ASP login check

Sachinkhare

Programmer
Jun 27, 2002
Hi
I'm using an Access 2000 database. I want to check the username and password... and if the username and password are correct then I have to show some page, say "xyz.htm", or I want to display that the username/password is incorrect and show the same ASP page again asking for username and password.

Please give me suitable code for that. I'm a beginner in ASP.

Thanks
regards
sachin
 
Hi ...
OK ...
first you have to make an HTML or ASP file which contains a form with two input tags and a submit button, like this:
<form name="loginfrm" method="post" action="login_main.asp">
Username : <input type="text" name="uname">
Password : <input type="password" name="pword">
<input type="submit" name="submit" value="submit">
</form>

and then make an ASP file with the name used in the action of the previous page, "login_main.asp" or anything else, and then do this:

uname = request.form("uname")
pword = request.form("pword")

I think that DBConn is your connection object:

n = DBConn.Execute("SELECT COUNT(*) FROM tblUsers WHERE UserName = '" & uname & "' AND Password = '" & pword & "' ").Fields(0).Value

If n <> 0 Then
    response.write "User Logged in"
Else
    response.write "Invalid Username or password"
End If
----
TNX.
E.T.
 
the only problem with this kind of login is that it's sent as clear text so if the data is confidential.......
 
Hi ...
yes ... you are right ...
but this is a simple one ...
there are many ways to send data over the net more secure ...
first, you have to use autocomplete=off for your form ...
and also there is an MD5 hashing script that Yahoo and Hotmail use for sending the password from the client to the server that is very secure and there is no way to hack the password, but I just wanted to explain how to do the thing which Sachinkhare wanted to do ...


----
TNX.
E.T.
 
Hi
If the username is not correct then it should show me the same login page, or it should show me the next page.

So what do I have to pass to show these pages?

Thanks in advance

regards
sachin
 
Hi ...
you can use this code :
If n <> 0 Then
    response.write "User Logged in"
Else
    response.redirect "Loginform.asp"
End If
----
TNX.
E.T.
 
ehsant, this is a bit late after this thread was started but do you know of any good tutorials on using the MD5 hash with ASP?

Cheers
 
Hi ...
I know a bit about MD hashing (there are MD2, MD4 and MD5)
and also you can make it more secure with a challenge-response technique.
You can also download the code from the Yahoo website.
It's free, and it's in JavaScript.
When you want to log in to Yahoo, in that page, just view source. That's it.
----
TNX.
E.T.
 
One more thing you may want to do is check entries (username and password) for single quotes. People will occasionally attempt to crack your user database by entering a single quote, their own SQL statement, and then a following single quote. This allows them to execute their own SQL statements inside yours. The easiest way to get rid of single quotes from a text entry is to replace them with double single quotes, this being the escape character to make SQL Server treat the single quote as part of the text field you are inserting/updating/selecting on.
Code:
Dim txtUsername, txtPassword
txtUsername = Request.Form("uname")
txtPassword = Request.Form("pword")
txtUsername = Replace(txtUsername, "'", "''")
txtPassword = Replace(txtPassword, "'", "''")
sqlVerify = "SELECT * FROM UserTable WHERE user_name = '" & txtUsername & "' AND user_pass = '" & txtPassword & "'"

One additional comment on naming techniques, though you may not need it. It's generally a bad idea to name fields after words like "username" or "password" because these could be considered reserved words by the database, which are resolved before field names. This will cause you unnessasary (sp? issues :p) problems down the road when you either have to modify the field names or start referencing them by tablename.fieldname every time you try to do anything with them.

-Tarwn
For my next trick I will pull a hat out of a rabbit (if you think that's bad you should see how the pigeon feels...) :p
 
Hi ...
As Tarwn said, there are some chars which you have to replace and there are some chars which you should not let the user use, such as ";" or "-".
because with a simple combination of these chars, if a user knows or even doesn't know but just guesses the name of the tables in your DB, he/she can drop your tables.
like this :
imagine you have a table named "Users" and you have an input in your form for username ...
the only thing which the user must do is type this command instead of the username :
'; drop table users--
that's it ... and you don't have the table any more ...
so be very careful...
----
TNX.
E.T.
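
An added example, not part of any post in this thread: the login_main.asp check from the second post rewritten with an ADODB.Command and ? placeholders, so the form values are bound as data and neither quote doubling nor character blacklists are needed. The database file name users.mdb, the 50-character limit and the function name CountMatchingUsers are assumptions made for illustration; the table and column names are the ones used in the thread.

```vbscript
<%
Option Explicit

' ADO constants (same values as in adovbs.inc), declared here so the page is self-contained.
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

' Returns the number of rows matching the supplied credentials.
' The values travel as parameters; they are never concatenated into the SQL text.
Function CountMatchingUsers(conn, uname, pword)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' Password is bracketed because it can clash with reserved words, as noted above.
    cmd.CommandText = "SELECT COUNT(*) FROM tblUsers WHERE UserName = ? AND [Password] = ?"
    cmd.Parameters.Append cmd.CreateParameter("uname", adVarChar, adParamInput, 50, uname)
    cmd.Parameters.Append cmd.CreateParameter("pword", adVarChar, adParamInput, 50, pword)
    Set rs = cmd.Execute
    CountMatchingUsers = rs.Fields(0).Value
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

Dim DBConn, uname, pword, n
Set DBConn = Server.CreateObject("ADODB.Connection")
' Assumption: an Access 2000 file called users.mdb next to this page (hypothetical name).
DBConn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("users.mdb")

' Cap the length to match the parameter size declared above.
uname = Left(Trim(Request.Form("uname")), 50)
pword = Left(Request.Form("pword"), 50)

n = 0
If Len(uname) > 0 And Len(pword) > 0 Then
    ' Input such as  '; drop table users--  is compared as a literal user name
    ' and simply matches no row.
    n = CountMatchingUsers(DBConn, uname, pword)
End If
DBConn.Close
Set DBConn = Nothing

If n <> 0 Then
    Response.Write "User Logged in"
Else
    Response.Redirect "Loginform.asp"
End If
%>
```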
 
Cheers for the responses, see what you mean about the double quotes, I'm off to look at the Yahoo MD5 example

Cheers
 