Login Box Allowing Users that it shouldn't

Status
Not open for further replies.

Airpan

Technical User
Jun 14, 2005
172
US
I come here in shame and degradation. lol
I made a login box that was successful at logging users in. For whatever reason, it seems that only the username is being held as criteria for people to login, not the username and password.
I should mention that I changed the connection information today (wanted to make sure that I was opening and closing things correctly). I am thinking this may have had something to do with it suddenly only using the username to log users in, but could be wrong. Without further ado...
Code:
<%
dim username, password, logButton
username=TRIM(Request("USERLOG"))
password=TRIM(Request("PASSLOG"))
logButton=Request("loginButton")="Login"
if logButton then
 Dim oConn, Rec, sConn, sFilePath

Set oConn = Server.CreateObject("ADODB.Connection")
sFilePath = Server.MapPath("db/logins.mdb")
sConn = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & sFilePath & ";"
oConn.Open sConn
   
Set Rec = oConn.Execute("SELECT * FROM cust_logins WHERE [USERLOG] = '" & username & "' AND [PASSLOG] = '" & password & "'")
'If a match was found, EOF is not true.
  if NOT Rec.EOF then
  Response.Redirect("custhome.asp")
   else
      blankError="Invalid username and/or password." 
   end if
end if
%>
<html>
<head>
<title>Customer Login</title>
</head>
<body>
<form name="Form" method="post" action="custhome.asp">
<center>
<table border =1>
<tr><td colspan="2">
<%

if blankError<>"" then
Response.Write("<center><font color='red' size='3'>"&blankError&"</font></center>")
end if
%>
</td></tr>
<tr>
<td>Username:</td>
<td><input type="text" name="username" size="35"></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="password" size="35"></td>
</tr>
<tr><td colspan="2" align="center">
<input type="submit" name="loginButton" value="Login">
<input type="reset" name="reset" value="Clear"></td>
</tr>
</table>
</center>
</form>
</body>
</html>
I checked my cust_login table to be sure I was calling the right columns. The column names that hold the information are: USERLOG and PASSLOG. I changed them this morning wondering if constantly using the words "username" and "password" was somehow affecting the login to function correctly? *sigh*

~E
 
<form name="Form" method="post" action="custhome.asp">

should it be something else (yourcurrentpage.asp) and not custhome.asp

-DNG
 
DNG,
I tried changing the action in the form to point to itself (btw, that page is custlogin) and it now displays the "Invalid username and/or password." error message. I know it is something simple that I am missing. I just can't see it.

~E
 
It looks like you intend for the "Invalid username ..." message to be displayed when the form is submitted and the username/password pair is not in the cust_logins table.
 
So the page looks like working now...did you enter the correct username and password...

or are you saying that you are getting invalid username...message even when the username and password are correct...

-DNG
 
Sheco,
Are you saying I need to do something with the username and password as a pair? Before this happened today, the error would display under the following scenarios:
incorrect username, correct password
correct username, incorrect password
no username, correct password
correct username, no password
no username, no password

Now the error message is displaying regardless of what I type in or don't type in. Sorry if I am not understanding you... going to hit the coffee pot again. Be back.

~E
 
put this:

if Request.Form("submit") <> "" then
'all your asp code
end if

-DNG
 
Sorry for the confusion, I did not understand that you were seeing the message even with a valid username/password pair.

For testing purposes you could temporarily "hard code" the SQL statement to use a valid username/password .... just to eliminate the possibility of a database connection problem since that changed recently.
 
Thanks Sheco - will give that a shot.

~E
 
Well I tried hard coding it, and it still gave me grief. So I went back to the original code that I had when I started out and it was working. However, this in turn leads me back to my original problem...
the action of the form calls this:
Code:
action="<%=Request.ServerVariables("URL")%>"
What does it do? I looked it up in my old school book, and it gave the basics (definition of, how to view them in the browser, etc etc) but doesn't explain what "URL" is doing.

I need to point the action of the login to the custhome page so I can create a session variable for the subsequent pages, as the session variable utilizes a form value from the login box. Thanks in advance.

~E
 
Actually you can just omit the action property of the <form> tag when the page submits to itself.


To view a list of ServerVariables you can make a little test ASP like this:
Code:
<%
for each foo in request.servervariables
  response.write foo & " = " & request.servervariables(foo) & "<br>" & vbCrLf
next
%>
 
Sheco,
Thanks for the above. Are you saying that I can omit the action part of the form, if it submits to itself? I am creating a session variable based on the value entered into the username section of the form. I was under the impression (but could be wrong) that the action of the form has to submit to the next page in order to create the session variable from the form. Am I wrong?

~E
 
DNG,
giving your code a try. To answer your questions, the login box works correctly when the action of the form is pointed to itself. When I change the action of the form to point to the next page, which is where I need to go to create a session variable based on the username, it starts malfunctioning and it doesn't matter what I type in, it allows users in.
Before it wasn't allowing anyone to login when I was using the "new" code (the stuff I tried changing), so I ended up just going back to the code that I had originally. If I lost you, let me know. I am going to repost so you can see what I have now:
Code:
<%
dim username, password, logButton
username=TRIM(Request("username"))
password=TRIM(Request("password"))
logButton=Request("loginButton")="Login"
if logButton then
   Dim Con, sql, rec
   set Con = Server.CreateObject("ADODB.Connection")
   Con.Open "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & Server.MapPath("db/logins.mdb")
   'Select the record matching the username.
   sql = "SELECT * FROM cust_logins WHERE UCase(USERNAME)='"& UCase(username) & "' AND UCase(PASSWORD)='" & UCase(password) & "' "
   set rec=Con.execute(sql)
   'If a match was found, EOF is not true.
   if NOT rec.EOF then
      Response.Redirect("custhome.asp") 'Change to page redirect to after login
   else
      blankError="Invalid username." 'EOF is true, no match found.
   end if
end if
%>
<html>
<head>
<title>Login</title>
</head>
<body>
<form name="Form" method="post" action="custlogin.asp">
<center>
<table border =1>
<tr><td colspan="2">
<%

if blankError<>"" then
Response.Write("<center><font color='red' size='3'>"&blankError&"</font></center>")
end if
%>
</td></tr>
<tr>
<td><Strong><font face="courier new" size="3">Username:</font></strong></td>
<td><input type="text" name="username" size="35"></td>
</tr>
<tr>
<td><Strong><font face="courier new" size="3">Password</font></strong></td>
<td><input type="password" name="password" size="35"></td>
</tr>
<tr><td colspan="2" align="center"><input type="submit" name="loginButton" value="Login">
<input type="reset" name="reset" value="Clear"></td>
</tr>
</table>
</center>
</form>
</body>
</html>

~E
 
This page above is designed to submit to itself.
So the browser will Request it from the server twice.
The first Request will not contain the form values.
The second Request will.

Examine this line of code:
logButton=Request("loginButton")="Login"

When the above line executes, the value of the variable logButton will be either True or False.

For the first Request the value will be False, because the form has not yet been submitted so the Request will not contain form values.

The second request will contain the following name/value pairs:
username = <User Input>
password = <User Input>
loginButton = Login

So the value of username and password will depend on what the user has entered, but the value of loginButton is hard coded in the HTML to always be "Login"

This means that, if the form was submitted, the following line of code will result in the variable logButton having been assigned the value True.
logButton=Request("loginButton")="Login"


The next line of code tests the value of logButton:
if logButton then

So basically, everything after this conditional test will only run on the second Request.... so the database interaction only runs on the second Request.

After consulting the database, there is a second conditional test that asks this question: "Was there a match for the submitted username/password pair?"

If the answer is "yes" you use Response.Redirect to order the browser to issue a THIRD request for a page named custhome.asp.
If the answer is "no" then the login page is sent to the browser a second time, but this time it includes an error message: "Invalid username and/or password."



 
Sheco,
Thanks for the breakdown, as it now makes more sense. I may have to come up with another way to create a session variable. I had used the form method because I thought it would be a bit simpler, but it seems anytime I adjust the code for login box, it breaks. I tried using just a regular:
Code:
request.form("submit") <> "" Then
and it allows anyone to login. I guess I will just have to keep playing around with it. Thanks again.


~E
 
I didn't see any code for creating any session variables, assigning values to session variables, or reading values from session variables.

We talked above about the Request.ServerVariables collection but that is something totally different.

Request.ServerVariables contains a bunch of information that is parsed out of the HTTP Request header and made available to you in a collection of name/value pairs similar to the way Request.Form contains a list of name/value pairs representing submitted form elements.

If you wanted to set a session variable, you would do something like this:
Code:
   ' [...]

   'Select the record matching the username.
   sql = "SELECT * FROM cust_logins WHERE USERNAME='"& UCase(username) & "' AND [PASSWORD]='" & UCase(password) & "' "
   set rec=Con.execute(sql)
   'If a match was found, EOF is not true.
   if NOT rec.EOF then
      Session("username")=rec("USERNAME")
      Response.Redirect("custhome.asp") 'Change to page redirect to after login
   else
      blankError="Invalid username." 'EOF is true, no match found.
   end if

   ' [...]
 
Thanks Sheco - the reason that you didn't see any code for the session variable is because the code for the session variable was on the second page, because my session variable was created to function after the user logs in, and it would take the value from the username of the form. However, your session variable code seems just as efficient, if not, more logical indeed. Thanks again.

~E
 
Sheco,
it worked great, thanks for the help. I had not used session variables before and had created one with the help of adobe's online help files, but alas, didn't find a way to do it using a record set. At any rate, thanks again.

~E
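
An added example, not part of any post in this thread: one way to combine the points discussed above, with the login page posting to itself, the lookup done through a parameterized ADODB.Command instead of a concatenated string, the session value set only after a match, and custhome.asp refusing any request that carries no session. The USERLOG/PASSLOG column names and the db/logins.mdb path are taken from the first post; the parameter names "u" and "p" are arbitrary.

```vbscript
<%
' ===== custlogin.asp : added example, the form posts back to this page =====
Const adCmdText = 1, adVarWChar = 202, adParamInput = 1
Dim username, password, blankError, oConn, cmd, rec

If Request.Form("loginButton") = "Login" Then
    username = Trim(Request.Form("username"))
    password = Trim(Request.Form("password"))

    Set oConn = Server.CreateObject("ADODB.Connection")
    oConn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
               Server.MapPath("db/logins.mdb") & ";"

    ' Parameters travel as data, so a quote in the input cannot alter the query.
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = oConn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT [USERLOG] FROM cust_logins " & _
                      "WHERE [USERLOG] = ? AND [PASSLOG] = ?"
    cmd.Parameters.Append cmd.CreateParameter("u", adVarWChar, adParamInput, 255, username)
    cmd.Parameters.Append cmd.CreateParameter("p", adVarWChar, adParamInput, 255, password)
    Set rec = cmd.Execute

    If Not rec.EOF Then
        ' Only a matching row creates the session; the value comes from the database.
        Session("username") = rec("USERLOG")
        rec.Close : oConn.Close
        Response.Redirect "custhome.asp"
    Else
        blankError = "Invalid username and/or password."
    End If
    rec.Close : oConn.Close
End If
%>

<%
' ===== custhome.asp : added example, first lines of every protected page =====
' A request that did not pass through a successful login has no session value,
' so it is sent back to the login form whatever form fields it carries.
If Session("username") = "" Then
    Response.Redirect "custlogin.asp"
End If
%>
```

The comparison is against the plain-text PASSLOG column as the thread's table stores it; storing a salted password hash and comparing hashes is the usual hardening of that schema.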
 