Is this method of validation for password and username considered to be
secured. In my previous post I was given a solution that uses command
object and the values are parsed by parameters. But the solution only
worked well for insert and delete, but not select.
<%
if Request.QuerySt ring("Action") = 1 then
username = Trim(request.fo rm("username") )
password = Trim(request.fo rm("password") )
if username <> "" and password <> "" then
set conn = server.CreateOb ject("ADODB.Con nection")
conn.connection string = "Provider=Micro soft.Jet.OLEDB. 4.0;Data
Source=" & Server.MapPath( "/db/upload/stelladb.mdb") & ";"
conn.open
set rs = server.CreateOb ject("ADODB.Rec ordset")
sql = "SELECT Count(*) FROM Account WHERE username='" &
username & "' AND password='" & password & "'"
rs.open sql,conn,3,3
if rs.Fields(0) = 1 then
session("boolea n") = "true"
response.redire ct "main.asp"
else
session("boolea n") = "false"
response.write "<center><f ont class='error'>E rror: Invalid
Authentication</font></center><br><br> "
end if
conn.close
Set conn = nothing
end if
end if
%>
Eugene Anthony
*** Sent via Developersdex http://www.developersdex.com ***
Jun 16 '06
15 9743 sashi 1,754
Recognized Expert Top Contributor
Hi guys,
the scripts seems to be ok with me.. it needs a little tidy up.. i guess.. well.. my suggestions will be as below;
1.) protect the .mdb file with a password
2.) set the session.timeout value - incase of idle session
3.) encrypt user password
below is the my script.. check it out..
'//--- inc_connection ---
<%
DIM ObjCon
Set ObjCon = Server.CreateOb ject("ADODB.Con nection")
ObjCon.Open ("Provider=Micr osoft.Jet.OLEDB .4.0;Persist Security Info=False;Jet OLEDB:Database Password=xyz;Da ta Source=" & Server.MapPath( "../db/eduguide.mdb"))
%>
'//--- inc_authenticat e.asp ---
<%@ LANGUAGE="VBSCR IPT" %>
<!--#INCLUDE FILE="inc_conne ction.asp" -->
<!--#INCLUDE FILE="inc_encry ption.asp" -->
<%
Dim myAccountNo, Message, Action,ID,UID,P WD,ACL,EMAILID, nNewsID, nNewsSummary
myAccountNo = Session("myAcco untNo")
Message = Session("Messag e")
Session("Messag e") = ""
Action = Session("Action ")
ID = Session("ID")
UID = Session("UID")
PWD = Session("PWD")
ACL = Session("ACL")
EMAILID = Session("EMAILI D")
%>
<%
dim URL_Link
dim myname, mypassword
dim cnpath, sSQL, TMPSQL
dim objRS, objUpdateRec
myname=request. form("txtUserna me")
mypassword=requ est.form("txtPa ssword")
URL_Link = Request.ServerV ariables("HTTP_ REFERER")
if myname = "Username" or myname = "" then
Session("Messag e") = "Check username"
Response.Redire ct URL_Link
elseif mypassword = "Password" or mypassword= "" then
Session("Messag e") = "Check password"
Response.Redire ct URL_Link
end if
sSQL ="SELECT * FROM sSECURITYTBL WHERE USERNAME='"
sSQL = sSQL & myname & "'"
set objRS=objCon.ex ecute(sSQL)
If objRS.EOF then
objRS.close
objCon.close
set objRS=nothing
set objCon=nothing
Session("Messag e") = "Invalid username"
'Response.Redir ect URL_Link"?error =" & Server.URLEncod e(Message)
Response.Redire ct URL_Link
end if
If objRS("password ")= pEncrypt(mypass word) then
'The default value is 10 minutes
Session.Timeout = 10
If Request.Form("c hkRememberMe") = "True" Then
Response.Cookie s("Username") = Request.Form("t xtUsername")
Response.Cookie s("Username").E xpires = DateAdd("m", 1, Now())
Response.Cookie s("Password") = Request.Form("t xtPassword")
Response.Cookie s("Password").E xpires = DateAdd("m", 1, Now())
end if
If Request.Form("c hkRememberMe") = "" Then
Response.Cookie s("Username") = ""
Response.Cookie s("Username").E xpires = DateAdd("m", -3, Now())
Response.Cookie s("Password") = ""
Response.Cookie s("Password").E xpires = DateAdd("m", -3, Now())
end if
'If they made it here, they logged in successfully,
'so set the value of the LoggedIn session variables
Session("Logged In") = "yes"
'Reroute users to appropriate page based on their access level
