Wrox Programmer Forums
Classic ASP Databases Discuss using ASP 3 to work with data in databases, including ASP Database Setup issues from the old P2P forum on this specific subtopic. See also the book forum Beginning ASP.NET Databases for questions specific to that book. NOT for ASP.NET 1.0, 1.1, or 2.0.

You are currently viewing the Classic ASP Databases section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old March 31st, 2004, 09:20 PM
Registered User
 
Join Date: Mar 2004
Posts: 3
I can verify user name and password

I have created a user profile and cannot verify the data such as username and password in order to pass the authorization. Here is the code, as follows:
<%
    'Save the entered username and password
    Username = Request.Form("txtUsername")
    Password = Request.Form("txtPassword")

    'Build connection with database
    set conn = server.CreateObject ("ADODB.Connection")
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & server.MapPath ("userss.mdb")
    set rs = server.CreateObject ("ADODB.Recordset")
    'Open record with entered username
    rs.Open "SELECT * FROM userlist where username='"& Username &"'", conn, 1

    'If there is no record with the entered username, close connection
    'and go back to login with QueryString
    If rs.recordcount = 0 then
        rs.close
        conn.close
        set rs=nothing
        set conn=nothing
        Response.Redirect("login.asp?login=namefailed")
    end if

    'If entered password is right, close connection and open mainpage
    if rs("password") = Password then
        Session("name") = rs("fullname")
        rs.Close
        conn.Close
        set rs=nothing
        set conn=nothing
        Response.Redirect("default.asp")
    'If entered password is wrong, close connection
    'and return to login with QueryString
    else
        rs.Close
        conn.Close
        set rs=nothing
        set conn=nothing
        Response.Redirect("login.asp?login=passfailed")
    end if

%>


 
Old April 1st, 2004, 03:57 AM
Friend of Wrox
 
Join Date: Jun 2003
Posts: 1,212

Change this:

If rs.recordcount = 0 then

to this:

If rs.EOF then

You need this change because by default you get a recordset which doesn't support the RecordCount property (well it always returns -1 however many records there are).

One other general point:
It looks like your database is stored in the same directory as your asp pages. This means that anyone could download the mdb and they would then be able to see all your user ids and passwords (you really shouldn't store passwords in plain text, it's not very secure, is it?). You should either move the Access db outside of the web root, or put it in a folder inside the web root and configure IIS to deny read access to it.

hth
Phil
 
Old April 3rd, 2004, 07:51 PM
planoie
Friend of Wrox
 
Join Date: Aug 2003
Posts: 5,407

To add to Phil's suggestion:

When I do login verification (and I think you'll notice this on a lot of sites) I never tell a user that the username is bad. Either pass or fail, but don't say why. If a malicious user gets a "good username, bad password" indication, then s/he is 50% on the way to cracking a login. I do this with a query that specifies both the username and password. (This is also microscopically faster because you don't have to do string comparisons in the calling code. You just test for a record returned or not.)

Peter
------------------------------------------------------
Work smarter, not harder.
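
The login check from this thread with both replies applied, as an added example that is not code from any poster: one query on username and password, an rs.EOF test, and a single failure redirect that does not say which field was wrong. The parameterized ADODB.Command and the StrComp comparison are additions beyond the thread; DB_PATH, MAX_LEN, the 50-character column size and the login=failed value are assumptions.

```asp
<%
Option Explicit
' ADO constants (values from adovbs.inc)
Const adCmdText = 1, adParamInput = 1, adVarWChar = 202
' Hypothetical path outside the web root, so the .mdb cannot be requested over HTTP
Const DB_PATH = "D:\data\userss.mdb"
' Assumed size of the username and password text columns
Const MAX_LEN = 50

Dim conn, cmd, rs, user, pass, loginOk, fullName
loginOk = False
user = Request.Form("txtUsername") & ""
pass = Request.Form("txtPassword") & ""

' Skip the database entirely for empty or oversized input
If Len(user) > 0 And Len(user) <= MAX_LEN And Len(pass) > 0 And Len(pass) <= MAX_LEN Then
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & DB_PATH

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' ? placeholders keep form input out of the SQL text.
    ' Jet compares text case-insensitively with "=", so the password
    ' is matched with a binary StrComp (third argument 0) instead.
    cmd.CommandText = "SELECT fullname FROM userlist " & _
                      "WHERE username = ? AND StrComp([password], ?, 0) = 0"
    cmd.Parameters.Append cmd.CreateParameter("u", adVarWChar, adParamInput, MAX_LEN, user)
    cmd.Parameters.Append cmd.CreateParameter("p", adVarWChar, adParamInput, MAX_LEN, pass)

    ' Forward-only recordset: test EOF, not RecordCount
    Set rs = cmd.Execute
    If Not rs.EOF Then
        loginOk = True
        fullName = rs("fullname").Value
    End If
    rs.Close
    conn.Close
    Set rs = Nothing : Set cmd = Nothing : Set conn = Nothing
End If

If loginOk Then
    Session("name") = fullName
    Response.Redirect "default.asp"
Else
    ' Same response whether the username or the password was wrong
    Response.Redirect "login.asp?login=failed"
End If
%>
```

The query still compares against whatever the password column holds; if the table is changed to store password hashes, the second parameter becomes the hash of the submitted password.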





Copyright (c) 2020 John Wiley & Sons, Inc.