Replace a static name with an Access database

maximos

Technical User
Sep 27, 2002
109
CA
I have this form / login application and I'm trying to attach my database, to replace the static username and password entered. It's 2 pages: a forum page (I called it login.cfm) and the result page, which I called index.cfm. Here is the code for index.cfm before the changes, which works perfectly:
----------------------------------------------------------
<cflogin>
<cfset goodLogin = false>

<cfif isDefined("form.username") and len(trim(form.username)) and
isDefined("form.password") and len(trim(form.password))>

<cfif not compare(trim(form.username),"user") and not compare(trim(form.password),"user")>
<cfloginuser name="#form.username#" password="#trim(form.password)#" roles="add">
<cfset goodLogin=true>
<cfelseif not compare(trim(form.username),"admin") and not compare(trim(form.password),"admin")>
<cfloginuser name="#form.username#" password="#form.password#" roles="edit,add,delete">
<cfset goodLogin=true>
</cfif>
</cfif>
<cfif not goodLogin>
<!--- Display login form --->
<cfinclude template="login.cfm">
<cfabort>
</cfif>
</cflogin>

<!--- my outputs if the login is successful --->
<cfoutput>
<p>
<b>Welcome, #GetAuthUser()#!</b>
</p> </cfoutput>
<cfif isUserInRole("add")>
<a href="security/index.cfm">Add Content</a>
</cfif>
<cfif isUserInRole("edit")>
~ <a href="security/index.cfm">Edit Content</a>
</cfif>
<cfif isUserInRole("delete")>
~ <a href="security/index.cfm">Delete Content</a>
</cfif>

----------------------------------------------------------

Now here is what I've done, which is not validating the user name and password from the DB:
-----------------------------------------------------------
<cflogin>
<cfset goodLogin = false>

<cfif isDefined("form.username") and len(trim(form.username)) and
isDefined("form.password") and len(trim(form.password))>

<cfquery name="qValidLogin" datasource="stock">
SELECT *
FROM tblMember </cfquery>
<cfif not compare(trim(form.username),"#qValidLogin.MemberName#") and not compare(trim(form.password),"#qValidLogin.Password#")>


<cfloginuser name="#form.username#" password="#trim(form.password)#" roles="#qValidlogin.role#">
<cfset goodLogin=true>
<!---
i deleted this extra cfloginuser
<cfelseif not compare(trim(form.username),"admin") and not compare(trim(form.password),"admin")>
<cfloginuser name="#form.username#" password="#form.password#" roles="edit,add,delete">
<cfset goodLogin=true>
--->
</cfif>
</cfif>
<cfif not goodLogin>
<!--- Display login form --->
<cfinclude template="login.cfm">
<cfabort>
</cfif>
</cflogin>

<!--- my outputs if the login is successful --->
<cfoutput>
<p>
<b>Welcome, #GetAuthUser()#!</b>
</p> </cfoutput>
<cfif isUserInRole("add")> <!--- the role is written in the role field in my database --->
<a href="security/index.cfm">Add Content</a>
</cfif>
<cfif isUserInRole("edit")>
~ <a href="security/index.cfm">Edit Content</a>
</cfif>
<cfif isUserInRole("delete")>
~ <a href="security/index.cfm">Delete Content</a>
</cfif>
---------------------------------------------------------------

The good news is I'm not getting any errors, but when I log in, it keeps me at the login screen, as if I entered the wrong user name and password. I know that the database part is working, because when I misspell the form field on purpose (e.g. "#qValidLogin.MemberNameeee#") I get an error saying (Element MEMBERNAMEEEE is undefined in QVALIDLOGIN.)

I have a feeling it's something simple but I can't figure it out.


I really appreciate your time and help so far.

Max
 
At first glance, it looks like you need some sort of WHERE clause in your query... otherwise #qValidLogin.MemberName#, etc are always going to be the same (always the first record in the table).

I think you need something like:
Code:
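<!--- bind the submitted name as a query parameter instead of splicing it into the SQL text --->
<cfquery name="qValidLogin" datasource="stock">
    SELECT *
    FROM tblMember
    WHERE MemberName = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- only compare the password when the name matched exactly one row --->
<cfif qValidLogin.RecordCount EQ 1 and Compare(trim(form.password),qValidLogin.Password) EQ 0>
     :
     :
</cfif>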

Also... just a note... it's generally a bad idea, even in low-exposure applications, to store passwords as plain text in your database. It's usually a good idea to encrypt the password somehow... and then decrypt it to compare it against the user's input. Encrypting it isn't terribly easy, though. Simply using CF's encrypt() and/or decrypt() functions on your login.cfm page would expose the encryption seed to anyone viewing the code for that page. You may be able to get away with creating a Custom Tag that calls encrypt/decrypt and placing that Custom Tag in a directory that only you and ColdFusion have read access to. But it doesn't prevent someone from calling that same Custom Tag outside your app and decrypting passwords.

While you may think that your app doesn't need to be that secure, you have to remember that a lot of people (stupidly) use the same password for multiple logins around the internet... and by exposing their password on your app, you may be exposing the password that they happen to use for their bank account or some other more sensitive information.


-Carl
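
An added example, not part of either post above: one way to combine the per-user lookup with a stored salted one-way hash, so there is no decryption seed that could be exposed. It assumes ColdFusion 10 or later (for the iteration argument of hash()), two hypothetical columns PasswordSalt and PasswordHash in tblMember in place of the plain-text Password column, and a hypothetical helper named hashPassword.

```cfml
<!--- Added example. PasswordSalt, PasswordHash and hashPassword() are hypothetical names. --->
<cffunction name="hashPassword" returntype="string" output="false">
    <cfargument name="salt" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <!--- Iterated, salted SHA-512; one-way, so there is no seed to protect --->
    <cfreturn hash(arguments.salt & arguments.password, "SHA-512", "UTF-8", 100000)>
</cffunction>

<!--- When an account is created or a password is changed, store:
      PasswordSalt = generateSecretKey("AES")   (random, one per member)
      PasswordHash = hashPassword(PasswordSalt, newPassword) --->

<cflogin>
    <cfset goodLogin = false>
    <cfif structKeyExists(form, "username") and len(trim(form.username))
          and structKeyExists(form, "password") and len(form.password)>
        <!--- Fetch only the submitted member's row; the name is bound as a parameter --->
        <cfquery name="qValidLogin" datasource="stock">
            SELECT MemberName, PasswordSalt, PasswordHash, role
            FROM tblMember
            WHERE MemberName = <cfqueryparam value="#trim(form.username)#" cfsqltype="cf_sql_varchar">
        </cfquery>
        <!--- An unknown name returns zero rows and falls through to the login form --->
        <cfif qValidLogin.recordCount EQ 1>
            <cfset submittedHash = hashPassword(qValidLogin.PasswordSalt, form.password)>
            <!--- compare() returns 0 only on an exact, case-sensitive match --->
            <cfif compare(submittedHash, qValidLogin.PasswordHash) EQ 0>
                <cfloginuser name="#qValidLogin.MemberName#" password="#submittedHash#" roles="#qValidLogin.role#">
                <cfset goodLogin = true>
            </cfif>
        </cfif>
    </cfif>
    <cfif not goodLogin>
        <!--- Display login form --->
        <cfinclude template="login.cfm">
        <cfabort>
    </cfif>
</cflogin>
```

The same hashPassword call has to be used when the stored value is written, otherwise no login will ever match.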
 