Hello, hope I'm in the right area for this question.

I have a Login page using 3 pieces of info: User Name, Password and PIN. This goes to a success page (coming off a MYSQL Db). The problem is when you successfully log in, the address bar shows:

www.thesiteaddress.com/admin~/index_t.asp?id=3

Unfortunately anyone can change the id=3 to id=4 or 5, 6, etc. and access other peoples details. I can't find a solution to prevent this.

I would prefer to have done this all in Dreamweaver MX without separate coding.

I've been giving myself headaches trying to secure this login! If anyone can help I'd appreciate it. The code is below. Cheers Guys & Gals.

PS. Does anyone know a a good AutoResponder script that different people can use from the same site. Logging in for their personalised Autorespond page and mangae their own emails. Preferably using MYSQL Db. I'm using Linux.




-----------------The Login Page

<%@LANGUAGE="VBSCRIPT"%>

<%

'/////login////

response.buffer = true



If request("id" = "verify" then

set dbConn = Server.CreateObject("ADODB.Connection"

dbConn.ConnectionString = "DSN=TheDSN"

dbConn.Open



set rs = Server.CreateObject("ADODB.Recordset"

SQL = "SELECT * FROM tblUsers WHERE UserName = '" & request("username" & "' AND Password = '" & request("Password" & "' AND PinNumber = '" & request("PinNumber" & "'"

set rs = dbConn.Execute(SQL)



If not rs.eof then

While not rs.EOF

group = rs("AccessGroup"

'response.write("group:" & group)

userid = rs("id"

'response.write("userid: " & userid)

rs.movenext

wend

If group = "Paid" then

session("Loggedin"=True
session("id"=userid

'redir = "admin~/index_t.asp

'response.write(redir)

'response.end

response.redirect("admin~/index_t.asp?id=" & userid)

ElseIf group = "NotPaid" then

session("oldloggedin"=True
session("id"=userid

'redir = "notavailable_cust.asp

'response.write(redir)

'response.end

response.redirect("notavailable_cust?id=" & userid)

End If

Else

'/////// redirect page if no match found in database///////

response.redirect("index_ie.asp?id=error"

End If

End If



%>



<SCRIPT runat=SERVER language=VBSCRIPT>
function DoDateTime(str, nNamedFormat, nLCID)
dim strRet
dim nOldLCID

strRet = str
If (nLCID > -1) Then
oldLCID = Session.LCID
End If

On Error Resume Next

If (nLCID > -1) Then
Session.LCID = nLCID
End If

If ((nLCID < 0) Or (Session.LCID = nLCID)) Then
strRet = FormatDateTime(str, nNamedFormat)
End If

If (nLCID > -1) Then
Session.LCID = oldLCID
End If

DoDateTime = strRet
End Function
</SCRIPT>
<HTML>
<HEAD>
<TITLE></TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1126" name=GENERATOR>
</HEAD>
<BODY bgcolor=#ffffff leftmargin=0 topmargin=0>
<TABLE cellspacing=0 cellpadding=0 width="100%" border=0>
<TBODY>
<TR valign="top">
<TD height="453">
<TABLE cellspacing=0 cellpadding=0 width="100%"
border=0>
<TBODY>
<TR>
<TD valign=middle colspan=3>
<TABLE width="740" border=0 align=left cellpadding=0 cellspacing=0>
<TBODY>
<TR>
<TD width="575" valign="top">
<TABLE width="100%" border=0 cellpadding=0 cellspacing=0>
<TBODY>
<TR>
<TD width="508" valign="top"><!-- ======================= form beginning ==========================//--> <%

if request("id" = "error" then

vartext = "Wrong, please check and try again."

End If

%>
<form name="Login" method="post" action="index_t.asp?id=verify" class="normal"> <form name="Login" method="post" action="/admin~/index_t.asp" class="normal">

<table border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#99CC66">
<tr>
<td height="18" colspan="2" valign="baseline" class="mainred"><%=vartext%></td>
</tr>
<tr>
<td height="32" colspan="2"><span
class=mainwht11><b><span class=mainblk><span
class=maindrkgrey><span class=mainwht11>Member Area:</span></span></span></b></span> <span
class=mainwht11><b><span class=mainblk></span></b></span></td>
</tr>
<tr>
<td width="106" class="mainwht">User Name</td>
<td width="140"><input class=mainblk maxlength=128
name=UserName size="20">
</td>
</tr>
<tr>
<td class="mainwht">Password</td>
<td width="140"><input class=mainblk type=password
maxlength=20 name=Password size="20">
</td>
</tr>
<tr>
<td class="mainwht">Pin</td>
<td width="140"><input class=mainblk type=password
maxlength=20 name=PinNumber size="20">
</td>
</tr>
<tr>
<td height="28"> </td>
<td width="140"> <input class=maindrkgrey type=submit value="Log In" name=submit>
</td>
</tr>
</table>
</form>
</TD>
</TR>
</TBODY>
</TABLE>
</TD>
</TR>
</TBODY>
</TABLE>
</TD>
<TD valign=top width=482>  </TD>
<TD width=165> </TD>
</TR>
</TBODY>
</TABLE>
</TD>
</TR>
</TBODY>
</TABLE>
</BODY>
</HTML>



