")#'


JSP:
Locate the following line:

String MM_valUsername=request.getParameter("username_textbox");

Add the following line immediately below the above line:

String MM_valPassword=request.getParameter("password_textbox");

Next, locate the following line:

MM_pSQL += " FROM login_table WHERE username_field='" + MM_valUsername + "' AND password_field='" + request.getParameter("password_textbox") + "'";

Replace it with:

MM_pSQL += " FROM login_table WHERE username_field='" + MM_valUsername.replace('\'', ' ') + "' AND password_field='" + MM_valPassword.replace('\'', ' ') + "'";


Last updated: February 28, 2001
Keywords: login, authorization, security
Created: February 16, 2001

Edit history: [This message was edited by Hmily (edited 2002-03-04 08:49:55)]
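
An added example, not taken from the TechNote quoted above or from any forum member: the login-query construction the advisory describes, written in JavaScript three ways so the effect of the fix can be checked offline without a database. `login_table`, `username_field` and `password_field` are the advisory's own placeholder names; the SELECT column list, the helper names and the sample input `O'Brien` are constructed for this example. The third form, a fixed statement with `?` placeholders and the values passed separately, is what a JDBC PreparedStatement does on the JSP side and is the form to prefer over quote-escaping, because the SQL text then never depends on user input and there is no escaping rule to miss.

```javascript
// Added example (not from the Macromedia TechNote or the forum posts): the
// login-query construction described in the advisory, written three ways so
// the effect of the fix can be checked offline. Table and column names are
// the placeholders the advisory uses; there is no database here, the point
// is what SQL text (or SQL plus parameters) would reach the database.

// Constructed column list standing in for the UltraDev-generated SELECT prefix.
const QUERY_PREFIX = "SELECT username_field, password_field";

// 1. The original UltraDev pattern: raw values concatenated into the WHERE
//    clause. A single quote in the input ends the string literal early, so
//    the rest of the input is no longer data but part of the statement.
function buildLoginQueryRaw(username, password) {
  return QUERY_PREFIX +
    " FROM login_table WHERE username_field='" + username +
    "' AND password_field='" + password + "'";
}

// 2. The advisory's fix: double every single quote so the value stays inside
//    its literal. It has to be applied to every interpolated value; the
//    advisory escapes both the username and the password.
function escapeSqlLiteral(value) {
  return String(value).replace(/'/g, "''");
}

function buildLoginQueryEscaped(username, password) {
  return QUERY_PREFIX +
    " FROM login_table WHERE username_field='" + escapeSqlLiteral(username) +
    "' AND password_field='" + escapeSqlLiteral(password) + "'";
}

// 3. The stronger design: a fixed statement with placeholders and the values
//    handed over separately (what a JDBC PreparedStatement does in JSP). The
//    SQL text is constant, so user input can never change its structure.
function buildLoginQueryParameterized(username, password) {
  return {
    sql: QUERY_PREFIX +
      " FROM login_table WHERE username_field=? AND password_field=?",
    params: [String(username), String(password)],
  };
}

// Check used below: a statement whose values all sit inside literals has an
// even number of single-quote characters. An odd count means an input
// broke out of its literal, which is exactly the defect the advisory fixes.
function hasBalancedQuotes(sql) {
  return (sql.match(/'/g) || []).length % 2 === 0;
}

// Constructed sample input: a legitimate name that contains an apostrophe.
const SAMPLE_USER = "O'Brien";
const SAMPLE_PASS = "correct horse";

function demo() {
  const raw = buildLoginQueryRaw(SAMPLE_USER, SAMPLE_PASS);
  const esc = buildLoginQueryEscaped(SAMPLE_USER, SAMPLE_PASS);
  const prm = buildLoginQueryParameterized(SAMPLE_USER, SAMPLE_PASS);
  return {
    rawBalanced: hasBalancedQuotes(raw),           // false: the apostrophe split the literal
    escapedBalanced: hasBalancedQuotes(esc),       // true: O''Brien stays one literal
    paramSqlHasInput: prm.sql.includes("O'Brien"), // false: input never enters the SQL text
    escaped: esc,
    parameterized: prm,
  };
}

console.log(demo());
```

Run it with node. An apostrophe in an ordinary name is enough to show the difference: the raw query ends up with an odd number of quotes because the literal was cut in two, the escaped query carries `O''Brien` as a single literal, and the parameterized form keeps the input out of the SQL text altogether. The same three shapes map directly onto the VBScript, JavaScript and JSP variants in the TechNote; only the escaping call differs.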


5D公害

Rank: Regular member
Level: 9
Gold: 10.3
Posts: 36272
Joined: 2002/1/13 9:52:57
#3 2002/3/4 9:58:08
The English makes my head spin. In a word: it is better than ASP.




5D荣誉斑竹

Rank: Regular member
Level: 3
Gold: 10.0
Posts: 1480
Joined: 2002/1/15 11:01:54
#5 2002/3/4 10:08:45
It depends more on the web application server you use.



crystal_5d

Rank: Regular member
Level: 1
Gold: 0.0
Posts: 34
Joined: 2001/1/25 0:23:39
#6 2002/3/5 10:11:22
deepdark said in the previous post
Quote:
It depends more on the web application server you use.


sun solaris 8



longdas

Rank: Regular member
Level: 1
Gold: 1.0
Posts: 142
Joined: 2002/3/5 15:11:46
#7 2002/3/5 15:24:28
Nice. Would Apache be a bit better?



5DJSP技术版主

Rank: Moderator
Level: 2
Gold: 10.0
Posts: 436
Joined: 2002/3/6 15:01:22
#8 2002/3/6 15:35:42
longdas said in the previous post
Quote:
Nice. Would Apache be a bit better?



APACHE is not a JSP server; TOMCAT is.

If you want security and confidentiality, write the program logic in JAVABEANs rather than in the JSP pages.



crystal_5d

Rank: Regular member
Level: 1
Gold: 0.0
Posts: 34
Joined: 2001/1/25 0:23:39
#9 2002/3/8 17:45:30
PANDORA said in the previous post
Quote:
longdas said in the previous post
Quote:
Nice. Would Apache be a bit better?



APACHE is not a JSP server; TOMCAT is.

If you want security and confidentiality, write the program logic in JAVABEANs rather than in the JSP pages.

Could you be a bit more specific? Thanks!!

