Help in Log in.. please

paulapaupau · June 14th, 2012, 02:09 AM

Hi.. Please help me.. I tried to login using correct username and password and the needed page appeared.. I also tried wrong username and password and the needed still appeared..

here's my code:

<script type = "text/javascript">

<%
Sub CheckLogin
Dim Conn, rs, sql

set Conn = server.createobject("adodb.connection")
Conn = "Provider=sqloledb;Data Source=datasource;" & _
"Initial Catalog=catalog;User Id=user;Password=password;"
Set rs = Server.CreateObject( "ADODB.Recordset" )

sql = "SELECT * FROM CarInfo WHERE EmpID = '"&username&"'"

Set rs = conn.executed(sql)

rs.Open sql, Conn
Session("UserLoggedIn") = "false"
Do While Not rs.EOF
If Request.myform("username") = rs("EmpID") And Request.myform("pword") = rs("Password") Then
Session("UserLoggedIn") = "true"
Exit Do
End If
rs.MoveNext
Loop
rs.Close
Conn.Close

If Session("UserLoggedIn") = "true" Then
Response.Redirect ("password1.asp")
Else
Response.Write("Login Failed.<br><br>")
ShowLogin
End If

End Sub

%>

</script>
<body background="back.jpg">

<form action= "car.asp" method="post" name="login" id="login>

<h1><center> Company Name </center></h1>
<h2><center> Project System </center></h2>
<br/><br/><br/><p> <Center> Enter Username and Password </center> </p> <br/>
<p><center> USER NAME <input type="text" name="username"> <br/><br/> PASSWORD <input type="password" name="pword"><br/><br/>
<input type="submit" value="Login" onclick= "UserLoggedIn()">
</center> </p>

</form>

</body>

somebody.. PLEASE HELP ME.. :(

paulapaupau · June 14th, 2012, 02:29 AM

If Session("UserLoggedIn") = "true" Then
Response.Redirect ("password1.asp")

the "password1.asp" is supposed to be "car.asp"

sorry for that mistake.. help me please.. :l

Imar · June 14th, 2012, 02:51 AM

Hi there,

It doesn't look like this is all the code in your page, is it? Can you post the complete code?

Also, there are a lot of issues with your code:

1. First, it's open to SQL Injection. You need to use parameterized queries, or people will be able to submit arbitrary SQL statements to your database. Search Google for "SQL Injection" to learn more.

2. Where does Request.myform come from? That should be Request.Form in normal ASP pages.

3. You're submitting to Car.asp. Could it just be that your login code never runs but simply returns Car.asp?

4. When do you call CheckLogin? You define it as a Sub, but I don't see you call it.

5. Where is the code for UserLoggedIn that you call from the client?

Cheers,

Imar

paulapaupau · June 14th, 2012, 03:31 AM

Thank you for your reply..
I really need some help.. i'm so confused on my codes..

how about this one?.. is this correct?.. this is my first codes..

<%
Response.Expires = -1000
Response.Buffer = True
Session("UserLoggedIn") = ""
If Request.Form("login") = "true" Then
CheckLogin
Else
ShowLogin
End If

Sub ShowLogin
%>

<body background="back.jpg">

<form name="login" id="login>

<<h1><center> Company Name </center></h1>
<h2><center> Project System </center></h2>
<br/><br/><br/><p> <Center> Enter Username and Password </center> </p> <br/>
<p><center> USER NAME <input type="text" name="username"> <br/><br/> PASSWORD <input type="password" name="pword"><br/><br/>
<input type="submit" value="Login" >
</center> </p>

</form>

</body>

<%
End Sub

Sub CheckLogin
Dim Conn, rs, sql

set Conn = server.createobject("adodb.connection")
Conn = "Provider=sqloledb;Data Source=datasource;" & _
"Initial Catalog=catalog;User Id=user;Password=password;"
Set rs = Server.CreateObject( "ADODB.Recordset" )

sql = "SELECT * FROM CarInfo WHERE EmpID = '"&username&"'"

Set rs = conn.execute(sql)

rs.Open sql, Conn
Session("UserLoggedIn") = "false"
Do While Not rs.EOF
If Request.form("username") = rs("EmpID") And Request.form("pword") = rs("Password") Then
Session("UserLoggedIn") = "true"
Exit Do
End If
rs.MoveNext
Loop
rs.Close
Conn.Close

If Session("UserLoggedIn") = "true" Then
Response.Redirect "protectedpage.asp"
Else
Response.Write("Login Failed.<br><br>")
ShowLogin
End If

End Sub

%>

Imar · June 14th, 2012, 04:25 AM

Quote:

is this correct?..

Does it work? Then it is correct. If it doesn't, it's not ;-)

In other words, you need to provide more information. What happens, what do you see when you log in, that kind of information.

I think CheckLogin is never called because this will never be true:

If Request.Form("login") = "true" Then

With the currenty code, I see no reason why this would redirect to protectedpage.asp unless the login page is the protecte page (can't tell because I don't know the name of the page you posted, but I assume it isn't), so it looks like your problem has changed by now.

Also, your code is still open to SQL Injection. Put this page on a live server and someone evil can take over your server in a few hours if you're unlucky.

Imar

paulapaupau · June 14th, 2012, 04:51 AM

Hi Imar,

This still isn't working.. It only shows the Password label, the password text box and the submit button..

Yes, i will try the SQL injection, but I would like to make this login page work first.. Thank you so much for this advice..

What do you think is missing in this code?..

By the way, the name of the page that I posted is password.asp.. :) I'm sorry for the lack of information.

Thank you so much,
Paula

Imar · June 14th, 2012, 04:54 AM

Quote:

It only shows the Password label, the password text box and the submit button..

When? On page load, or also after you try to login? Please be as specific as you can.

Also, did you fix this:

Code:

 
If Request.Form("login") = "true" Then

This is never true, and thus the code never runs. Change it to something like:

Code:

 
If Request.Form("username") <> "" Then

Cheers,

Imar

paulapaupau · June 14th, 2012, 05:20 AM

I did this

If Request.Form("username") <> "" & Request.Form("pword")<>"" Then
CheckLogin

the Password label, the password text box and the submit button appears on page load. I also tried to type a correct password on the password textbox, but nothing happens..

Thanks again,
Paula

Imar · June 14th, 2012, 06:03 AM

& !- And

& concatenates; you need to use And instead....

paulapaupau · June 14th, 2012, 08:28 PM

Hi lmar,

I tried the And.. but still, nothing happens..

the Password label, the password text box and the submit button appears on page load. I also tried to type a correct password on the password textbox, but nothing happens..

Thank you,
Paula