Question about login script



Hi,

I have a login page where the user enters an email and password. Then I'm
checking if the user account is active or not. Before a user can log in, he needs
to activate his account. If the account is active then the Active field is set
to yes (1), otherwise to no (0).

If the user’s account is active then I check whether this is user’s first
visit or not. If it is user’s first visit then I redirect user to
‘newuser.asp’ page otherwise to ‘returnuser.asp’.

If the user’s account is not active then I send the user to login page with
‘default.asp?pw=0’

For some reason the SQL statement

strSQL = "SELECT * FROM testusers " & "WHERE E_Mail='" & _
    Request.Form("txtEmail") & "' AND Password = '" & _
    Request.Form("txtUserPass") & "' AND Active = 1 ;"

is not working because I can see that the user’s account is active, email
and password all exist in the database but the script keeps directing the
user to the login page as if the record doesn’t exist.

The SQL query that the above statement produces is,

SELECT * FROM testusers WHERE E_Mail='green2004@xxxxxxxxxx' AND Password = 'joegreen' AND Active = 1 ;

I am not able to find the mistake I am making. Can someone help me please.

Thanks,

Joe


<%
'Using a DSN connection.
Dim objConn
Dim objRS

Set objConn = Server.CreateObject("ADODB.Connection")
'objConn.ConnectionString = "DSN=PKMSolutionEval"
objConn.Open "Provider=Microsoft.Jet.OLEDB.4.0;" & _
    "Data Source=E:\ databases\test.mdb;"

Set objRS = Server.CreateObject("ADODB.Recordset")
'objRS.Open "testusers", objConn
strSQL = "SELECT * FROM testusers " & "WHERE E_Mail='" & _
    Request.Form("txtEmail") & "' AND Password = '" & _
    Request.Form("txtUserPass") & "' AND Active = 1 ;"
objRS.Open strSQL, objConn, adOpenForwardOnly, adLockReadOnly, adCmdText

If Not objRS.EOF And Not objRS.BOF Then

    If objRS.Fields("First_Visit") = "True" Then
        'first time visitor
        strSQL = "UPDATE dndusers SET First_Visit = 0 WHERE E_Mail='" & _
            Request.Form("txtEmail") & "' AND Password = '" & _
            Request.Form("txtUserPass") & "';"
        Set updateCmd = Server.CreateObject("ADODB.Command")
        With updateCmd
            .ActiveConnection = objConn
            .CommandText = strSQL
            .Execute
        End With
        objRS.Close()

        objConn.Close()
        Set objConn = Nothing

        Response.Redirect("newuser.asp")
    Else
        'returning user
        objRS.Close()

        objConn.Close()
        Set objConn = Nothing

        Response.Redirect("returnuser.asp")
    End If
Else
    'user doesn't exist
    objRS.Close()
    objConn.Close()
    Set objConn = Nothing

    Response.Redirect("default.asp?pw=0")

End If

objConn.Close()
Set objConn = Nothing

%>
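
The script above builds both SQL statements by concatenating Request.Form values, so a quote character in either field changes the statement that Jet runs. The following is an added example, not part of the original post, that does the same lookup and redirect with ADODB.Command parameters. The helper name MakeCommand and the database path are hypothetical, and the example assumes that Active and First_Visit are Yes/No columns and that the First_Visit flag is stored in testusers.

```vbscript
<%
Option Explicit
' Added example, not the poster's code. ADO constants are declared
' locally so the page does not depend on adovbs.inc.
Const adCmdText = 1, adParamInput = 1, adVarWChar = 202
Dim objConn, objCmd, objRS, strEmail, strPass, blnFound, blnFirst, strTarget

' Hypothetical helper: build a text command and bind each value to a
' "?" marker, in order. User input never becomes part of the SQL text.
Function MakeCommand(strText, arrValues)
    Dim cmd, i, lngSize
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = objConn
    cmd.CommandType = adCmdText
    cmd.CommandText = strText
    For i = 0 To UBound(arrValues)
        lngSize = Len(arrValues(i))
        If lngSize = 0 Then lngSize = 1   ' zero-size text parameters are rejected
        cmd.Parameters.Append cmd.CreateParameter("p" & i, adVarWChar, _
            adParamInput, lngSize, arrValues(i))
    Next
    Set MakeCommand = cmd
End Function

strEmail = Trim(Request.Form("txtEmail") & "")
strPass = Request.Form("txtUserPass") & ""
Set objConn = Server.CreateObject("ADODB.Connection")
' Placeholder path: substitute the real location of the .mdb file.
objConn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\path\to\test.mdb;"

' [Password] is bracketed because PASSWORD is a Jet reserved word.
' Active <> 0 assumes a Yes/No column, which Jet stores as -1 for Yes.
Set objCmd = MakeCommand("SELECT First_Visit FROM testusers " & _
    "WHERE E_Mail = ? AND [Password] = ? AND Active <> 0", _
    Array(strEmail, strPass))
Set objRS = objCmd.Execute
blnFound = Not objRS.EOF
blnFirst = False
If blnFound Then
    If Not IsNull(objRS("First_Visit").Value) Then blnFirst = CBool(objRS("First_Visit").Value)
End If
objRS.Close
strTarget = "default.asp?pw=0"
If blnFound Then strTarget = "returnuser.asp"
If blnFirst Then
    ' Assumes the flag lives in testusers, the table the SELECT reads.
    Set objCmd = MakeCommand("UPDATE testusers SET First_Visit = 0 WHERE E_Mail = ?", Array(strEmail))
    objCmd.Execute
    strTarget = "newuser.asp"
End If
objConn.Close
Response.Redirect strTarget
%>
```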
