
Can anyone see a problem in this?


Jerkycold

IS-IT--Management
Jun 17, 2003
Code:
<html>
<head>
<title> Process Login Include Test Page </title>
</head>

<body>

<!-- #include virtual="/includes/dbopen.asp" -->

<%
username = Request.Form("Username")
password = Request.Form("Password")
Response.Write(Username & " " & Password & "<br>")

If username <> "" Then
SQL = "SELECT * FROM employees WHERE username='" & username & "' AND password ='" & password & "'"
End If

set cmdDC = Server.CreateObject("ADODB.Command")
cmdDC.ActiveConnection = Conn

cmdDC.CommandText = SQL
Set RecordSet = Server.CreateObject("ADODB.Recordset")

'-- Cursor Type, Lock Type
'-- ForwardOnly 0 - ReadOnly 1
'-- KeySet 1 - Pessimistic 2
'-- Dynamic 2 - Optimistic 3
'-- Static 3 - BatchOptimistic 4

RecordSet.Open cmdDC, , 0, 2

If Not RecordSet.EOF Then
Response.Write("User has been found!")
empid = RecordSet.Fields("EmployeeID")
empfname = RecordSet.Fields("FirstName")
emplname = RecordSet.Fields("LastName")
' Dim struserLevel
' struserLevel = RecordSet.Fields("userLevel")
' Session("userLevel") = struserLevel
Session("empid") = empid
Session("empfname") = empfname
Session("emplname") = emplname
Response.Redirect("...")  ' redirect target was lost when the post was captured
Else
'The user was not validated...
'Take them to a page which tells them they were not validated...
'Response.Redirect "register.asp"
Response.Write("User has NOT been found!")
Response.Redirect("...")  ' redirect target was lost when the post was captured
End If

Conn.Close
cmdDC.ActiveConnection = Nothing

%>
</body>

</html>




My logon works fine if you put in the correct username and password, and it works great if you put in the wrong username and password, but if you don't put anything at all in the username and try to log in it breaks and says there is an error of type:

Microsoft OLE DB Provider for ODBC Drivers (0x80040E0C)
Command text was not set for the command object.
/processlogin.asp, line 31
 
It seems to be a problem in the logic of your procedure. If no username is passed through then you do not generate any SQL. However, you are still continuing with the procedure and executing an empty SQL string, hence the error.

It might also be worth pointing out that, from a security point of view, your code is vulnerable to a variety of hack attacks, including SQL injection. You should always sanitise any parameters passed by users before including them in an SQL statement.

The path to freedom is seldom trodden by the multitude.
 
To stop processing when UserName is empty, do something like:

Code:
If username = "" then
  %>
  <h1>Blank User Name</h1>
  <%
  Response.End  ' stops all processing...
End If

' there must be a username if we got this far...
SQL = "SELECT * FROM employees WHERE username='" & username & "' AND password ='" & password & "'"
set cmdDC = Server.CreateObject("ADODB.Command")
cmdDC.ActiveConnection = Conn
 
Thanks for your help, Mr3Putt, it worked great. Tootingboy, how would you suggest I sanitise the parameters passed by users before including them in the SQL statement?

 
I think, generally, you can thwart most SQL insertion by checking values for apostrophes (').

SQL insertion is where I might type the following into the UserName and Password fields:

A' OR ('A'='A
A') OR 'A'='A

...your SQL stmt becomes:
Code:
WHERE username='A' OR ('A'='A' AND password ='A') OR 'A'='A'
...and your result is ALWAYS TRUE...

So, if you first Replace(username,"'","")... it would create an invalid SQL stmt.

(those with better hacking skills than I, don't laugh. Instead, provide a more succinct sample of SQL insertion code) ;-)
 
Mr3Putt is right that the main issue is dealing with apostrophes. Although the method of dealing with this is not to replace apostrophes with an empty string but to double them up like so:
Code:
Replace(username,"'","''")

However, this is not merely a syntactical issue. By entering an apostrophe and semi-colon a hacker can append their own SQL to yours, e.g. they could attempt to drop your master db or use SQL Server to run system commands (or basically do anything they like.)

Other checks are

- making sure that the parameter does not exceed a specified length
- making sure that the parameter is of the correct data type.

IMHO the best source of information on this topic is probably 'Writing Secure Code' from the Microsoft Press.

Safe Coding!



The path to freedom is seldom trodden by the multitude.
 
I hate to sound stupid but, what do I replace? Do I replace this:

SQL = "SELECT * FROM employees WHERE username='" & username & "' AND password ='" & password & "'"

Can you show me what I should replace so I can understand?

Thanks



 
Yours:
SQL = "SELECT * FROM employees WHERE username='" & username & "' AND password ='" & password & "'"


Corrected:
SQL = "SELECT * FROM employees WHERE username='" & Replace(Username,"'","''") & "' AND password ='" & Replace(Password,"'","''") & "'"

Hope that helps

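As an added illustration of the whole thread (not code from any of the posters), the following Python script reproduces the concatenated query from the original post, applies the doubled-apostrophe fix and the length/type checks suggested above, and also shows the parameterised form, which goes beyond what the thread covers. The `employees` table, its single row and the `validate` helper are constructed for the example; the two field values are the ones quoted in Mr3Putt's post.

```python
import sqlite3

# Constructed stand-in for the thread's "employees" table (not the poster's real schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (EmployeeID INTEGER, FirstName TEXT, "
                 "LastName TEXT, username TEXT, password TEXT)")
    conn.execute("INSERT INTO employees VALUES (1, 'Ann', 'Smith', 'asmith', 'secret')")
    return conn

def validate(value, max_len=50):
    """Tootingboy's extra checks: correct type, non-empty, bounded length.
    Returns the value, or None when the request should be rejected."""
    if not isinstance(value, str) or value == "" or len(value) > max_len:
        return None
    return value

def login_concat(conn, username, password):
    """The original post's query, built by string concatenation (vulnerable)."""
    sql = ("SELECT * FROM employees WHERE username='" + username +
           "' AND password ='" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_escaped(conn, username, password):
    """The thread's fix: double every apostrophe so it stays inside the literal."""
    username, password = validate(username), validate(password)
    if username is None or password is None:
        return False
    esc = lambda s: s.replace("'", "''")  # VBScript: Replace(s, "'", "''")
    sql = ("SELECT * FROM employees WHERE username='" + esc(username) +
           "' AND password ='" + esc(password) + "'")
    return conn.execute(sql).fetchone() is not None

def login_parameterised(conn, username, password):
    """Beyond the thread: bind values as parameters so no escaping is needed."""
    username, password = validate(username), validate(password)
    if username is None or password is None:
        return False
    sql = "SELECT * FROM employees WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None

# The two field values quoted in Mr3Putt's post; concatenated they yield
# WHERE username='A' OR ('A'='A' AND password ='A') OR 'A'='A'
INJECT_USER = "A' OR ('A'='A"
INJECT_PASS = "A') OR 'A'='A"

if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, INJECT_USER, INJECT_PASS), login_escaped(db, INJECT_USER, INJECT_PASS))
```

Run stand-alone it prints `True False`: the concatenated query logs in without valid credentials, the escaped and parameterised versions do not.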
 