473,554 Members | 3,078 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

username and password validation

Is this method of validation for password and username considered to be
secured. In my previous post I was given a solution that uses command
object and the values are parsed by parameters. But the solution only
worked well for insert and delete, but not select.

<%
if Request.QuerySt ring("Action") = 1 then
username = Trim(request.fo rm("username") )
password = Trim(request.fo rm("password") )
if username <> "" and password <> "" then
set conn = server.CreateOb ject("ADODB.Con nection")
conn.connection string = "Provider=Micro soft.Jet.OLEDB. 4.0;Data
Source=" & Server.MapPath( "/db/upload/stelladb.mdb") & ";"
conn.open
set rs = server.CreateOb ject("ADODB.Rec ordset")
sql = "SELECT Count(*) FROM Account WHERE username='" &
username & "' AND password='" & password & "'"
rs.open sql,conn,3,3
if rs.Fields(0) = 1 then
session("boolea n") = "true"
response.redire ct "main.asp"
else
session("boolea n") = "false"
response.write "<center><f ont class='error'>E rror: Invalid
Authentication</font></center><br><br> "
end if
conn.close
Set conn = nothing
end if
end if
%>

Eugene Anthony

*** Sent via Developersdex http://www.developersdex.com ***
Jun 16 '06 #1
15 9709
well, your not requiring a case sensative password and I think your open to
SQL injection attacks even with using a count statement so probably no

"Eugene Anthony" <so***********@ yahoo.com> wrote in message
news:%2******** ********@TK2MSF TNGP04.phx.gbl. ..
Is this method of validation for password and username considered to be
secured. In my previous post I was given a solution that uses command
object and the values are parsed by parameters. But the solution only
worked well for insert and delete, but not select.

<%
if Request.QuerySt ring("Action") = 1 then
username = Trim(request.fo rm("username") )
password = Trim(request.fo rm("password") )
if username <> "" and password <> "" then
set conn = server.CreateOb ject("ADODB.Con nection")
conn.connection string = "Provider=Micro soft.Jet.OLEDB. 4.0;Data
Source=" & Server.MapPath( "/db/upload/stelladb.mdb") & ";"
conn.open
set rs = server.CreateOb ject("ADODB.Rec ordset")
sql = "SELECT Count(*) FROM Account WHERE username='" &
username & "' AND password='" & password & "'"
rs.open sql,conn,3,3
if rs.Fields(0) = 1 then
session("boolea n") = "true"
response.redire ct "main.asp"
else
session("boolea n") = "false"
response.write "<center><f ont class='error'>E rror: Invalid
Authentication</font></center><br><br> "
end if
conn.close
Set conn = nothing
end if
end if
%>

Eugene Anthony

*** Sent via Developersdex http://www.developersdex.com ***

Jun 16 '06 #2
On Fri, 16 Jun 2006 13:24:07 -0500, Eugene Anthony
<so***********@ yahoo.com> wrote:
Is this method of validation for password and username considered to be
secured.
No, I'm afraid it is not. Your code as written is vulnerable to a
widely-known attack which would allow an attacker to easily log in as any
arbitrary user. The problem is with these lines:
set rs = server.CreateOb ject("ADODB.Rec ordset")
sql = "SELECT Count(*) FROM Account WHERE username='" &
username & "' AND password='" & password & "'"
rs.open sql,conn,3,3


By directly embedding the values of the ``username`` and ``password``
variables in your SQL statement, you are effectively executing arbitrary
code supplied by the client. Instead, you should use the ADO Command
object to pass arguments to a query.

Set cmd = CreateObject("A DODB.Command")
With cmd
Set .ActiveConnecti on = conn
.CommandType = adCmdText
.CommandText = "SELECT COUNT(*) FROM Account WHERE username=? AND
password=?"
.Parameters.App end cmd.CreateParam eter("username" , adVarChar,
adParamInput, 50, username)
.Parameters.App end cmd.CreateParam eter("password" , adVarChar,
adParamInput, 50, password)
Set rst = .Execute()
End With

Note that for this example you'll need to declare the ADO constants if you
haven't already. See http://www.aspfaq.com/show.asp?id=2112 if you aren't
familiar with the ADO constants.

