
Need help with Username and Password script

Status
Not open for further replies.

TJunior

IS-IT--Management
Jan 18, 2002
33
DE
I am trying to use a basic username and password authentication system with an MS SQL Server DB.
The problem I am experiencing is when the main login page loads and a valid username and password are entered, instead of being passed to a protected .asp page, the valid user is sent to an error .asp page (only supposed to happen if an invalid username and/or password are entered). The script I'm using is below and I have marked where I think it is going wrong:-

<%@ Language=VBScript %>
<%
Option Explicit
Response.Expires = 0

Dim objconn, objRS, strconn, strout, strQ

Set objconn = Server.CreateObject("ADODB.Connection")
strconn = "DSN=Worry-not; Database=tdotcom;"
strconn = strconn & "UID=;PWD=;"
objconn.Open strconn

Set objRS = Server.CreateObject("ADODB.Recordset")
Set objRS.ActiveConnection = objconn
strQ = "SELECT * "
strQ = strQ & "FROM Password "
strQ = strQ & "WHERE Username = '" & Request.Form("login") & "' "
objRS.Open strQ
%>
<%While Not objRS.EOF
dim username
username = objRS("Username")

dim friendlyname
friendlyname = objRS("Nickname")

response.cookies("passes") = username
response.cookies("passes2") = friendlyname

If Request.Form("login") = objRS("Username") AND Request.Form("password") = objRS("Passwd") Then

Response.redirect("WorryPage2.asp")

Else
Response.redirect("login1.asp") ' <<< Jumps to this page
End If
objRS.MoveNext
Wend

OnError response.Redirect ("login1.asp") 'Added line
objRS.Close
objconn.Close
Set objRS = Nothing
Set objconn = Nothing
%>

Any light anyone can shed on this problem would be more than appreciated. Thanx.
 
Consider this.

If you build the sql statement, execute it to create your recordset, and actually get something back, then have you not established at that point that there is a match in the database?

No need to compare the userName and password again against what's in your recordset. Just the fact that the statement returned SOMETHING tells you that they supplied valid credentials. Try this:

if not (rs.eof and rs.bof) then
response.redirect("worrynot.asp")
else
response.redirect("login1.asp")
end if

It's probably a typing issue, as far as why the comparison always returns false, but I think that's immaterial once you actually have a record.

let us know. :)
paul
 
Thanx for such a quick reply Paul. I have got info back from the DB so I know the SQL statements are working and the connection is working fine. I have used the code you sent, but what's happening now is that it's only checking the username for validity. So as long as the username is correct it allows entry to a protected page.
I am going to rewrite my SQL statement to compare both username and password fields.

Any other suggestions from yourself would be a plus. Thanx again.

 
Yea, I see that now. Then you need to select from the database based on userName AND password:

strQ = "SELECT * "
strQ = strQ & "FROM Password "
strQ = strQ & "WHERE Username = '" & Request.Form("login") & "' AND password = '" & request.form("password") & "'"

And actually, the fewer times you access the request object, the better. I suggest you store all the request variables in local variables first thing, and then just access those:

dim login, password
login = request.form("login")
password = request.form("password")

strQ = "SELECT * "
strQ = strQ & "FROM Password "
strQ = strQ & "WHERE Username = '" & login & "' "
strQ = strQ & "AND password = '" & password & "'"

Then, the checking for an empty recordset would serve the purpose, yes?

:)
paul
 
Yes I have done that and it's good. Thank you very much.
No doubt I'll require your services again in the near future.

Have a nice day.
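
Added example, not code posted by either participant: the thread's final username-and-password lookup with the two form values bound as ADO parameters instead of being concatenated into the SQL string, so input containing quote characters is treated as data and cannot change the query. The column name Passwd is taken from the original post; the 50-character width (MAX_LEN) is an assumption.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit
Response.Expires = 0

' ADO constants (values as in adovbs.inc), declared so the page is self-contained
Const adCmdText = 1, adVarChar = 200, adParamInput = 1
Const MAX_LEN = 50   ' assumed width of the Username and Passwd columns

Dim objconn, objCmd, objRS, login, password, target

' Read each form field once; & "" turns a missing field into an empty string
login = Request.Form("login") & ""
password = Request.Form("password") & ""
target = "login1.asp"   ' default: back to the login page

' Longer values cannot match a row and would exceed the declared parameter size
If Len(login) > 0 And Len(login) <= MAX_LEN And Len(password) <= MAX_LEN Then
    Set objconn = Server.CreateObject("ADODB.Connection")
    objconn.Open "DSN=Worry-not; Database=tdotcom;UID=;PWD=;"

    ' The ? placeholders are bound in order. The values travel as parameters and
    ' are never spliced into the SQL text, so a quote in the input stays data.
    Set objCmd = Server.CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objconn
    objCmd.CommandType = adCmdText
    objCmd.CommandText = "SELECT Username, Nickname FROM Password " & _
                         "WHERE Username = ? AND Passwd = ?"
    objCmd.Parameters.Append objCmd.CreateParameter("login", adVarChar, adParamInput, MAX_LEN, login)
    objCmd.Parameters.Append objCmd.CreateParameter("password", adVarChar, adParamInput, MAX_LEN, password)

    Set objRS = objCmd.Execute
    If Not objRS.EOF Then
        ' Set the cookies only after both values matched a row
        Response.Cookies("passes") = objRS("Username").Value & ""
        Response.Cookies("passes2") = objRS("Nickname").Value & ""
        target = "WorryPage2.asp"
    End If

    ' Release the ADO objects before redirecting
    objRS.Close
    objconn.Close
    Set objRS = Nothing
    Set objCmd = Nothing
    Set objconn = Nothing
End If

Response.Redirect target
%>
```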

 