I can verify user name and password

hdoldur · March 31st, 2004, 09:20 PM

I have created a user profile and cannot verify the data such as username and password in order to pass the authorization.. Here is the code as following:
<%
    'Save the entered username and password
    Username = Request.Form("txtUsername")
    Password = Request.Form("txtPassword")

    'Build connection with database
    set conn = server.CreateObject ("ADODB.Connection")
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & server.MapPath ("userss.mdb")
    set rs = server.CreateObject ("ADODB.Recordset")
    'Open record with entered username
    rs.Open "SELECT * FROM userlist where username='"& Username &"'", conn, 1

    'If there is no record with the entered username, close connection
    'and go back to login with QueryString
    If rs.recordcount = 0 then
        rs.close
        conn.close
        set rs=nothing
        set conn=nothing
        Response.Redirect("login.asp?login=namefailed")
    end if

    'If entered password is right, close connection and open mainpage
    if rs("password") = Password then
        Session("name") = rs("fullname")
        rs.Close
        conn.Close
        set rs=nothing
        set conn=nothing
        Response.Redirect("default.asp")
    'If entered password is wrong, close connection
    'and return to login with QueryString
    else
        rs.Close
        conn.Close
        set rs=nothing
        set conn=nothing
        Response.Redirect("login.asp?login=passfailed")
    end if

%>

pgtips · April 1st, 2004, 03:57 AM

Change this:

If rs.recordcount = 0 then

to this:

If rs.EOF then

You need this change because by default you get a recordset which doesn't support the RecordCount property (well it always returns -1 however many records there are).

One other general point:
It looks like your database is stored in the same directory as your asp pages. This means that anyone could download the mdb and they would then be able to see all your user ids and passwords (you really shouldn't store passwords in plain text, its not very secure is it?). You should either move the access db outside of the web root, or put in a folder inside the web root and configure IIS to deny read access to it.

hth
Phil

planoie · April 3rd, 2004, 07:51 PM

To add to Phil's suggestion:

When I do login verification (and I think you'll notice this on a lot of sites) I never tell a user that the username is bad. Either pass or fail, but don't say why. If a malicious user gets a "good username, bad password" indication, then s/he is 50% on the way to cracking a login. I do this with a query that specifies both the username and password. (This is also microscopically faster because you don't have to do string comparisons in the calling code. You just test for a record returned or not.)

Peter
------------------------------------------------------
Work smarter, not harder.