--
Justin Piper
Bizco Technologies
http://www.bizco.com/
Jun 16 '06 #3

Eugene Anthony wrote:
Is this method of validation for password and username considered to be
secured. In my previous post I was given a solution that uses command
object and the values are parsed by parameters. But the solution only
worked well for insert and delete, but not select.

<%
if Request.QuerySt ring("Action") = 1 then
username = Trim(request.fo rm("username") )
password = Trim(request.fo rm("password") )
if username <> "" and password <> "" then
set conn = server.CreateOb ject("ADODB.Con nection")
conn.connection string = "Provider=Micro soft.Jet.OLEDB. 4.0;Data
Source=" & Server.MapPath( "/db/upload/stelladb.mdb") & ";"
conn.open
set rs = server.CreateOb ject("ADODB.Rec ordset")
sql = "SELECT Count(*) FROM Account WHERE username='" &
username & "' AND password='" & password & "'"
rs.open sql,conn,3,3
if rs.Fields(0) = 1 then
session("boolea n") = "true"
response.redire ct "main.asp"
else
session("boolea n") = "false"
response.write "<center><f ont class='error'>E rror: Invalid
Authentication</font></center><br><br> "
end if
conn.close
Set conn = nothing
end if
end if
%>


If you are uncomfortable using the command object with parameters,
there is a much easier way to do this - use a saved parameter query.

Open your Access database, and go to the Query tab. Choose "Create
Query in Design View". A dialogue box appears offering you to select
tables. Close it. In the top left corner of your menus, you see
"SQL". Click that.

In the new pane that just opened, type (or copy and paste):

SELECT Count(*) FROM Account WHERE username=[p1] AND password=[p2]

Save it as qGetUser.

In your code do this:

<%
if Request.QuerySt ring("Action") = 1 then
p1= Trim(request.fo rm("username") )
p2= Trim(request.fo rm("password") )
if p1<> "" and p2<> "" then
set conn = server.CreateOb ject("ADODB.Con nection")
conn.connection string = "Provider=Micro soft.Jet.OLEDB. 4.0;Data
Source=" & Server.MapPath( "/db/upload/stelladb.mdb") & ";"
conn.open
set rs = server.CreateOb ject("ADODB.Rec ordset")
conn.qGetUser p1,p2,rs
If rs(0) = 1 Then
session("boolea n") = "true"
.....
etc

Doing it this way means you still don't have to delimit values in
concatenated dynamic sql (same as the command and parameters), and you
are protected from sql injection in the same way. It's a lot less code
that the command object version, and if you ever feel the need to
change the name of one of your database fileds, you only have ot go to
the database to do it - you son't have ot chase around ASP code finding
all instances of the old field name.

Saved parameter queries work just as easily for inserts and updates
too.

--
Mike Brind

Jun 16 '06 #4
In asp I did this:

<%
if Request.QuerySt ring("Action") = 1 then
on error resume next
p1 = Trim(request.fo rm("username") )
p2 = Trim(request.fo rm("password") )
if username <> "" and password <> "" then
set conn = Server.CreateOb ject("ADODB.Con nection")
conn.open "Provider=Micro soft.Jet.OLEDB. 4.0;Data Source=" &
Server.MapPath( "/db/upload/stelladb.mdb") & ";"
set rs = Server.CreateOb ject("ADODB.Rec ordset")
conn.qGetUser p1,p2,rs
if rs(0) = 1 then
session("boolea n") = "true"
response.redire ct "main.asp"
else
session("boolea n") = "false"
response.write "<center><f ont class='error'>E rror: Invalid
authentication</font></center><br><br> "
end if
if Err.number <> 0 then
Response.Write( Err.number & ":" & Err.Description & "<br>")
end if
on Error goto 0
conn.close
Set conn = nothing
end if
end if
%>
and in ms access I created the sql query:

SELECT Count(*) FROM Account WHERE username=[p1] AND password=[p2]
but when I access the page its going into a loop.

