Bytes IT Community

Login not validating

okay...so I got this login script and I edited it all and it seems to
run fine...IE it listens to the script as far as permissions go when I
place a restriction on a page and when you login it redirects. But
first it doesn't tell you that you're logged in and doesn't provide a
logout feature.

And most importantly if I type in a random username and password not
listed in the database it doesn't seem to matter it still "lets me
login"
I think it may have something to do with my database connection. I
am using an SQL database/server ADO connection. But I don't know if
I entered it right in the code. If you could look and verify whether
I've made a mistake, a simple script maybe for logout and letting one
know he/she is logged in that would be soooooooooooooooooooooooooooooo
great. I'd be forever grateful!
here is the code:

<% Response.Buffer = true %>
<%
Session("DatabasePath") = "/XXXXX/XXXXX.mdb"
If Request.Form("btnLogin") = "Login" AND Request.Form("txtName") <> "" _
AND Request.Form("txtPassword") <> "" Then

'-- Declare your variables
Dim DataConnection, cmdDC, RecordSet
Dim RecordToEdit, Updated, strUserName, strPassword

strUserName = Request.Form("txtName")
strPassword = Request.Form("txtPassword")

'-- Create object and open database
Set DataConnection = Server.CreateObject("ADODB.Connection")
DataConnection.Open "Driver={SQL Server}; Server=XXXXXXXXX; " & _
"Database=XXXXXX; UID=XXXXXXX; PWD=XXXXXXX;" & ";"
Set cmdDC = Server.CreateObject("ADODB.Command")
cmdDC.ActiveConnection = DataConnection
%>
<%
'-- default SQL
SQL = "SELECT * FROM Users"

If Request.Form("txtName") <> "" Then
SQL = "SELECT Users.* FROM Users " & _
"WHERE Users.userID='" & strUserName & _
"' AND Users.password ='" & strPassword & "'"
End If

cmdDC.CommandText = SQL
Set RecordSet = Server.CreateObject("ADODB.Recordset")

'-- Cursor Type, Lock Type
'-- ForwardOnly 0 - ReadOnly 1
'-- KeySet 1 - Pessimistic 2
'-- Dynamic 2 - Optimistic 3
'-- Static 3 - BatchOptimistic 4
RecordSet.Open cmdDC, , 0, 2
If Not RecordSet.EOF Then
Dim strPermissionsGranted
strPermissionsGranted = RecordSet.Fields("PermissionsGranted")
Session("PermissionsGranted") = strPermissionsGranted
Else
'The user was not validated...
'Take them to a page which tells them they were not validated...
Response.Redirect "register.asp"
End If
End If
%>
<form action="home.asp" method="post">
<% If Session("PermissionsGranted") <> 0 AND Request.Form("btnLogin") = "Login" _
AND Request.Form("txtName") <> "" AND _
Request.Form("txtPassword") <> "" Then
Response.write("<b>" & Request.Form("txtName"))
Response.write("</b> is logged on.<BR>")
Response.write("User Access Level is: ")
Response.write(RecordSet.Fields("PermissionsGranted") & "<BR>")
End If
%>

<table border="1" cellpadding="5" cellspacing="0">
<tr>
<td>User Name:</td>
<td><input type="text" name="txtName" size="40" ></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="txtPassword" size="40" value=""></td>
</tr>
</table>
<p>
<input type="submit" name="btnLogin" value="Login">
</form>

Jun 4 '07 #1
3 Replies


Je*************@gmail.com wrote:
okay...so I got this login script and I edited it all and it seems to
run fine...IE it listens to the script as far as permissions go when I
place a restriction on a page and when you login it redirects. But
first it doesn't tell you that you're logged in and doesn't provide a
logout feature.

And most importantly if I type in a random username and password not
listed in the database it doesn't seem to matter it still "lets me
login"
I think it may have something to do with my database connection. I
am using an SQL database/server ADO connection.
Extremely unlikely. It is more likely to be a problem with the code
you've written to handle the answer you receive from your database
query.
But I don't know if
I entered it right in the code. If you could look and verify whether
I've made a mistake, a simple script maybe for logout and letting one
know he/she is logged in that would be soooooooooooooooooooooooooooooo
great. I'd be forever grateful!
here is the code:

<% Response.Buffer = true %>
<%
Session("DatabasePath") = "/XXXXX/XXXXX.mdb"
Access? You should be using a filesystem path, not a virtual web path.
If Request.Form("btnLogin") = "Login" AND Request.Form("txtName") <> "" _
AND Request.Form("txtPassword") <> "" Then

'-- Declare your variables
Dim DataConnection, cmdDC, RecordSet
Dim RecordToEdit, Updated, strUserName, strPassword
This is a bad place to be declaring variables. All variables should be
declared at the beginning of the procedure (before the If Statement).
Given that this is vbscript whose compiler "hoists" all variable
declarations to the top of the code, this bad practice will not hurt
you: at worst it will make it difficult for anyone attempting to
maintain your code.
strUserName = Request.Form("txtName")
strPassword = Request.Form("txtPassword")
You should have done the above two steps in the first place, and used
the variables in your initial If statement. This is a minor quibble -
it's a good idea to minimize the references to Form variables.

It looks like you refer to btnLogin later on. You should assign that
value to a variable as well. The code should be changed to:

<%
Dim DataConnection, cmdDC, RecordSet,strPermissionsGranted
Dim RecordToEdit, Updated, strUserName, strPassword, btnLogin
strUserName = Request.Form("txtName")
strPassword = Request.Form("txtPassword")
btnLogin = Request.Form("btnLogin")

'comment out these lines when finished debugging:
'***********************************************************
Response.Write "For debugging:<br>"
Response.write "strUserName contains """ & _
strUserName & """<br>"
Response.write "strPassword contains """ & _
strPassword & """<br>"
Response.write "btnLogin contains """ & _
btnLogin & """<br>"
'***********************************************************

If btnLogin = "Login" And strUserName <> "" And _
strPassword <> "" Then

>
'-- Create object and open database
Set DataConnection = Server.CreateObject("ADODB.Connection")
DataConnection.Open "Driver={SQL Server}; Server=XXXXXXXXX; " & _
"Database=XXXXXX; UID=XXXXXXX; PWD=XXXXXXX;" & ";"
Again, it's still probably got nothing to do with your problem, but see:
http://www.aspfaq.com/show.asp?id=2126

You should not be passing a UID or PWD to open the database.
>

Set cmdDC = Server.CreateObject("ADODB.Command")
cmdDC.ActiveConnection = DataConnection
You should use the Set keyword in the above line:
Set cmdDC.ActiveConnection = DataConnection
%>
<%
'-- default SQL
SQL = "SELECT * FROM Users"
http://www.aspfaq.com/show.asp?id=2096

Looking ahead, I see that the only field you seem to be interested in is
"PermissionsGranted". Why force ADO to retrieve the values of all the
other fields in your table?
>
If Request.Form("txtName") <> "" Then
Again, a reference to a Form variable whose value is already stored in a
local variable (strUserName).
And why check it again? It's not going to change ...
SQL = "SELECT Users.* FROM Users " & _
"WHERE Users.userID='" & strUserName & _
"' AND Users.password ='" & strPassword & "'"
End If
You are leaving yourself extremely vulnerable to hackers utilizing SQL
Injection to attack your site. Avoid dynamic SQL!! Since you already
have a Command object, change your code to this:

SQL = "Select PermissionsGranted From Users Where " & _
"UserID = ? AND [password] = ?"
cmdDC.CommandText = SQL

(notice that I surrounded password with brackets. The reason this is
necessary is because "password" is a reserved keyword. See
http://www.aspfaq.com/show.asp?id=2080. I strongly recommend that you
change the name of that field. If you are unable to do so, you will need
to remember to use brackets when using it in your queries)
cmdDC.CommandText = SQL
Set RecordSet = Server.CreateObject("ADODB.Recordset")

'-- Cursor Type, Lock Type
'-- ForwardOnly 0 - ReadOnly 1
'-- KeySet 1 - Pessimistic 2
'-- Dynamic 2 - Optimistic 3
'-- Static 3 - BatchOptimistic 4
RecordSet.Open cmdDC, , 0, 2
These options are mutually exclusive. All you require here is a
server-side, forward-only cursor, which is the default. Just use this to
open your recordset (a variant array is used to pass the parameter
values to the parameter markers, the question marks, in the sql
statement):

cmdDC.CommandType = 1 'adCmdText
arParms = Array(strUserName, strPassword)
Set RecordSet=cmdDC.Execute(,arParms)
If Not RecordSet.EOF Then
Dim strPermissionsGranted
Again, this is a bad place to be declaring a variable.
strPermissionsGranted = RecordSet.Fields("PermissionsGranted")
Session("PermissionsGranted") = strPermissionsGranted
You should be closing your recordset and connection at this point - you
are done with them are you not?
Recordset.Close: Set Recordset=Nothing
Set cmdDC = Nothing
DataConnection.Close: Set DataConnection = Nothing
Else
'The user was not validated...
'Take them to a page which tells them they were not validated...
close your recordset and connection:
Recordset.Close: Set Recordset=Nothing
Set cmdDC = Nothing
DataConnection.Close: Set DataConnection = Nothing

Also, make sure your session variable is blanked:
Session("PermissionsGranted") = ""
Response.Redirect "register.asp"
End If
You did nothing to handle the event that the recordset was empty (EOF
true). I suspect you should add this:

Else
Session("PermissionsGranted") = ""
Recordset.Close: Set Recordset=Nothing
Set cmdDC = Nothing
DataConnection.Close: Set DataConnection = Nothing
Response.Redirect "register.asp"
End If
%>
<form action="home.asp" method="post">
<% If Session("PermissionsGranted") <> 0 AND Request.Form("btnLogin") = "Login" _
AND Request.Form("txtName") <> "" AND _
Request.Form("txtPassword") <> "" Then
Again!! You already have local variables containing these values - use
them!

If strPermissionsGranted <> 0 And strUserName <> "" _
AND strPassword <> "" AND Request.Form("btnLogin") = "Login" Then

Response.write("<b>" & Request.Form("txtName"))
No!! Like this:

Response.write "<b>" & strUserName
Response.write "</b> is logged on.<BR>"
Response.write "User Access Level is: "
Response.write strPermissionsGranted & "<BR>"

End If
%>
For more about SQL Injection read these:
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/adva..._injection.pdf

For a better way to run Access queries, read:
http://www.google.com/groups?hl=en&l...TNGP12.phx.gbl
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Jun 4 '07 #2
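The two points Bob makes above, the parameterized lookup with `?` markers instead of string-built SQL and blanking Session("PermissionsGranted") whenever the lookup fails, together with the logout the original poster asked for, as an added example that is not part of this thread. It is Python over an in-memory SQLite table rather than ASP/ADO, so `conn.execute(sql, params)` stands in for ADODB.Command with cmdDC.Execute(, arParms); the Users table, its rows and the LoginSession class are constructed for the demo and are not the poster's database or Bob's code. The concatenated `lookup_dynamic` keeps the original post's string-building so the two forms can be compared on the same input.

```python
import sqlite3

# Constructed stand-in for the thread's Users table (userID, password,
# PermissionsGranted). Clear-text passwords only mirror the poster's schema;
# a real table would hold a password hash, not the password.
SEED_USERS = [
    ("alice", "s3cret", 2),
    ("o'brien", "pw", 1),   # an apostrophe in the name is a legitimate value
]


def make_db() -> sqlite3.Connection:
    """Build the in-memory Users table used by every function below."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (userID TEXT, password TEXT, PermissionsGranted INTEGER)"
    )
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SEED_USERS)
    return conn


def lookup_dynamic(conn, user, pw):
    """The original post's approach: user input is spliced into the SQL text,
    so the database parses whatever the user typed as part of the statement."""
    sql = ("SELECT PermissionsGranted FROM Users WHERE userID='" + user
           + "' AND password='" + pw + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_parameterized(conn, user, pw):
    """Bob's approach: ? markers in the statement, values passed separately.
    The values are bound as data and are never parsed as SQL."""
    sql = "SELECT PermissionsGranted FROM Users WHERE userID = ? AND password = ?"
    row = conn.execute(sql, (user, pw)).fetchone()
    return row[0] if row else None


def dynamic_breaks_on_quote(conn, user, pw) -> bool:
    """True when the concatenated query fails to parse for this input, i.e.
    the input changed the statement's structure (the SQL injection symptom)."""
    try:
        lookup_dynamic(conn, user, pw)
        return False
    except sqlite3.OperationalError:
        return True


class LoginSession:
    """Models Session("PermissionsGranted") for one visitor (assumed design).
    The permission is cleared on a failed login and on logout, so a stale
    value from an earlier success can never make a bad login look valid."""

    def __init__(self, conn):
        self.conn = conn
        self.permissions = None

    def login(self, user, pw) -> bool:
        perms = lookup_parameterized(self.conn, user, pw)
        if perms is None:
            self.permissions = None   # blank the session, as Bob's Else branch does
            return False
        self.permissions = perms
        return True

    def logout(self) -> None:
        self.permissions = None

    def is_logged_on(self) -> bool:
        return self.permissions is not None


if __name__ == "__main__":
    db = make_db()
    s = LoginSession(db)
    print("alice login:", s.login("alice", "s3cret"), "level", s.permissions)
    print("bad login:", s.login("alice", "wrong"), "logged on?", s.is_logged_on())
    print("quote breaks dynamic SQL:", dynamic_breaks_on_quote(db, "o'brien", "pw"))
    print("parameterized handles quote:", lookup_parameterized(db, "o'brien", "pw"))
```

A username containing an apostrophe is enough to show the difference: the concatenated form raises a syntax error because the input was parsed as part of the statement, while the parameterized form simply looks the value up as data and returns the user's level. The session model shows the second half of Bob's advice: after a failed login `is_logged_on()` is false even if the same visitor had logged in successfully a moment earlier.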

Bob Barrows [MVP] wrote:
>>
'-- Create object and open database
Set DataConnection = Server.CreateObject("ADODB.Connection")
DataConnection.Open "Driver={SQL Server}; Server=XXXXXXXXX; " & _
"Database=XXXXXX; UID=XXXXXXX; PWD=XXXXXXX;" & ";"

Again, it's still probably got nothing to do with your problem, but
see: http://www.aspfaq.com/show.asp?id=2126

You should not be passing a UID or PWD to open the database.
Oops, I was confused by your earlier reference to an Access database
file. With SQL Server, you definitely should be passing a User ID and
Password
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Jun 4 '07 #3

On Jun 4, 10:45 am, "Bob Barrows [MVP]" <reb01...@NOyahoo.SPAMcom>
wrote:
Bob Barrows [MVP] wrote:
'-- Create object and open database
Set DataConnection = Server.CreateObject("ADODB.Connection")
DataConnection.Open "Driver={SQL Server}; Server=XXXXXXXXX; " & _
"Database=XXXXXX; UID=XXXXXXX; PWD=XXXXXXX;" & ";"
Again, it's still probably got nothing to do with your problem, but
see:http://www.aspfaq.com/show.asp?id=2126
You should not be passing a UID or PWD to open the database.

Oops, I was confused by your earlier reference to an Access database
file. With SQL Server, you definitely should be passing a User ID and
Password
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
*Claps* thanks much for the comment...now if I can just decipher
it...so much reading *squints*

Jun 4 '07 #4