if objRS("accessle vel")="administ rator" then
Session("isAdmi nLogin") = "yes"
Session("Action ")= "main"
Session("ID") = objRS("ID")
Session("UID")= objRS("Username ")
Session("PWD")= objRS("Password ")
Session("ACL")= objRS("AccessLe vel")
Session("EMAILI D")=objRS("Emai l")
Response.redire ct "../admin/default.asp"
elseif objRS("accessle vel")="educator " then
Session("Action ")= "main"
Session("myAcco untNo") = objRS("vAccount _No")
Session("ID") = objRS("ID")
Session("UID")= objRS("Username ")
Session("PWD")= objRS("Password ")
Session("ACL")= objRS("AccessLe vel")
Session("EMAILI D")=objRS("Emai l")
Response.redire ct "../admin/educator/default.asp"
elseif objRS("accessle vel")="supplier " then
Session("Action ")= "main"
Session("myAcco untNo") = objRS("vAccount _No")
Session("ID") = objRS("ID")
Session("UID")= objRS("Username ")
Session("PWD")= objRS("Password ")
Session("ACL")= objRS("AccessLe vel")
Session("EMAILI D")=objRS("Emai l")
Response.redire ct "../admin/supplier/default.asp"
end if
objRS.Close
objCon.Close
set objRS=nothing
set objCon=nothing
else
objRS.Close
objCon.Close
set objRS=nothing
set objCon=nothing
Session("Messag e") = "Invalid password"
'Response.Redir ect URL_Link"?error =" & Server.URLEncod e(Message)
Response.Redire ct URL_Link
end if
%>
On Sat, 17 Jun 2006 03:13:17 -0500, Mike Brind <pa*******@hotm ail.com>
wrote: 8. Once working and ready for deployment, remove Option Explicit statement
I've never heard such advice. What do you gain by doing this?
--
Justin Piper
Bizco Technologies http://www.bizco.com/
Justin Piper wrote: 8. Once working and ready for deployment, remove Option Explicit statement
I've never heard such advice. What do you gain by doing this?
A few CPU cycles. And probably a bad habit.
As Eric Lippert has written[1], VBScript performance is vastly improved when
variables are explicitly declared. I have seen suggestions[2] that removing
Option Explicit from your code eliminates one parsing step during script
execution and does not harm performance as long as the script would function
with the declaration intact.
IMO, if you are that desperate for performance improvement, VBScript is the
wrong language for you anyway.
[1] http://groups.google.com/groups?oi=d...m=an_558784968
[2] Among others, http://groups.google.com/group/micro...3958ec80?hl=en
--
Dave Anderson
Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
On Mon, 19 Jun 2006 11:51:12 -0500, Dave Anderson
<NY**********@s pammotel.com> wrote: Justin Piper wrote: 8. Once working and ready for deployment, remove Option Explicit statement I've never heard such advice. What do you gain by doing this?
A few CPU cycles. And probably a bad habit.
As Eric Lippert has written[1], VBScript performance is vastly improved when variables are explicitly declared. I have seen suggestions[2] that removing Option Explicit from your code eliminates one parsing step during script execution and does not harm performance as long as the script would function with the declaration intact.
Has this ever been corraborated, though? Or even profiled? It's one thing
for Eric Lippert to say how something works, performance-wise. It's quite
another for some guy who knows a guy who went to an ASP developer
conference to say it.
I can't even see how it would work. If omitting Option Explicit causes the
parser to skip the pass where it checks for declared variables, then it
wouldn't have an opportunity to build the name tables Eric describes, and
it would have to fall back on the hunt-all-over-everywhere strategy. It
sounds like complete bunk to me.
IMO, if you are that desperate for performance improvement, VBScript is the wrong language for you anyway.
Indeed. By the time you're optimising for the /parser/ you should be
investigating other options. Doesn't IIS cache script environments, anyway?