Eugene Anthony

*** Sent via Developersdex http://www.developersdex.com ***
Jun 17 '06 #5
I did test qGetUser in MS Access, supplied the values and it works.
However using asp it is going into a loop.

Eugene Anthony

*** Sent via Developersdex http://www.developersdex.com ***
Jun 17 '06 #6

Eugene Anthony wrote:
I did test qGetUser in MS Access, supplied the values and it works.
However using asp it is going into a loop.


Get rid of on error resume next to see where it goes wrong. On Error
Resume Next has no place in code until it has been fully tested and is
working properly. It hides errors.

Look, the easiest way I find to produce ASP pages is the following:

1. Add Option Explicit statement to the top of a page.
2. Produce ASP code without any html
3. Test and debug
4. Once it's working as it should, add error handling
5. Test and debug
6. Add html (or move tested code to html page already constructed)
7. Test and debug.
8. Once working and ready for deployment, remove Option Explicit
statement

What's the name of the page you have put this code in? Is it main.asp?
Where is the loop? On the Redirect?

--
Mike Brind

Jun 17 '06 #7
This is the complete code for login.asp. inc_Common.asp contains all the
variable.
<%Option Explicit%>
<!--#INCLUDE FILE="inc_Commo n.asp" -->
<%
if Request.QuerySt ring("Action") = 1 then
'on error resume next
p1 = Trim(request.fo rm("username") )
p2 = Trim(request.fo rm("password") )
if username <> "" and password <> "" then
set conn = Server.CreateOb ject("ADODB.Con nection")
conn.open "Provider=Micro soft.Jet.OLEDB. 4.0;Data Source=" &
Server.MapPath( "/db/upload/stelladb.mdb") & ";"
set rs = Server.CreateOb ject("ADODB.Rec ordset")
conn.qGetUser p1,p2,rs
if rs(0) = 1 then
session("boolea n") = "true"
response.redire ct "main.asp"
else
session("boolea n") = "false"
response.write "<center><f ont class='error'>E rror: Invalid
authentication</font></center><br><br> "
end if
' if Err.number <> 0 then
' Response.Write( Err.number & ":" & Err.Description & "<br>")
' end if
'on Error goto 0
conn.close
Set conn = nothing
end if
end if
%>
<html>
<head>
<title>Login</title>
</head>
<body bgcolor="#FFFFF F">
<center>
<table width="291" border="0" cellpadding="0" cellspacing="0"
height="20">
<tr>
<td class="header" width="420"><fo nt
class="PopTitle "><center>Login </center></font></td>
</tr>
<tr>
<td height="50">
<br>
<center>
<form name="form1" method="post" action="login.a sp?Action=1">
<table border="0" cellpadding="2" cellspacing="0" width="223">
<tr>
<td width="150">Use rname</td>
<td width="148">
<input type="text" name="username"
style="backgrou nd:FFFFF9; border:1px solid; size="20" size="20">
</td>
</tr>
<tr>
<td width="150">Pas sword</td>
<td width="148">
<input type="password" name="password"
style="backgrou nd:FFFFF9; border:1px solid; size="20" size="20">
</td>
</tr>
<tr>
<td width="298" colspan="2">
<table border="0" cellpadding="2" cellspacing="0"
width="100%">
<tr>
<td width="25%"></td>
<td width="25%">
<input type="Submit" style="backgrou nd:EEEEEE;
border:1px solid; " value="Submit" name="Submit">
</td>
<td width="22%">
<input type="Reset" value="Reset"
style="backgrou nd:EEEEEE; border:1px solid; " size="20" name="Reset">
</td>
<td width="28%"></td>
</tr>
</table>
</td>
</tr>
</table>
</form>
</center>
</td>
</tr>
</table>
</center>
</body>
</html>
Eugene Anthony

*** Sent via Developersdex http://www.developersdex.com ***
Jun 17 '06 #8
I found the error:

In my <!--#INCLUDE FILE="inc_Commo n.asp" -->

I have this code

<%
if session("boolea n") = "false" or session("boolea n") = "" then
response.redire ct "login.asp"
end if
%>

and this caused the problem.

