username and password validation

#1
June 16th, 2006, 06:25 PM
Eugene Anthony (Guest)
username and password validation

Is this method of validation for password and username considered to be
secure? In my previous post I was given a solution that uses a command
object and the values are passed by parameters. But the solution only
worked well for insert and delete, not select.

<%
if Request.QueryString("Action") = 1 then
    username = Trim(request.form("username"))
    password = Trim(request.form("password"))
    if username <> "" and password <> "" then
        set conn = server.CreateObject("ADODB.Connection")
        conn.connectionstring = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("/db/upload/stelladb.mdb") & ";"
        conn.open
        set rs = server.CreateObject("ADODB.Recordset")
        ' the submitted values are concatenated straight into the SQL text
        sql = "SELECT Count(*) FROM Account WHERE username='" & username & "' AND password='" & password & "'"
        rs.open sql,conn,3,3
        if rs.Fields(0) = 1 then
            session("boolean") = "true"
            response.redirect "main.asp"
        else
            session("boolean") = "false"
            response.write "<center><font class='error'>Error: Invalid Authentication</font></center><br><br>"
        end if
        conn.close
        Set conn = nothing
    end if
end if
%>

Eugene Anthony

*** Sent via Developersdex http://www.developersdex.com ***

#2
June 16th, 2006, 06:45 PM
Kyle Peterson (Guest)
Re: username and password validation

Well, you're not requiring a case-sensitive password, and I think you're open to
SQL injection attacks even with using a count statement, so probably no.



"Eugene Anthony" <solomon_13000@yahoo.com> wrote in message
news:%230IMPIXkGHA.1320@TK2MSFTNGP04.phx.gbl...
> Is this method of validation for password and username considered to be
> secured. In my previous post I was given a solution that uses command
> object and the values are parsed by parameters. But the solution only
> worked well for insert and delete, but not select.
>
> <%
> if Request.QueryString("Action") = 1 then
> username = Trim(request.form("username"))
> password = Trim(request.form("password"))
> if username <> "" and password <> "" then
> set conn = server.CreateObject("ADODB.Connection")
> conn.connectionstring = "Provider=Microsoft.Jet.OLEDB.4.0;Data
> Source=" & Server.MapPath("/db/upload/stelladb.mdb") & ";"
> conn.open
> set rs = server.CreateObject("ADODB.Recordset")
> sql = "SELECT Count(*) FROM Account WHERE username='" &
> username & "' AND password='" & password & "'"
> rs.open sql,conn,3,3
> if rs.Fields(0) = 1 then
> session("boolean") = "true"
> response.redirect "main.asp"
> else
> session("boolean") = "false"
> response.write "<center><font class='error'>Error: Invalid
> Authentication</font></center><br><br>"
> end if
> conn.close
> Set conn = nothing
> end if
> end if
> %>
>
> Eugene Anthony
>
> *** Sent via Developersdex http://www.developersdex.com ***


#3
June 16th, 2006, 07:25 PM
Justin Piper (Guest)
Re: username and password validation

On Fri, 16 Jun 2006 13:24:07 -0500, Eugene Anthony
<solomon_13000@yahoo.com> wrote:
> Is this method of validation for password and username considered to be
> secured.

No, I'm afraid it is not. Your code as written is vulnerable to a
widely-known attack which would allow an attacker to easily log in as any
arbitrary user. The problem is with these lines:
> set rs = server.CreateObject("ADODB.Recordset")
> sql = "SELECT Count(*) FROM Account WHERE username='" &
> username & "' AND password='" & password & "'"
> rs.open sql,conn,3,3

By directly embedding the values of the ``username`` and ``password``
variables in your SQL statement, you are effectively executing arbitrary
code supplied by the client. Instead, you should use the ADO Command
object to pass arguments to a query.

' ADO constants used below (values from adovbs.inc); include that file
' or declare them like this if you have not already
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Set cmd = CreateObject("ADODB.Command")
With cmd
    Set .ActiveConnection = conn
    .CommandType = adCmdText
    ' the statement text is fixed; the two ? placeholders receive the values
    .CommandText = "SELECT COUNT(*) FROM Account WHERE username=? AND password=?"
    .Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 50, username)
    .Parameters.Append cmd.CreateParameter("password", adVarChar, adParamInput, 50, password)
    Set rst = .Execute()
End With

Note that for this example you'll need to declare the ADO constants if you
haven't already. See http://www.aspfaq.com/show.asp?id=2112 if you aren't
familiar with the ADO constants.

--
Justin Piper
Bizco Technologies
http://www.bizco.com/
#4
June 16th, 2006, 08:25 PM
Mike Brind (Guest)
Re: username and password validation


Eugene Anthony wrote:
> Is this method of validation for password and username considered to be
> secured. In my previous post I was given a solution that uses command
> object and the values are parsed by parameters. But the solution only
> worked well for insert and delete, but not select.
>
> <%
> if Request.QueryString("Action") = 1 then
> username = Trim(request.form("username"))
> password = Trim(request.form("password"))
> if username <> "" and password <> "" then
> set conn = server.CreateObject("ADODB.Connection")
> conn.connectionstring = "Provider=Microsoft.Jet.OLEDB.4.0;Data
> Source=" & Server.MapPath("/db/upload/stelladb.mdb") & ";"
> conn.open
> set rs = server.CreateObject("ADODB.Recordset")
> sql = "SELECT Count(*) FROM Account WHERE username='" &
> username & "' AND password='" & password & "'"
> rs.open sql,conn,3,3
> if rs.Fields(0) = 1 then
> session("boolean") = "true"
> response.redirect "main.asp"
> else
> session("boolean") = "false"
> response.write "<center><font class='error'>Error: Invalid
> Authentication</font></center><br><br>"
> end if
> conn.close
> Set conn = nothing
> end if
> end if
> %>
>

If you are uncomfortable using the command object with parameters,
there is a much easier way to do this - use a saved parameter query.

Open your Access database, and go to the Query tab. Choose "Create
Query in Design View". A dialogue box appears asking you to select
tables. Close it. In the top left corner of your menus, you see
"SQL". Click that.

In the new pane that just opened, type (or copy and paste):

SELECT Count(*) FROM Account WHERE username=[p1] AND password=[p2]

Save it as qGetUser.

In your code do this:

<%
if Request.QueryString("Action") = 1 then
    p1= Trim(request.form("username"))
    p2= Trim(request.form("password"))
    if p1<> "" and p2<> "" then
        set conn = server.CreateObject("ADODB.Connection")
        conn.connectionstring = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("/db/upload/stelladb.mdb") & ";"
        conn.open
        set rs = server.CreateObject("ADODB.Recordset")
        ' the saved query is called as a method of the connection: p1 and p2
        ' are its parameters and rs receives the result
        conn.qGetUser p1,p2,rs
        If rs(0) = 1 Then
            session("boolean") = "true"
            .....
etc

Doing it this way means you still don't have to delimit values in
concatenated dynamic SQL (same as the command and parameters), and you
are protected from SQL injection in the same way. It's a lot less code
than the command object version, and if you ever feel the need to
change the name of one of your database fields, you only have to go to
the database to do it - you don't have to chase around ASP code finding
all instances of the old field name.

Saved parameter queries work just as easily for inserts and updates
too.

--
Mike Brind
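
As an added example (not code from Justin's or Mike's posts), here is the same Account query run both ways against a constructed in-memory SQLite table standing in for the Access database; the COLLATE NOCASE columns are an assumption that mimics the case-insensitive text comparison in Jet that Kyle mentioned. It shows why the concatenated form executes text supplied by the client (an ordinary username containing an apostrophe changes the statement) while the parameterised form, which is what both the ADO Command object and the saved parameter query give you, treats the same input purely as data.

```python
import sqlite3

# Constructed sample data standing in for the Account table in stelladb.mdb.
# COLLATE NOCASE mimics Jet's case-insensitive text comparison, so the
# password check is as lenient here as it is in Access.
SCHEMA = """
CREATE TABLE Account (
    username TEXT COLLATE NOCASE,
    password TEXT COLLATE NOCASE
);
"""
SAMPLE_ROWS = [("eugene", "secret"), ("O'Brien", "pa55word")]


def open_sample_db():
    """In-memory database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Account VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def count_concatenated(conn, username, password):
    """The thread's original form: submitted values become part of the SQL text.

    Returns the count, or None when the values altered the statement so that
    the database could no longer parse it.
    """
    sql = ("SELECT Count(*) FROM Account WHERE username='" + username
           + "' AND password='" + password + "'")
    try:
        return conn.execute(sql).fetchone()[0]
    except sqlite3.OperationalError:
        # An ordinary name such as O'Brien ends the string literal early:
        # the input is being interpreted as SQL, not compared as data.
        return None


def count_parameterised(conn, username, password):
    """Command-object / saved-query form: the statement text is fixed and the
    values travel separately as parameters, so input is only ever data."""
    sql = "SELECT Count(*) FROM Account WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()[0]


def login_ok(conn, username, password):
    """Mirrors the thread's rs.Fields(0) = 1 check, on the parameterised query."""
    return count_parameterised(conn, username, password) == 1


if __name__ == "__main__":
    db = open_sample_db()
    for user, pwd in SAMPLE_ROWS:
        print(user, "concatenated:", count_concatenated(db, user, pwd),
              "parameterised:", count_parameterised(db, user, pwd))
```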

#5
June 17th, 2006, 06:15 AM
Eugene Anthony (Guest)
Re: username and password validation

In ASP I did this:

<%
if Request.QueryString("Action") = 1 then
    on error resume next
    p1 = Trim(request.form("username"))
    p2 = Trim(request.form("password"))
    ' test the variables assigned above (p1, p2); username and password
    ' are not assigned anywhere in this page
    if p1 <> "" and p2 <> "" then
        set conn = Server.CreateObject("ADODB.Connection")
        conn.open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("/db/upload/stelladb.mdb") & ";"
        set rs = Server.CreateObject("ADODB.Recordset")
        conn.qGetUser p1,p2,rs
        if rs(0) = 1 then
            session("boolean") = "true"
            response.redirect "main.asp"
        else
            session("boolean") = "false"
            response.write "<center><font class='error'>Error: Invalid authentication</font></center><br><br>"
        end if
        if Err.number <> 0 then
            Response.Write(Err.number & ":" & Err.Description & "<br>")
        end if
        on Error goto 0
        conn.close
        Set conn = nothing
    end if
end if
%>


and in MS Access I created the SQL query:

SELECT Count(*) FROM Account WHERE username=[p1] AND password=[p2]


but when I access the page it's going into a loop.

Eugene Anthony

*** Sent via Developersdex http://www.developersdex.com ***
#6
June 17th, 2006, 06:35 AM
Eugene Anthony (Guest)
Re: username and password validation

I did test qGetUser in MS Access, supplied the values and it works.
However, using ASP it is going into a loop.

Eugene Anthony

*** Sent via Developersdex http://www.developersdex.com ***
#7
June 17th, 2006, 08:15 AM
Mike Brind (Guest)
Re: username and password validation


Eugene Anthony wrote:
> I did test qGetUser in MS Access, supplied the values and it works.
> However using asp it is going into a loop.
>
>

Get rid of on error resume next to see where it goes wrong. On Error
Resume Next has no place in code until it has been fully tested and is
working properly. It hides errors.

Look, the easiest way I find to produce ASP pages is the following:

1. Add Option Explicit statement to the top of a page.
2. Produce ASP code without any html
3. Test and debug
4. Once it's working as it should, add error handling
5. Test and debug
6. Add html (or move tested code to html page already constructed)
7. Test and debug.
8. Once working and ready for deployment, remove Option Explicit
statement

What's the name of the page you have put this code in? Is it main.asp?
Where is the loop? On the Redirect?

--
Mike Brind

#8
June 17th, 2006, 08:45 AM
Eugene Anthony (Guest)
Re: username and password validation

This is the complete code for login.asp. inc_Common.asp contains all the
variables.


<%Option Explicit%>
<!--#INCLUDE FILE="inc_Common.asp" -->
<%
if Request.QueryString("Action") = 1 then
    'on error resume next
    p1 = Trim(request.form("username"))
    p2 = Trim(request.form("password"))
    ' test the variables assigned above (p1, p2); username and password
    ' are not assigned anywhere in this page
    if p1 <> "" and p2 <> "" then
        set conn = Server.CreateObject("ADODB.Connection")
        conn.open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("/db/upload/stelladb.mdb") & ";"
        set rs = Server.CreateObject("ADODB.Recordset")
        conn.qGetUser p1,p2,rs
        if rs(0) = 1 then
            session("boolean") = "true"
            response.redirect "main.asp"
        else
            session("boolean") = "false"
            response.write "<center><font class='error'>Error: Invalid authentication</font></center><br><br>"
        end if
        ' if Err.number <> 0 then
        '     Response.Write(Err.number & ":" & Err.Description & "<br>")
        ' end if
        'on Error goto 0
        conn.close
        Set conn = nothing
    end if
end if
%>
<html>
<head>
<title>Login</title>
</head>
<body bgcolor="#FFFFFF">
<center>
<table width="291" border="0" cellpadding="0" cellspacing="0"
height="20">
<tr>
<td class="header" width="420"><font
class="PopTitle"><center>Login</center></font></td>
</tr>
<tr>
<td height="50">
<br>
<center>
<form name="form1" method="post" action="login.asp?Action=1">
<table border="0" cellpadding="2" cellspacing="0" width="223">
<tr>
<td width="150">Username</td>
<td width="148">
<input type="text" name="username" style="background:#FFFFF9; border:1px solid;" size="20">
</td>
</tr>
<tr>
<td width="150">Password</td>
<td width="148">
<input type="password" name="password" style="background:#FFFFF9; border:1px solid;" size="20">
</td>
</tr>
<tr>
<td width="298" colspan="2">
<table border="0" cellpadding="2" cellspacing="0"
width="100%">
<tr>
<td width="25%"></td>
<td width="25%">
<input type="Submit" style="background:EEEEEE;
border:1px solid; " value="Submit" name="Submit">
</td>
<td width="22%">
<input type="Reset" value="Reset"
style="background:EEEEEE; border:1px solid; " size="20" name="Reset">
</td>
<td width="28%"></td>
</tr>
</table>
</td>
</tr>
</table>
</form>
</center>
</td>
</tr>
</table>
</center>
</body>
</html>


Eugene Anthony

*** Sent via Developersdex http://www.developersdex.com ***
#9
June 17th, 2006, 09:05 AM
Eugene Anthony (Guest)
Re: username and password validation

I found the error:

In my <!--#INCLUDE FILE="inc_Common.asp" -->

I have this code

<%
if session("boolean") = "false" or session("boolean") = "" then
response.redirect "login.asp"
end if
%>

and this caused the problem.

Eugene Anthony

*** Sent via Developersdex http://www.developersdex.com ***
#10
June 17th, 2006, 01:25 PM
Bob Barrows [MVP] (Guest)
Re: username and password validation

Justin Piper wrote:
> By directly embedding the values of the ``username`` and ``password``
> variables in your SQL statement, you are effectively executing
> arbitrary code supplied by the client. Instead, you should use the
> ADO Command object to pass arguments to a query.
>
> Set cmd = CreateObject("ADODB.Command")
> With cmd
> Set .ActiveConnection = conn
> .CommandType = adCmdText
> .CommandText = "SELECT COUNT(*) FROM Account WHERE username=?
> AND password=?"
> .Parameters.Append cmd.CreateParameter("username", adVarChar,
> adParamInput, 50, username)
> .Parameters.Append cmd.CreateParameter("password", adVarChar,
> adParamInput, 50, password)
> Set rst = .Execute()
> End With
>

It can be done more simply than this, especially with Jet which does not
support output or return parameters:
http://groups-beta.google.com/group/...e36562fee7804e

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"


#11
June 18th, 2006, 03:07 PM
sashi (Expert)

Hi guys,

The scripts seem OK to me; they need a little tidy-up, I guess. My suggestions are as below:

1.) Protect the .mdb file with a password
2.) Set the Session.Timeout value, in case of an idle session
3.) Encrypt user passwords


Below is my script; check it out.
'//--- inc_connection ---
<%
DIM ObjCon
Set ObjCon = Server.CreateObject("ADODB.Connection")
ObjCon.Open ("Provider=Microsoft.Jet.OLEDB.4.0;Persist Security Info=False;Jet OLEDB:Database Password=xyz;Data Source=" & Server.MapPath("../db/eduguide.mdb"))
%>

'//--- inc_authenticate.asp ---
<%@ LANGUAGE="VBSCRIPT" %>
<!--#INCLUDE FILE="inc_connection.asp" -->
<!--#INCLUDE FILE="inc_encryption.asp" -->
<%
Dim myAccountNo, Message, Action,ID,UID,PWD,ACL,EMAILID, nNewsID, nNewsSummary
myAccountNo = Session("myAccountNo")
Message = Session("Message")
Session("Message") = ""
Action = Session("Action")
ID = Session("ID")
UID = Session("UID")
PWD = Session("PWD")
ACL = Session("ACL")
EMAILID = Session("EMAILID")
%>
<%
dim URL_Link
dim myname, mypassword
dim cnpath, sSQL, TMPSQL
dim objRS, objUpdateRec
myname=request.form("txtUsername")
mypassword=request.form("txtPassword")
URL_Link = Request.ServerVariables("HTTP_REFERER")
if myname = "Username" or myname = "" then
Session("Message") = "Check username"
Response.Redirect URL_Link
elseif mypassword = "Password" or mypassword= "" then
Session("Message") = "Check password"
Response.Redirect URL_Link
end if
' Pass the submitted username as a query parameter instead of concatenating
' it into the SQL text (the same injection problem raised earlier in this thread)
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1
Dim objCmd
Set objCmd = Server.CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objCon
objCmd.CommandType = adCmdText
objCmd.CommandText = "SELECT * FROM sSECURITYTBL WHERE USERNAME=?"
objCmd.Parameters.Append objCmd.CreateParameter("username", adVarChar, adParamInput, 50, myname)
set objRS = objCmd.Execute
If objRS.EOF then
objRS.close
objCon.close
set objRS=nothing
set objCon=nothing
Session("Message") = "Invalid username"
'Response.Redirect URL_Link"?error=" & Server.URLEncode(Message)
Response.Redirect URL_Link
end if
If objRS("password")= pEncrypt(mypassword) then
'The default value is 10 minutes
Session.Timeout = 10
'Note: this writes the submitted password in clear text into a browser cookie that lives for a month
If Request.Form("chkRememberMe") = "True" Then
Response.Cookies("Username") = Request.Form("txtUsername")
Response.Cookies("Username").Expires = DateAdd("m", 1, Now())
Response.Cookies("Password") = Request.Form("txtPassword")
Response.Cookies("Password").Expires = DateAdd("m", 1, Now())
end if
If Request.Form("chkRememberMe") = "" Then
Response.Cookies("Username") = ""
Response.Cookies("Username").Expires = DateAdd("m", -3, Now())
Response.Cookies("Password") = ""
Response.Cookies("Password").Expires = DateAdd("m", -3, Now())
end if
'If they made it here, they logged in successfully,
'so set the value of the LoggedIn session variables
Session("LoggedIn") = "yes"
'Reroute users to appropriate page based on their access level
if objRS("accesslevel")="administrator" then
Session("isAdminLogin") = "yes"
Session("Action")= "main"
Session("ID") = objRS("ID")
Session("UID")=objRS("Username")
Session("PWD")=objRS("Password")
Session("ACL")=objRS("AccessLevel")
Session("EMAILID")=objRS("Email")
Response.redirect "../admin/default.asp"
elseif objRS("accesslevel")="educator" then
Session("Action")= "main"
Session("myAccountNo") = objRS("vAccount_No")
Session("ID") = objRS("ID")
Session("UID")=objRS("Username")
Session("PWD")=objRS("Password")
Session("ACL")=objRS("AccessLevel")
Session("EMAILID")=objRS("Email")
Response.redirect "../admin/educator/default.asp"
elseif objRS("accesslevel")="supplier" then
Session("Action")= "main"
Session("myAccountNo") = objRS("vAccount_No")
Session("ID") = objRS("ID")
Session("UID")=objRS("Username")
Session("PWD")=objRS("Password")
Session("ACL")=objRS("AccessLevel")
Session("EMAILID")=objRS("Email")
Response.redirect "../admin/supplier/default.asp"
end if
objRS.Close
objCon.Close
set objRS=nothing
set objCon=nothing
else
objRS.Close
objCon.Close
set objRS=nothing
set objCon=nothing
Session("Message") = "Invalid password"
'Response.Redirect URL_Link"?error=" & Server.URLEncode(Message)
Response.Redirect URL_Link
end if
%>

Last edited by sashi; June 18th, 2006 at 03:09 PM.
#12
June 19th, 2006, 04:05 PM
Justin Piper (Guest)
Re: username and password validation

On Sat, 17 Jun 2006 03:13:17 -0500, Mike Brind <paxtonend@hotmail.com>
wrote:
> 8. Once working and ready for deployment, remove Option Explicit
> statement

I've never heard such advice. What do you gain by doing this?

--
Justin Piper
Bizco Technologies
http://www.bizco.com/
#13
June 19th, 2006, 04:55 PM
Dave Anderson (Guest)
Re: username and password validation

Justin Piper wrote:
>> 8. Once working and ready for deployment, remove Option
>> Explicit statement
>
> I've never heard such advice. What do you gain by doing this?

A few CPU cycles. And probably a bad habit.

As Eric Lippert has written[1], VBScript performance is vastly improved when
variables are explicitly declared. I have seen suggestions[2] that removing
Option Explicit from your code eliminates one parsing step during script
execution and does not harm performance as long as the script would function
with the declaration intact.

IMO, if you are that desperate for performance improvement, VBScript is the
wrong language for you anyway.




[1] http://groups.google.com/groups?oi=d...m=an_558784968
[2] Among others,
http://groups.google.com/group/micro...3958ec80?hl=en


--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.


#14
June 19th, 2006, 05:25 PM
Justin Piper (Guest)
Re: username and password validation

On Mon, 19 Jun 2006 11:51:12 -0500, Dave Anderson
<NYRUMTPELVWH@spammotel.com> wrote:
> Justin Piper wrote:
>>> 8. Once working and ready for deployment, remove Option
>>> Explicit statement
>>
>> I've never heard such advice. What do you gain by doing this?
>
> A few CPU cycles. And probably a bad habit.
>
> As Eric Lippert has written[1], VBScript performance is vastly improved
> when
> variables are explicitly declared. I have seen suggestions[2] that
> removing
> Option Explicit from your code eliminates one parsing step during script
> execution and does not harm performance as long as the script would
> function
> with the declaration intact.

Has this ever been corroborated, though? Or even profiled? It's one thing
for Eric Lippert to say how something works, performance-wise. It's quite
another for some guy who knows a guy who went to an ASP developer
conference to say it.

I can't even see how it would work. If omitting Option Explicit causes the
parser to skip the pass where it checks for declared variables, then it
wouldn't have an opportunity to build the name tables Eric describes, and
it would have to fall back on the hunt-all-over-everywhere strategy. It
sounds like complete bunk to me.
> IMO, if you are that desperate for performance improvement, VBScript is
> the
> wrong language for you anyway.

Indeed. By the time you're optimising for the /parser/ you should be
investigating other options. Doesn't IIS cache script environments, anyway?
> [1] http://groups.google.com/groups?oi=d...m=an_558784968
> [2] Among others,
> http://groups.google.com/group/micro...3958ec80?hl=en


--
Justin Piper
Bizco Technologies
http://www.bizco.com/
#15
June 19th, 2006, 06:05 PM
Dave Anderson (Guest)
Re: username and password validation

Justin Piper wrote:
> I can't even see how it would work. If omitting Option
> Explicit causes the parser to skip the pass where it checks
> for declared variables, then it wouldn't have an opportunity
> to build the name tables Eric describes, and it would have
> to fall back on the hunt-all-over-everywhere strategy. It
> sounds like complete bunk to me.

I don't think it's possible for the parser to not parse the script, Option
Explicit or not. I have read Lippert's post carefully, and I don't see
anything to suggest that. And I believe this sentence suggests the opposite:

"By forcing you to declare locals, Option Explicit makes you write
faster code."

Lippert seems to be saying that it is the variable declaration, and not the
Option Explicit directive, that matters.



--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.


#16
June 19th, 2006, 07:25 PM
Justin Piper (Guest)
Re: username and password validation

On Mon, 19 Jun 2006 13:01:51 -0500, Dave Anderson
<NYRUMTPELVWH@spammotel.com> wrote:
> Justin Piper wrote:
>> I can't even see how it would work. If omitting Option
>> Explicit causes the parser to skip the pass where it checks
>> for declared variables, then it wouldn't have an opportunity
>> to build the name tables Eric describes, and it would have
>> to fall back on the hunt-all-over-everywhere strategy. It
>> sounds like complete bunk to me.
>
> I don't think it's possible for the parser to not parse the script,
> Option
> Explicit or not.

Well, if I understand the claim against using Option Explicit correctly,
it's that with it enabled there are two passes, one looking exclusively
for Dim statements and one that processes the script. It's possible that
it works that way, but it would be a very peculiar thing to do.

--
Justin Piper
Bizco Technologies
http://www.bizco.com/
 
