Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Check username and Password in Database 2

Status
Not open for further replies.

Dashsa

Programmer
Aug 7, 2006
110
US
Hello,
I am working on a form that allows a user to create an account and then start filling out the form and then exit and re enter the form at the location that they left at.
I have created a sign in page that collects the user email and password and now I am working on creating the page that allows them to sign back in.
I am having issues looping through the database to see if the email string matches. My code works fine if the user already has an account and the usernames match but if the username is not found it fails.
I am searching the DB for the email address entered by the user and if there is no mach then I get an error- how do I loop without having to specify the email address in the SQL?

here is the code
Code:
<%@ language=JScript %>
<!-- #include file="adojavas.inc" -->
<html>
<head>
</head>
<body>
	<%

var umail = Request.Form("uemail")
var userPass=Request.Form("upass")
Session("UserEmail") = umail.item;
Session("upass") = userPass.item;

var connect = Server.CreateObject("ADODB.Connection");
var record = Server.CreateObject("ADODB.RecordSet");
connect.Open("DSN=hhhba");
record.Open("select * from Data where EmailAddress  ='"+ umail+"'", connect, adOpenKeyset, adLockOptimistic);

userName=record("EmailAddress");
str1 = userName.value;
str2 =  umail.value;
	
if(str1!=str1)
		{
		Response.Write("Passowrd Fail")
		 }
	 else
		 {
		 Response.Write("Password Pass")
	}
 connect.close();
 connect=null;
%>
	</body></html>
 
you posted almost the exact same question here:


and said you had it working, what's wrong with it now? Why don't you use the same procedure recommended in the other solution?

--------
GOOGLE is a great resource to find answers to questions like "how do i..."

If you don't know exaclty what you want to do or what to search on, try Google Suggest: --------
I have recently been semi-converted to ensuring all my code (well most of it) works in both javascript and non-javasc
 
Actually its a different question, if it was the same I would not have re posted it.
In the other question I did not "LOOP" through the database to check to see if the email address(user name) was there, i simply looked at the location of the cursor and deduced that the email address was there or not. right?
now I need to see if the email address that the user is trying to sign in with is the same as the email address I have in the data base.
I cant use the code
Code:
record.Open("select * from Data where EmailAddress  ='"+ umail+"'", connect, adOpenKeyset, adLockOptimistic);
because although this works if the user types in the correct email address, if there is a typing error or the email address is not in the DB then the SQL statement cannot work as the is no corresponding record. right?
So I need a solution that will enable me to loop through the DB and look for that particular email address and make sure the passwords match.
 
Why can't you check the email address and password at the same time?

Code:
record.Open("select * from Data where EmailAddress  ='"+ umail+"' And Password='" + userpass + "'", connect, adOpenKeyset, adLockOptimistic);

If record.Eof = True
  ' The combination of email and password were not found
Else
  ' This should be a valid login
End If

If the combination of email address and password is not found, there will be no rows returned from the database.

Also.... you should do a little research on SQL Injection. In this case.... if the user enters (for the password) "' or 1=1;"

the resulting query would be.

Select * From Data Where EmailAddress='blah@whatever.com' and Password='' or 1=1;'

the OR part will return true and all rows will be returned. Simply checking for the existence of a row will return true and that user will gain access to the system.

Instead, you should use a command object. OR, at the least, replace single apostrophes with 2 of them.

Code:
record.Open("select * from Data where EmailAddress  ='"+ Replace(umail, "'", "''")+"' And Password='" + Replace(userpass, "'", "''") + "'", connect, adOpenKeyset, adLockOptimistic);

If record.Eof = True
  ' The combination of email and password were not found
Else
  ' This should be a valid login
End If

Either way, I would not want to loop through a recordset to validate a user. Imagine what would happen if you had millions of users. Looping in ASP would be incredibly slow in comparison.



-George

"The great things about standards is that there are so many to choose from." - Fortune Cookie Wisdom
 
Hello George,
Thanks for replying.
So it seems like I have a logic error. You are saying that I should query the DB to test weather the record exists for user and password. So this will mean that I don't have to actually loop through the DB?

Thanks again.

I guess this is what vicvirk was getting at!

I will try this and see if I can get it to work.
 
Hello,
Actually I am getting the same error.
It works when I have a correct user name and password but as soon as the SQL code fails then the page fails.
The SQL fails when it cannot find a user name or password in the DB.
It fails before it even gets the chance to run the IF statement.
Any other thoughts?
 
Please show the code you are running right now.

-George

"The great things about standards is that there are so many to choose from." - Fortune Cookie Wisdom
 
Here it is:

Code:
<%@ language=JScript %>
<!-- #include file="adojavas.inc" -->
<html>
<head>
</head>
<body>
	<%

var umail = Request.Form("uemail")
var userPass=Request.Form("upass")
Session("UserEmail") = umail.item;
Session("upass") = userPass.item;



var connect = Server.CreateObject("ADODB.Connection");
	var record = Server.CreateObject("ADODB.RecordSet");
	connect.Open("DSN=hhhba");
record.Open("select * from Data where EmailAddress  ='"+ umail+"' And userPass ='"+ userPass+"'", connect, adOpenKeyset, adLockOptimistic); 

	if(record.EOF)
		{
		Response.Write("Passowrd Fail")
		 }
	 else
		 {
		 Response.Write("Password Pass")
	}
	
 connect.close();
 connect=null;
%>
	</body></html>
 
I don't immediately see anything wrong with that code.

What error message are you getting?
What line is throwing the error message?
What type of database are you using?

-George

"The great things about standards is that there are so many to choose from." - Fortune Cookie Wisdom
 
I am using an Access DB
I think the error happens because the SQL states the it should return the record the equals the user name and Password. if i don't have a record in the DB the sql fails and that's when I get the error.
 
I'm with George, don't see anything wrong with that code..

The only thing that pops out is that in your previous version (in the other thread I mentioned) I seem to recall your if/else logic was reversed - you checked to see if you were not at the EOF and then had an else, here you are checking to see if you are at the EOF and then doing an else.

--------
GOOGLE is a great resource to find answers to questions like "how do i..."

If you don't know exaclty what you want to do or what to search on, try Google Suggest: --------
I have recently been semi-converted to ensuring all my code (well most of it) works in both javascript and non-javasc
 
The error is probably not coming from the database. If you response.write the query and then copy/paste to access and run it, you should see that the query runs (but doesn't return any rows). I suspect the problem MUST be somewhere in the code you are show (or at least somewhere on the page).

I encourage you to do exactly this. response.write the query and copy/paste to an access window to see what happens. That will at least rule out a database issue.



-George

"The great things about standards is that there are so many to choose from." - Fortune Cookie Wisdom
 
ITS WORKING!!!!!!!
Thanks very much!!
 
What did you do/change to make it suddenly start working?

-George

"The great things about standards is that there are so many to choose from." - Fortune Cookie Wisdom
 
I cleaned up my real code to match the code I posted above - I must of had something wrong.
The code above works well!
Now all I have to worry about is making sure the data is safe on the Server - I am a bit stressed about collecting these users passwords I am sure they only use one password for all their sites - too much responsibility to keep it safe....
 
Like I said earlier, do a little research on SQL Injection.

[google]SQL Injection Access Database[/google]

-George

"The great things about standards is that there are so many to choose from." - Fortune Cookie Wisdom
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top