Eugene Anthony

*** Sent via Developersdex http://www.developersdex.com ***
Jun 17 '06 #9
Justin Piper wrote:
By directly embedding the values of the ``username`` and ``password``
variables in your SQL statement, you are effectively executing
arbitrary code supplied by the client. Instead, you should use the
ADO Command object to pass arguments to a query.

Set cmd = CreateObject("A DODB.Command")
With cmd
Set .ActiveConnecti on = conn
.CommandType = adCmdText
.CommandText = "SELECT COUNT(*) FROM Account WHERE username=?
AND password=?"
.Parameters.App end cmd.CreateParam eter("username" , adVarChar,
adParamInput, 50, username)
.Parameters.App end cmd.CreateParam eter("password" , adVarChar,
adParamInput, 50, password)
Set rst = .Execute()
End With


It can be done more simply than this, especially with Jet which does not
support output or return parameters:
http://groups-beta.google.com/group/...e36562fee7804e

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Jun 17 '06 #10

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

4
6051
by: Lobang Trader | last post by:
Hi all, I am trying to create a username and a password class. I would like to know what are the RECOMMENDED minimum and maximum length for both fields? These fields will be something like this: private static final int DEFAULT_MINIMUM_LENGTH = ??????
2
18552
by: john brown | last post by:
There is a web page that I access frequently and would like to automate the authentication of the username and password. I would like to user a perl script but I'm not really sure about the steps. If someone could point me in the right direction. I don't know if it's this simple but wouldn't it just be a matter of using the LWP module. ...
1
11735
by: brijesh | last post by:
i am relatively new to javascript i am trying for a password validation code but iam not able to stop the page from loading the page when the password is wrong. the code is as below ------------------ <html> <head> <title>New User</title> <script language = "JavaScript"> function validatePasswords() {
1
4009
by: thoducng | last post by:
I am writing some code to access share folder on a remote network. DirectoryInfo dicInfo = new DirectoryInfo("remoteNetwork\shareFolder"); if (dicInfo.Exists) { //application code followed
12
4130
by: Cecil | last post by:
Does this make sense for a logon table: CREATE TABLE Logon ( ID INT NOT NULL IDENTITY PRIMARY KEY, name VARCHAR(15) NOT NULL, password VARCHAR(15) NOT NULL ) GO CREATE UNIQUE INDEX IX_Logon_Name ON Logon(name)
0
1286
by: nemo | last post by:
I've included a list of username/password combinations in the Web.Config file and I've a simple aspx page with a username and password field for the users to log in. While the password field seems to be case sensitive, the username field is not. How can I force the username field to be case sensitive, i.e. match exactly what I have on the...
4
4708
by: nemo | last post by:
I've included a list of username/password combinations in the Web.Config file and I've a simple .aspx page with a username and password field for the users to log in. While the password field is automatically case sensitive, the username field is not. How can I force the username field to be case sensitive, i.e. match exactly what I have on...
1
8436
by: webmechanic | last post by:
I have a photo gallery site and would like to 1. validate login information(username & password) 2. logout user due to inactivity for certain amount of time 3. Create logout button Please provide tutorial or thorough explanation. Thanks.
5
4139
by: livefreeordie | last post by:
Hi, I'm part of a 5-person team that develops websites for our company. I need to use the ftp_* functions to find some files on another file server. I need to authenticate to the file server using my username & password but I don't want to have it right there in the script in plain text. Any suggestions?
0
7493
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language...
0
8008
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that...
1
7526
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For...
0
7854
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the...
0
6113
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then...
1
5411
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes...
0
5133
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert...
1
1992
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
0
808
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.