Re: Validate logins with ASP, MS Access and Cookies error
- From: "Steven Burn" <somewhere@xxxxxxxxxxxxxxx>
- Date: Sat, 15 Apr 2006 22:02:20 +0100
Woot!, another PN customer <g>
If you are simply wanting to verify authentication, and re-dir on success,
then change;
If NOT rcSet.EOF Then
response.cookies("validated_user") = frmUID
response.write "<h1>Login successful!</h1>"
'// Forget using rcSet.Fields, and just use rcSet
'// directly
response.write "<p>Welcome " & rcSet(1) & "</p>"
else
response.write "incorrect Username and/or Password"
end if
To;
If NOT rcSet.EOF Then
Dim sRef: sRef = Request.ServerVariables("HTTP_REFERER")
Response.cookies("validated_user") = frmUID
Response.Redirect sRef
Else
Response.write "incorrect Username and/or Password"
End if
--
Regards
Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk
Keeping it FREE!
"malcolm" <malcolm.whyte@xxxxxxxxxxxxxxxxx> wrote in message
news:444159c7$0$33896$ed2619ec@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Yes.
I used that system to do just that Mike... Not sure what to do now as it
will not work!
Malcolm
"Mike Brind" <paxtonend@xxxxxxxxxxx> wrote in message
news:1145132830.519120.327380@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
You would only have to put [ ] brackets around the field name if you
are using a reserved word, or have an embedded space in the field name.
If "prefered_name" is the new name for that field, you can leave the
brackets off.
Wrt the new bit of code you just posted, what do you want it to
actually do? It looks to me as if that was part of a system where
people filled out a form on one page, it posted to another for
processing, then if the login was successful, it sent them back to the
first page again. Is that right? And if so, is that what you still
want to happen?
--
Mike Brind
malcolm wrote:
Thanks Mike,
So if I change my code it would look like this
"Select [prefered_name], UID From tblusers where UID = '" _
& Request.Form("UID") & "' and PWD = '" & Request.Form("PWD") & "'"
The problem I now find with this code is the fact that my old code
worked really well and would re-direct users to the referrer page?? How can I
do that with this code??
The code used in my old page was
<% @language="vbscript" %>
<%
' Was this page posted to?
If UCase(Request.ServerVariables("HTTP_METHOD")) = "POST" Then
' If so, check the username/password that was entered.
If ComparePassword(Request("UID"),Request("PWD")) Then
' If comparison was good, store the user name...
Session("UID") = Request("UID")
' ...and redirect back to the original page.
Response.Redirect Session("REFERRER")
End If
End If
%>
Regards
Malcolm
"Mike Brind" <paxtonend@xxxxxxxxxxx> wrote in message
news:1145127899.468752.169210@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Bad choice of field name. "Name" is a reserved word in Access. Steve
Burns posted the correct answer to your question, but it would have
thrown up an error in this case.
Change it if you can, but if not, your sqlStr will have to look like
this:
"Select [name], UID From tblusers where UID = '" _
& Request.Form("UID") & "' and PWD = '" & Request.Form("PWD") & "'"
Even then, there are other problems with the approach you are taking.
If you copy and paste the following line into the user name and
password fields in your form:
' or ''='
You will always log in successfully. This is a common SQL Injection
attack method. Also, if you have someone whose username contains an
apostrophe, you will get errors. The best defence against this is to
use a saved parameter query in your Access database:
http://www.xefteri.com/articles/show.cfm?id=6
--
Mike Brind
malcolm wrote:
Name is the name of the field and the database is MS access.
"Mike Brind" <paxtonend@xxxxxxxxxxx> wrote in message
news:1145125091.697554.101780@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Which field in the database holds the user's first name? And what
type of database are you using?
--
Mike Brind
malcolm wrote:
Thanks Guys, I have now cleaned up the code and it is working ok.
Just one thing I want to ask! On the login successful page it shows the
username actually as typed into the form UID field.. what I would like to
do now is return another column from the database that stores the user's
1st name :-)
any tips
here is the code I am using now. :-)
<%@ Language="VBScript"%>
<!-- METADATA TYPE="typelib" FILE="C:\Program Files\Common Files\System\ado\msado15.dll" -->
<!-- #include file="Connectionstring.asp" -->
<%
' variables
dim cnStr, rcSet, frmUID, frmPWD, sqlStr
'store form input into variables
frmUID = Request.Form("UID")
frmPWD = Request.Form("PWD")
'create connection and recordset objects
Set cnStr = Server.CreateObject("ADODB.Connection")
' defining database connection (connectionstring.asp)
cnStr.ConnectionString = path
cnStr.Provider = provider
cnStr.open
' execute sql and open as recordset
sqlStr = "Select * From tblusers where UID = '" _
& Request.Form("UID") & "' and PWD = '" & Request.Form("PWD") & "'"
' Opens the returned values from the SQL as a recordset,
' ready for iteration by ASP
' validate variables against database
'// If (not rcSet.BOF) and (not rcSet.EOF) then
If Len(frmUID) < 1 Then frmUID = "NULL"
If Len(frmPWD) < 1 Then frmPWD = "NULL"
Set rcSet = cnStr.Execute(sqlStr)
If NOT rcSet.EOF Then
response.cookies("validated_user") = frmUID
response.write "<h1>Login successful!</h1>"
response.write "<p>Welcome " & rcSet(0) & "</p>"
else
response.write "Incorrect Username and/or Password"
end if
cnStr.Close: Set cnStr = Nothing
Set rcSet = Nothing
%>
I had to change this code
response.write "<p>Welcome " & rcSet(1) & "</p>"
to this code
response.write "<p>Welcome " & rcSet(0) & "</p>"
so that it would display the username and not the password ;-)
not bad for a guess. :-)
Regards
Malcolm
"Steven Burn" <somewhere@xxxxxxxxxxxxxxx> wrote in message
news:e%237BQOLYGHA.3448@xxxxxxxxxxxxxxxxxxxxxxx
Change;
sqlStr = "Select * From tblusers where UID = '" _
& Request.Form("UID") & "' and PWD = '" & Request.Form("PWD") & "'"
' Opens the returned values from the SQL as a recordset,
' ready for iteration by ASP
'// <<< LINE 53 >>> set rcSet = cnStr.Execute(sqlStr)
' validate variables against database
'// If (not rcSet.BOF) and (not rcSet.EOF) then
'// Check before processing
If Len(frmUsername) < 1 Then frmUsername = "NULL"
If Len(frmPassword) < 1 Then frmPassword = "NULL"
To;
'// Check before processing
If Len(frmUID) < 1 Then frmUID = "NULL"
If Len(frmPWD) < 1 Then frmPWD = "NULL"
Response.Write "<b><i>DEBUG</i></b><br>Username: " _
& frmUID & "<br>Password: " & frmPWD
sqlStr = "Select * From tblusers where UID = '" _
& frmUID & "' and PWD = '" & frmPWD & "'"
' Opens the returned values from the SQL as a recordset,
' ready for iteration by ASP
'// <<< LINE 53 >>> set rcSet = cnStr.Execute(sqlStr)
' validate variables against database
'// If (not rcSet.BOF) and (not rcSet.EOF) then
--
Regards
Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk
Keeping it FREE!
"malcolm" <malcolm.whyte@xxxxxxxxxxxxxxxxx> wrote in message
news:4441284e$0$23185$ed2e19e4@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I am now presented with incorrect Username and/or Password. I have double
checked this.
I now have the following code in my page
<%@ Language="VBScript"%>
<!-- METADATA TYPE="typelib" FILE="C:\Program Files\Common Files\System\ado\msado15.dll" -->
<!-- #include file="Connectionstring.asp" -->
<%
' /////////////////////////////////////
' login validation script
' © Matt Millross
' www.designplace.org
' free for use as long as copyright notice left intact
' For more scripts, visit www.designplace.org
' /////////////////////////////////////
' variables
dim cnStr, rcSet, frmUID, frmPWD, sqlStr
'store form input into variables
frmUID = Request.Form("UID")
frmPWD = Request.Form("PWD")
'create connection and recordset objects
Set cnStr = Server.CreateObject("ADODB.Connection")
'// THIS IS NOT NEEDED!
'// Set rcSet = Server.CreateObject("ADODB.Recordset")
' defining database connection (connectionstring.asp)
cnStr.ConnectionString = path
cnStr.Provider = provider
cnStr.open
' execute sql and open as recordset
'// sqlStr = "Select * From tblusers where username = '" _
'// & Request.Form("UID") & "' and password = '" & Request.Form("PWD") & "'"
'// You've already stored the user/pass into a local var - use them!
'// and NEVER use "Select * ..."
'//
'// http://aspfaq.com/show.asp?id=2096
sqlStr = "Select * From tblusers where UID = '" _
& Request.Form("UID") & "' and PWD = '" & Request.Form("PWD") & "'"
' Opens the returned values from the SQL as a recordset,
' ready for iteration by ASP
'// <<< LINE 53 >>> set rcSet = cnStr.Execute(sqlStr)
' validate variables against database
'// If (not rcSet.BOF) and (not rcSet.EOF) then
'// Check before processing
If Len(frmUsername) < 1 Then frmUsername = "NULL"
If Len(frmPassword) < 1 Then frmPassword = "NULL"
'// Then go...
Set rcSet = cnStr.Execute(sqlStr)
If NOT rcSet.EOF Then
response.cookies("validated_user") = frmUID
response.write "<h1>Login successful!</h1>"
'// Forget using rcSet.Fields, and just use rcSet
'// directly
response.write "<p>Welcome " & rcSet(1) & "</p>"
else
response.write "incorrect Username and/or Password"
end if
'// Don't forget to cleanup after yourself
cnStr.Close: Set cnStr = Nothing
Set rcSet = Nothing
%>
Regards
Malcolm
"malcolm" <malcolm.whyte@xxxxxxxxxxxxxxxxx> wrote in message
news:4441273b$0$23177$ed2e19e4@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
UID and PWD are the 2 fields in my database that hold the
information.
I have now changed the code
"Mike Brind" <paxtonend@xxxxxxxxxxx> wrote in message
news:1145119070.271743.314040@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
malcolm wrote:
Hi, while trying to validate username and password on login form I am
presented with the following error message
Microsoft JET Database Engine error '80040e10'
No value given for one or more required parameters.
/vdateUsr.asp, line 53
The 2 fields within the database are text fields (UID) and (PWD) these are
spelt correctly!
<snip>
sqlStr = "Select * From tblusers where username = '" _
& Request.Form("UID") & "' and password = '" & Request.Form("PWD") & "'"
No - they're not spelt correctly. In your SQL statement you refer to
two fields called username and password, yet you said they are called
UID and PWD. Which is correct?
--
Mike Brind
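
Mike Brind's point in the thread above (typing ' or ''=' into both fields logs in because the form input is concatenated into sqlStr), shown with the input bound as parameters instead. This is an added example, not code from the thread: it uses an ad-hoc parameterized ADODB.Command rather than the saved Access query he links to. It assumes Connectionstring.asp defines path and provider as in malcolm's pages and that tblusers has text columns UID, PWD and prefered_name of at most 50 characters; the EX_ constant names are this example's own.

```vbscript
<%@ Language="VBScript" %>
<!-- #include file="Connectionstring.asp" -->
<%
' Added example, not code from the thread.
' Assumed: Connectionstring.asp sets "path" and "provider" (as in the thread);
' tblusers has text columns UID, PWD, prefered_name, each <= 50 characters.
Const EX_CMD_TEXT = 1      ' numeric value of ADO adCmdText
Const EX_PARAM_INPUT = 1   ' numeric value of ADO adParamInput
Const EX_VARWCHAR = 202    ' numeric value of ADO adVarWChar
Const EX_MAX_LEN = 50      ' assumed column width

' Runs the lookup with both form values bound as parameters, so an
' apostrophe in either one is data and can never end the string literal.
Function FindUser(conn, uid, pwd)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = EX_CMD_TEXT
    cmd.CommandText = "SELECT prefered_name, UID FROM tblusers " & _
                      "WHERE UID = ? AND PWD = ?"
    ' Jet binds ? markers by position: append in the order they appear.
    cmd.Parameters.Append cmd.CreateParameter("pUID", EX_VARWCHAR, EX_PARAM_INPUT, EX_MAX_LEN, uid)
    cmd.Parameters.Append cmd.CreateParameter("pPWD", EX_VARWCHAR, EX_PARAM_INPUT, EX_MAX_LEN, pwd)
    Set FindUser = cmd.Execute
End Function

Dim cnStr, rcSet, frmUID, frmPWD, loggedIn
frmUID = Request.Form("UID")
frmPWD = Request.Form("PWD")
loggedIn = False

' Reject empty or over-long input before it reaches the database.
If Len(frmUID) >= 1 And Len(frmUID) <= EX_MAX_LEN _
   And Len(frmPWD) >= 1 And Len(frmPWD) <= EX_MAX_LEN Then
    Set cnStr = Server.CreateObject("ADODB.Connection")
    cnStr.ConnectionString = path
    cnStr.Provider = provider
    cnStr.Open
    Set rcSet = FindUser(cnStr, frmUID, frmPWD)
    If Not rcSet.EOF Then
        loggedIn = True
        Session("UID") = rcSet("UID").Value   ' server-side state, as in malcolm's old page
        Response.Write "<p>Welcome " & Server.HTMLEncode(rcSet("prefered_name").Value & "") & "</p>"
    End If
    rcSet.Close: Set rcSet = Nothing
    cnStr.Close: Set cnStr = Nothing
End If
If Not loggedIn Then Response.Write "Incorrect Username and/or Password"
%>
```

With the values bound this way, the ' or ''=' input is compared literally against the UID and PWD columns and matches no row, and a username containing an apostrophe no longer raises a syntax error.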