-----------------The Success Page

<%@LANGUAGE="VBSCRIPT"%>
<!--#include virtual="/Connections/whatever.asp"-->

<%

response.buffer = true


If request("id" = "verify" then

set dbConn = Server.CreateObject("ADODB.Connection"

dbConn.ConnectionString = "DSN=theDSN"

dbConn.Open



set rs = Server.CreateObject("ADODB.Recordset"

SQL = "SELECT * FROM tblUsers WHERE UserName = '" & request("username" & "' AND Password = '" & request("Password" & "' AND PinNumber = '" & request("PinNumber" & "'"

set rs = dbConn.Execute(SQL)



If not rs.eof then

While not rs.EOF

group = rs("AccessGroup"

'response.write("group:" & group)

userid = rs("id"

'response.write("userid: " & userid)

rs.movenext

wend

If group = "Paid" then

session("Loggedin"=True
session("id"=userid

'redir = "admin~/index_t.asp

'response.write(redir)

'response.end

response.redirect("loggedin?id=" & userid)

ElseIf group = "NotPaid" then

session("oldloggedin"=True
session("id"=userid

'redir = "notavailable_cust.asp

'response.write(redir)

'response.end

response.redirect("notavailable_cust?id=" & userid)

End If

Else

'/////// redirect page if no match found in database///////

response.redirect("../sorrylogin.asp?id=error"

End If

End If



%>



<%



set dbConn = Server.CreateObject("ADODB.Connection"

dbConn.ConnectionString = "DSN=TheDSN"

dbConn.Open





if not session("Loggedin" then

response.redirect("../loggedout.asp"

End If

id=Session("id"

set rs= Server.CreateObject("ADODB.RecordSet"

SQL = "SELECT * from tblUsers where id=" & id

set rs = dbConn.Execute(SQL)



While not rs.EOF



rs.movenext

wend

dbconn.close

%>
<%
Dim rsUsers__MMColParam
rsUsers__MMColParam = "1"
If (Request.QueryString("id" <> "" Then
rsUsers__MMColParam = Request.QueryString("id"
End If
%>
<%
Dim rsUsers
Dim rsUsers_numRows

Set rsUsers = Server.CreateObject("ADODB.Recordset"
rsUsers.ActiveConnection = MM_TheConnection_STRING
rsUsers.Source = "SELECT * FROM tblUsers WHERE id = " + Replace(rsUsers__MMColParam, "'", "''" + ""
rsUsers.CursorType = 0
rsUsers.CursorLocation = 2
rsUsers.LockType = 1
rsUsers.Open()

rsUsers_numRows = 0
%>
<SCRIPT RUNAT=SERVER LANGUAGE=VBSCRIPT>
function DoDateTime(str, nNamedFormat, nLCID)
dim strRet
dim nOldLCID

strRet = str
If (nLCID > -1) Then
oldLCID = Session.LCID
End If

On Error Resume Next

If (nLCID > -1) Then
Session.LCID = nLCID
End If

If ((nLCID < 0) Or (Session.LCID = nLCID)) Then
strRet = FormatDateTime(str, nNamedFormat)
End If

If (nLCID > -1) Then
Session.LCID = oldLCID
End If

DoDateTime = strRet
End Function
</SCRIPT>
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<%
Response.Write MM_updateStr
%>
<table width="68%" border="0" cellspacing="0" cellpadding="0" align="center">
<tr>
<td>
<table width="100%" cellspacing="0" cellpadding="0" class="mainblk">
<tr class="mainwht11">
<td colspan="9">  </td>
</tr>
</table>
</td>
</tr>
<tr>
<td valign="top" nowrap> <b class="mainblk11"> <img src="../images/spacer.gif" width="4" height="1"><%=(rsUsers.Fields.Item("AdminContactFn".Value)%><img src="../images/spacer.gif" width="1" height="1">
welcome test</b></td>
</tr>
</table>
</body>
</html>
<%
rsUsers.Close()
Set rsUsers = Nothing
%>

Can't help you with your query but I do have some advice.

I think most people on this forum prefer people not to post huges amounts of code. Linking to a text file or a webpage would probably be a better idea.

--------------------------------------
www.galleryof3d.com

Attempting to convert this to a database driven site - currently all individual pages. lol