[1] http://groups.google.com/groups?oi=d...m=an_558784968 [2] Among others, http://groups.google.com/group/micro...3958ec80?hl=en
--
Justin Piper
Bizco Technologies http://www.bizco.com/
Justin Piper wrote: I can't even see how it would work. If omitting Option Explicit causes the parser to skip the pass where it checks for declared variables, then it wouldn't have an opportunity to build the name tables Eric describes, and it would have to fall back on the hunt-all-over-everywhere strategy. It sounds like complete bunk to me.
I don't think it's possible for the parser to not parse the script, Option
Explicit or not. I have read Lippert's post carefully, and I don't see
anything to suggest that. And I believe this sentence suggests the opposite:
"By forcing you to declare locals, Option Explicit makes you write
faster code."
Lippert seems to be saying that it is the variable declaration, and not the
Option Explicit directive, that matters.
--
Dave Anderson
Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
On Mon, 19 Jun 2006 13:01:51 -0500, Dave Anderson
<NY**********@s pammotel.com> wrote: Justin Piper wrote: I can't even see how it would work. If omitting Option Explicit causes the parser to skip the pass where it checks for declared variables, then it wouldn't have an opportunity to build the name tables Eric describes, and it would have to fall back on the hunt-all-over-everywhere strategy. It sounds like complete bunk to me.
I don't think it's possible for the parser to not parse the script, Option Explicit or not.
Well, if I understand the claim against using Option Explicit correctly,
it's that with it enabled there are two passes, one looking for
exclusively for Dim statements and one that processes the script. It's
possible that it works that way, but it would be a very peculiar thing to
do.
--
Justin Piper
Bizco Technologies http://www.bizco.com/ This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: Lobang Trader |
last post by:
Hi all,
I am trying to create a username and a password class.
I would like to know what are the RECOMMENDED minimum and maximum length
for both fields?
These fields will be something like this:
private static final int DEFAULT_MINIMUM_LENGTH = ??????
|
by: john brown |
last post by:
There is a web page that I access frequently and would like to
automate the authentication of the username and password. I would
like to user a perl script but I'm not really sure about the steps.
If someone could point me in the right direction. I don't know if
it's this simple but wouldn't it just be a matter of using the LWP
module. Calling the webpage and passing in the parameters? Any help
would be appreciated.
<html>...
|
by: brijesh |
last post by:
i am relatively new to javascript
i am trying for a password validation code
but iam not able to stop the page from loading the page when the
password is wrong. the code is as below
------------------
<html>
<head>
<title>New User</title>
<script language = "JavaScript">
function validatePasswords() {
|
by: thoducng |
last post by:
I am writing some code to access share folder on a remote network.
DirectoryInfo dicInfo = new DirectoryInfo("remoteNetwork\shareFolder");
if (dicInfo.Exists)
{
//application code followed
|
by: Cecil |
last post by:
Does this make sense for a logon table:
CREATE TABLE Logon
(
ID INT NOT NULL IDENTITY PRIMARY KEY,
name VARCHAR(15) NOT NULL,
password VARCHAR(15) NOT NULL
)
GO
CREATE UNIQUE INDEX IX_Logon_Name ON Logon(name)
| |
by: nemo |
last post by:
I've included a list of username/password combinations in the
Web.Config file and I've a simple aspx page with a username and
password field for the users to log in. While the password field seems
to be case sensitive, the username field is not. How can I force the
username field to be case sensitive, i.e. match exactly what I have on
the Web.config file? Do I have to use regular expressions?
thanks
Nemo
|
by: nemo |
last post by:
I've included a list of username/password combinations in the
Web.Config file and I've a simple .aspx page with a username and
password field for the users to log in. While the password field is
automatically case sensitive, the username field is not. How can I
force the username field to be case sensitive, i.e. match exactly what
I have on the Web.config file? Do I have to use regular expressions?
thanks
Nemo
|
by: webmechanic |
last post by:
I have a photo gallery site and would like to
1. validate login information(username & password)
2. logout user due to inactivity for certain amount of time
3. Create logout button
Please provide tutorial or thorough explanation. Thanks.
|
by: livefreeordie |
last post by:
Hi,
I'm part of a 5-person team that develops websites for our company. I
need to use the ftp_* functions to find some files on another file
server. I need to authenticate to the file server using my username &
password but I don't want to have it right there in the script in plain
text.
Any suggestions?
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
| |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |