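<%
' ******************************************************************************************
' added 16/03/06: sql injection prevention functions
' usage -
'   stripQuotes(stringToClean) - optional, if we want to keep quotes
'   sanitize(stringToClean)
'
' NOTE(review): both helpers are string filters, not parameterisation. The login
' query on this page is a constant (no user input is concatenated into it), so
' they do not protect the SQL here; they only normalise the submitted values
' before they are compared with the recordset in VBScript.
' ******************************************************************************************

' Escapes single quotes for use inside an SQL string literal.
' strWords - the string to escape.
' Returns strWords with every ' doubled ('').
function stripQuotes(strWords)
    stripQuotes = replace(strWords, "'", "''")
end function

' Removes a fixed list of SQL keywords and punctuation from strWords.
' This is a blacklist filter: each token is removed once, in list order, so it
' only addresses the literal substrings listed (a removal can leave a new
' occurrence of a listed token behind) and it also alters legitimate input -
' a user name or password containing "select" or "&" will no longer equal the
' stored value. Callers that need safe SQL should use parameters instead.
' strWords - the string to clean.
' Returns a cleaned copy of strWords; strWords itself is not modified.
function sanitize(strWords)
    dim badChars
    dim newChars
    dim i

    ' the ultra mega ok version
    'badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_", "#", "%", "&", "'", "(", ")", "/", "\", ":", ";", "<", ">", "=", "[", "]", "?", "`", "|")

    ' a little less strict version
    badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_", "#", "%", "&", "'", ";", "=", "?", "`", "|")

    newChars = strWords
    for i = 0 to uBound(badChars)
        newChars = replace(newChars, badChars(i), "")
    next
    sanitize = newChars
end function
' ******************************************************************************************

if Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    strUser = sanitize( request.form("user") )
    strPass = sanitize( request.Form("pass") )

    ' Constant query: every row of T_USERS is fetched and compared below.
    strSQL = "SELECT * FROM T_USERS"
    Set Rs = Server.CreateObject("ADODB.Recordset")
    Rs.ActiveConnection = strConn
    Rs.Source = strSQL
    Rs.CursorType = 0       ' adOpenForwardOnly
    Rs.CursorLocation = 2   ' adUseServer
    Rs.LockType = 1         ' adLockReadOnly
    Rs.Open()

    ' userFound starts at 0 and is only ever raised to 1. The previous loop
    ' reset it to 0 on every non-matching row, so a match was lost unless the
    ' matching user happened to be the last row of T_USERS. The loop also
    ' handles an empty table: MoveFirst is not called, because it raises an
    ' error on an empty recordset, and an opened recordset is already
    ' positioned on its first row.
    userFound = 0
    theUser = ""
    Do While Not Rs.EOF
        ' VBScript "=" on strings is a binary (case-sensitive) comparison.
        ' NOTE(review): uPASSWORD is compared directly with the submitted
        ' value; whether it stores a plaintext password or a digest is not
        ' visible here - confirm against the schema and the code that writes it.
        if strUser = rs("uUSERNAME") AND strPass = rs("uPASSWORD") Then
            userFound = 1
            theUser = rs("uUSERNAME")
            Exit Do
        End if
        Rs.MoveNext
    Loop
    Rs.close()
    set Rs = nothing

    if userFound = 1 Then
        ' Session("username") carries the stored spelling of the name, not the
        ' submitted one.
        Session("adminLogged") = true
        Session("username") = theUser
        response.Redirect("./?")
    else
        response.Redirect("login.asp?error=nouser")
    end if
else
%>
Simpleblog 2.3
  SIMPLEBLOG 3.0
user name:
password:
    <% if request.QueryString("error") = "nouser" Then %> ! Error: user not found <% end if %>
 
<% end if %>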