
advanced login page

12 Apr 2003 10:37:51 richard thomas posted:
Hi,
I'm trying to develop the code (starting with the basic DW login code) for an advanced login page, requiring five (5) fields to verify the users. I have a basic form (included in the code) with five fields etc. I've attempted to modify the code to include the additional fields but I have a feeling there is a lot more to it than that?

I'd appreciate anyone who can advise me and show me the way...

Thanks in advance.
<%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
<!--#include file="../Connections/connection.asp" -->
<%
' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" + Request.QueryString
MM_valUsername=CStr(Request.Form("field1"))
If MM_valUsername <> "" Then
  MM_fldUserAuthorization=""
  MM_redirectLoginSuccess="ok.htm"
  MM_redirectLoginFailed="no.htm"
  MM_flag="ADODB.Recordset"
  set MM_rsUser = Server.CreateObject(MM_flag)
  MM_rsUser.ActiveConnection = MM_connection_STRING
  MM_rsUser.Source = "SELECT usr_field1, usr_field2, usr_field3, usr_field4, usr_field5"
  If MM_fldUserAuthorization <> "" Then MM_rsUser.Source = MM_rsUser.Source & "," & MM_fldUserAuthorization
  ' All five submitted values must match one row. Each value has its single
  ' quotes doubled before being placed in the SQL string (the standard DW approach);
  ' each value is wrapped in exactly one pair of quotes.
  MM_rsUser.Source = MM_rsUser.Source & " FROM multipleLogin WHERE usr_field1='" & Replace(MM_valUsername,"'","''") & "'" _
    & " AND usr_field2='" & Replace(CStr(Request.Form("field2")),"'","''") & "'" _
    & " AND usr_field3='" & Replace(CStr(Request.Form("field3")),"'","''") & "'" _
    & " AND usr_field4='" & Replace(CStr(Request.Form("field4")),"'","''") & "'" _
    & " AND usr_field5='" & Replace(CStr(Request.Form("field5")),"'","''") & "'"
  MM_rsUser.CursorType = 0
  MM_rsUser.CursorLocation = 2
  MM_rsUser.LockType = 3
  MM_rsUser.Open
  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ' all five fields match - this is a valid user
    Session("MM_Username") = MM_valUsername
    If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = ""
    End If
    if CStr(Request.QueryString("accessdenied")) <> "" And false Then
      MM_redirectLoginSuccess = Request.QueryString("accessdenied")
    End If
    MM_rsUser.Close
    Response.Redirect(MM_redirectLoginSuccess)
  End If
  MM_rsUser.Close
  Response.Redirect(MM_redirectLoginFailed)
End If
%>
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<form ACTION="<%=MM_LoginAction%>" method="POST" name="loginForm" id="loginForm">
<table width="100%" border="0" cellspacing="0" cellpadding="3">
<tr>
<td><div align="right">field 1</div></td>
<td><label>
<input name="field1" type="text" id="field1">
</label></td>
</tr>
<tr>
<td><div align="right">field 2</div></td>
<td><input name="field2" type="text" id="field2"></td>
</tr>
<tr>
<td><div align="right">field 3</div></td>
<td><input name="field3" type="text" id="field3"></td>
</tr>
<tr>
<td><div align="right">field 4</div></td>
<td><input name="field4" type="text" id="field4"></td>
</tr>
<tr>
<td><div align="right">field 5</div></td>
<td><input name="field5" type="text" id="field5"></td>
</tr>
<tr>
<td><div align="right"></div></td>
<td><label>
<input type="submit" name="Submit" value="Submit">
</label></td>
</tr>
<tr>
<td><div align="right"></div></td>
<td> </td>
</tr>
</table></form>
</body>
</html>


Replies

12 Apr 2003 11:00:10 Graham Cole replied:
HI

Are you saying that it doesn't work

Graham
12 Apr 2003 12:05:58 richard thomas replied:
Sorry, no it doesn't work, well not on my local machine anyway. I set up the standard login page with DWMX, then tried to amend the code, which is what I have now, shown in my previous post.
12 Apr 2003 13:12:23 Graham Cole replied:
Hi

Well, based on the fact that I'm not sure of the database and the errors you are getting, if any, I would suggest that in the line of code where you are doing the where comparison, you would need to use parentheses to let the database know that all data items are required to qualify the login.

It might also be advantageous to select the data based on the userID and password and then perform some extra checks against the data passed by the form.

It might be an idea to let me know why you are qualifying five fields of input against a database.

As another pointer I would suggest you look at data sanitising when accepting login authorisation data.

Hope this helps, keep me informed

Graham
12 Apr 2003 14:32:01 richard thomas replied:
Hi Graham,
Thanks for your input. You're right, I should have provided some more spec of the application. I'm trying to get this working locally with Access and learn about this code etc. But the app will be deployed on MS SQL. (If this makes a difference to the code? I could hook up with the SQL for development etc).

I'm qualifying five fields because that is the request of the client and really the requirements of the app. Sounds excessive I know, but the solution requires a level of security that five qualifying fields displays...if you see what I mean. There are many other features of the app that will improve overall security, this is just one of them.
Re Sanitising Data, agree, this will be applied once I have the basic function of the five field login working. I like to get the key parts of the code working and add the twirls later! Don't know what you think about this?

Thanks
12 Apr 2003 15:15:52 Graham Cole replied:
Richard

The best solution to getting this working is to try the sql within the database first.

So

Select * from tblUser where (fld1='foo' and fld2='bar' and fld3='hello' and fld4='world' and fld5='working')

if this returns the expected record, then transpose this into VBscript.

Play around with it and ensure that the record is returned only in specific circumstances eg try eliminating one item of data or making one item of data incorrect and see if the record is returned.

Once you have a working SQL statement then apply it to the script and all should be well.

This is the only way to ensure it will work correctly.

Have you thought about using Stored Procedures? just a thought

Graham
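As an added example for this thread (not Richard's code and not the Dreamweaver-generated login code), the five-field check can be written with an ADODB.Command and bound parameters rather than the concatenated SQL string with Replace(…,"'","''") shown in the first post. This covers both the earlier "data sanitising" and parentheses advice and the stored-procedure suggestion: the submitted values never become part of the SQL text, so there is no quote-doubling to get wrong, and the parentheses make the "all five must match" condition explicit. The table and column names (multipleLogin, usr_field1 to usr_field5) and MM_connection_STRING are taken from the thread; the stored procedure name usp_CheckMultiLogin and its result shape (one row with a column n holding the match count) are assumptions made for this example.

```vbscript
<%
' Added example (not the thread's code): five-field login check using a
' parameterised ADODB.Command instead of a concatenated SQL string.
' Assumed from the thread: table multipleLogin, columns usr_field1..usr_field5,
' and MM_connection_STRING from ../Connections/connection.asp.
' Assumed (hypothetical): a stored procedure usp_CheckMultiLogin that takes the
' five values and returns one row with a column n holding the match count.
Const adCmdText = 1
Const adCmdStoredProc = 4
Const adVarChar = 200
Const adParamInput = 1

' Binds the five submitted values as input parameters, in order. Values are
' trimmed to the column width rather than quoted, so a quote character in
' the input is just data and cannot alter the query.
Sub AddFiveParams(cmd, vals)
    Dim i
    For i = 0 To 4
        cmd.Parameters.Append cmd.CreateParameter("p" & i, adVarChar, adParamInput, 50, Left(CStr(vals(i)), 50))
    Next
End Sub

' Runs the command and returns True only if exactly one account matches;
' zero means bad credentials, more than one means a data problem, not a login.
Function ExactlyOneMatch(cmd)
    Dim rs
    Set rs = cmd.Execute
    ExactlyOneMatch = (CLng(rs("n")) = 1)
    rs.Close
    Set rs = Nothing
End Function

' Inline SQL with ? placeholders. The parentheses make the "all five must
' match" condition explicit, as suggested in the replies above.
Function FiveFieldLoginOK(connStr, vals)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = connStr
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT COUNT(*) AS n FROM multipleLogin WHERE " & _
        "(usr_field1 = ? AND usr_field2 = ? AND usr_field3 = ? AND " & _
        " usr_field4 = ? AND usr_field5 = ?)"
    AddFiveParams cmd, vals
    FiveFieldLoginOK = ExactlyOneMatch(cmd)
    Set cmd = Nothing
End Function

' Same check through a stored procedure (hypothetical name), so the SQL
' lives in the database and the page only passes values.
Function FiveFieldLoginViaProc(connStr, vals)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = connStr
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "usp_CheckMultiLogin"
    AddFiveParams cmd, vals
    FiveFieldLoginViaProc = ExactlyOneMatch(cmd)
    Set cmd = Nothing
End Function

' Usage in place of the MM_rsUser block: only field1 is kept in the session,
' and the redirect targets are the same ok.htm / no.htm pages as the thread's code.
If CStr(Request.Form("field1")) <> "" Then
    Dim submitted
    submitted = Array(Request.Form("field1"), Request.Form("field2"), _
                      Request.Form("field3"), Request.Form("field4"), _
                      Request.Form("field5"))
    If FiveFieldLoginOK(MM_connection_STRING, submitted) Then
        Session("MM_Username") = CStr(Request.Form("field1"))
        Response.Redirect "ok.htm"
    Else
        Response.Redirect "no.htm"
    End If
End If
%>
```

The ad* constants are declared at the top because a plain ASP page has no type-library reference; including adovbs.inc supplies the same values. The ? placeholders are handled by the ADO provider, so the inline version behaves the same whether the connection string points at the local Access database or the MS SQL deployment, and the stored-procedure variant only becomes available once the procedure exists on the database side.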
12 Apr 2003 15:22:28 richard thomas replied:
Hey Graham, listen, thanks for the input, but you were right, it was a syntax error. I started again and got it working. Appreciate your input and help.
12 Apr 2003 15:46:03 Graham Cole replied:
Richard

Always willing to help.

Just in case you're interested, I have a vast array of experience in building database driven web apps, and am always looking for extra work if your company are in the market of sub contracting.

Just a thought

Graham
12 Apr 2003 19:07:49 richard thomas replied:
Hi Graham,
At present I'm in the middle of pitching for 3 larg-ish projects. If I get more than one (chances are good that I'll get all three!), I'll need to outsource. If you can post/send me your details I will certainly inform you of any work.

Regards

Richard.
