Wrox Programmer Forums
BOOK: Beginning Dreamweaver MX/MX 2004 MX ISBN: 978-0-7645-4404-0; MX 2004 ISBN: 978-0-7645-5524-4
This is the forum to discuss the Wrox book Beginning Dreamweaver MX by Charles E. Brown, Imar Spaanjaars, Todd Marks; ISBN: 9780764544040
Please indicate which version of the book you are using when posting questions.

You are currently viewing the BOOK: Beginning Dreamweaver MX/MX 2004 MX ISBN: 978-0-7645-4404-0; MX 2004 ISBN: 978-0-7645-5524-4 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old May 25th, 2004, 06:01 AM
Registered User
 
Join Date: Sep 2003
Posts: 6
Thanks: 0
Thanked 0 Times in 0 Posts
chapter 12 - problems with understanding the code

Hello!

I have a problem with understanding the code in the section "creating a database driven site", which Dreamweaver creates. It's about using access levels for pages. Here's the code for the login.asp page (which I understand):

<%
' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" + Request.QueryString
MM_valUsername=CStr(Request.Form("txtUserName"))
If MM_valUsername <> "" Then
  MM_fldUserAuthorization="AccessLevel"
  MM_redirectLoginSuccess="home.asp"
  MM_redirectLoginFailed="login.asp"
  MM_flag="ADODB.Recordset"
  set MM_rsUser = Server.CreateObject(MM_flag)
  MM_rsUser.ActiveConnection = MM_connTheSoccerSite_STRING
  MM_rsUser.Source = "SELECT Name, Password"
  If MM_fldUserAuthorization <> "" Then MM_rsUser.Source = MM_rsUser.Source & "," & MM_fldUserAuthorization
  MM_rsUser.Source = MM_rsUser.Source & " FROM Users WHERE Name='" & Replace(MM_valUsername,"'","''") &"' AND Password='" & Replace(Request.Form("txtPassword"),"'","''") & "'"
  MM_rsUser.CursorType = 0
  MM_rsUser.CursorLocation = 2
  MM_rsUser.LockType = 3
  MM_rsUser.Open
  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ' username and password match - this is a valid user
    Session("MM_Username") = MM_valUsername
    If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value
    Else
      Session("MM_UserAuthorization") = ""
    End If
    if CStr(Request.QueryString("accessdenied")) <> "" And false Then
      MM_redirectLoginSuccess = Request.QueryString("accessdenied")
    End If
    MM_rsUser.Close
    Response.Redirect(MM_redirectLoginSuccess)
  End If
  MM_rsUser.Close
  Response.Redirect(MM_redirectLoginFailed)
End If
%>


And here is the code in admin.asp page:

<%
MM_authorizedUsers="Administrators"
MM_authFailedURL="../login.asp"
MM_grantAccess=false
If Session("MM_Username") <> "" Then
  If (false Or CStr(Session("MM_UserAuthorization"))="") Or _
         (InStr(1,MM_authorizedUsers,Session("MM_UserAuthorization"))>=1) Then
    MM_grantAccess = true
  End If
End If
If Not MM_grantAccess Then
  MM_qsChar = "?"
  If (InStr(1,MM_authFailedURL,"?") >= 1) Then MM_qsChar = "&"
  MM_referrer = Request.ServerVariables("URL")
  if (Len(Request.QueryString()) > 0) Then MM_referrer = MM_referrer & "?" & Request.QueryString()
  MM_authFailedURL = MM_authFailedURL & MM_qsChar & "accessdenied=" & Server.URLEncode(MM_referrer)
  Response.Redirect(MM_authFailedURL)
End If
%>

This is the section in admin.asp that I do not get:

If Session("MM_Username") <> "" Then
  If (false Or CStr(Session("MM_UserAuthorization"))="") Or _
         (InStr(1,MM_authorizedUsers,Session("MM_UserAuthorization"))>=1) Then
    MM_grantAccess = true


If we suppose that from login.asp we get the variable MM_UserAuthorization set to the empty string "" (it's in bold), and we compare it against the former section of code, we set the variable MM_grantAccess to true anyway. Or am I missing something?
I would really appreciate any help or tip. Thanks

 
Old May 25th, 2004, 06:24 AM
Wrox Author
 
Join Date: Jun 2003
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts

Hi Luke,

When you post about the book, can you please specify the version (MX vs MX 2004) and a page number? Makes it easier to find out what you're talking about.

Anyway, you're right in your assumptions. When a user has an empty access level, they gain access to the protected areas. Therefore, it's important a user always has an access level specified. Take a look at the book's extension article about adding users, located here: http://Imar.Spaanjaars.Com/QuickDocID.aspx?QUICKDOC=209

Somewhere half way down the article you'll find a section called "Adding the Insert Record Behavior". Look at its subsection "A Little Explanation" for an explanation about the security hole, and three ways to close that hole.

Hope this helps; otherwise let me know.

Imar

---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
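
The access check discussed in this thread, modelled side by side with a stricter comparison. This is an added example, not part of the original posts, the book's code, or the linked article; the function names GeneratedCheck and StrictCheck and the sample users are hypothetical, and the script is meant to be run with cscript under Windows Script Host rather than inside an ASP page.

```vbscript
Option Explicit

' Model of the Dreamweaver-generated test from admin.asp in this thread.
' "False Or" is kept as generated; level stands in for
' Session("MM_UserAuthorization"), userName for Session("MM_Username").
Function GeneratedCheck(userName, level, authorizedUsers)
  GeneratedCheck = False
  If userName <> "" Then
    If (False Or CStr(level) = "") Or _
       (InStr(1, authorizedUsers, level) >= 1) Then
      GeneratedCheck = True
    End If
  End If
End Function

' Stricter variant (an assumption of this example): an empty or Null
' level is denied, and the level must equal one whole entry of the
' comma-separated list instead of appearing somewhere inside it.
Function StrictCheck(userName, level, authorizedUsers)
  Dim entry, lvl
  StrictCheck = False
  lvl = Trim(level & "")          ' Null & "" yields "", so Null is denied
  If userName = "" Or lvl = "" Then Exit Function
  For Each entry In Split(authorizedUsers, ",")
    If StrComp(Trim(entry), lvl, vbTextCompare) = 0 Then
      StrictCheck = True
      Exit Function
    End If
  Next
End Function

' Constructed session values: (user name, access level).
' "bob" has the empty access level the thread asks about; "carol" has a
' level that is only a substring of the authorized group name.
Dim cases, c
cases = Array(Array("alice", "Administrators"), _
              Array("bob", ""), _
              Array("carol", "Admin"), _
              Array("dave", "Members"), _
              Array("", "Administrators"))
For Each c In cases
  WScript.Echo "user=[" & c(0) & "] level=[" & c(1) & "]" & _
               " generated=" & GeneratedCheck(c(0), c(1), "Administrators") & _
               " strict=" & StrictCheck(c(0), c(1), "Administrators")
Next
```

In admin.asp the same comparison would take Session("MM_Username") and Session("MM_UserAuthorization") as its first two arguments and MM_authorizedUsers as the third.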
 
Old May 25th, 2004, 06:45 AM
Registered User
 
Join Date: Sep 2003
Posts: 6
Thanks: 0
Thanked 0 Times in 0 Posts

Hello Imar!

I would like to thank you for your reply and help. I'm currently "digesting" the article "Adding the Insert Record Behavior" which is quite helpful.

Thanks again,
Luke

 
Old May 25th, 2004, 07:08 AM
Wrox Author
 
Join Date: Jun 2003
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts

Great. Have fun and let me know if you need more help or a more detailed explanation.

Cheers,

Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.




