
need help deleting from a .mdb file


mex
04-08-2004, 03:32 PM
This page is redirected to from a page for deleting a post from a forum! Can anyone please modify this so that the user doesn't have to enter the fields, but it redirects and deletes instantly as soon as it reaches this page, without having to enter the name and password. Thanks

<%
s = request.querystring("s")
p = request.querystring("p")
id = request.querystring("id")
parent = request.querystring("parent")
passwort = request.form("pass")
username = request.form("user")
%>
<html>
<head>
<title>Login</title>

</head>
<body bgcolor="#ffffff">
<form method="POST" action="delete_entry.asp?id=<%=id%>&s=<%=s%>&p=<%=p%>&parent=<%=parent%>">
<table border="0" cellpadding="0" cellspacing="0" width="100" bgcolor="#ffffff" align="center">
<tr>
<td width="100%">
<table border="0" cellpadding="2" cellspacing="0" width="200" class="text">
<tr>
<td width="389" bgcolor="#000000" align="center" colspan="2"><b>Login</b></td>
</tr>
<tr>
<td width="20%" bgcolor="#FFFFFF" align="left">User</td>
<td width="80%" bgcolor="#FFFFFF" align="left">
<input type="text" name="user" size="19">
</td>
</tr>
<tr>
<td width="20%" bgcolor="#FFFFFF" align="left">Pass</td>
<td width="80%" bgcolor="#FFFFFF" align="left">
<input type="password" name="pass" size="19"></td>
</tr>
<tr>
<td width="394" bgcolor="#FFFFFF" colspan="2" align="center">
<input type="submit" value="Login" name="delete"></td>
</tr>
</table>
</td>
</tr>
</table>
</form>


<%

' credentials are hard-coded in the page and compared with the form fields
user = "user"
pass = "password"

' debug output of the querystring values
response.write(parent)
response.write(","&id)
if (passwort = pass) and (username = user) and (request.form("delete") = "Login") and (p="all") then
set db = Server.CreateObject("ADODB.Connection")
connect="Driver={Microsoft Access Driver (*.mdb)}; DBQ="& server.mappath("yell.mdb")
db.Open connect
' id is taken straight from the querystring and concatenated into the SQL
sql = "delete from postings where id = " & id & " or connected = " & id
db.Execute(sql)
db.Close
set db=Nothing
%>
<script>
opener.location.href="index.asp?s=<%=s%>";
self.close();
</script>
<%
end if
if (passwort = pass) and (username = user) and (request.form("delete") = "Login") and (p="one") then
set db = Server.CreateObject("ADODB.Connection")
connect="Driver={Microsoft Access Driver (*.mdb)}; DBQ="& server.mappath("yell.mdb")
db.Open connect
sql = "delete from postings where id = " & id
db.Execute(sql)
sql = "update postings set replies = replies -1 where id = " & parent
db.Execute(sql)
db.Close
set db=Nothing

%>
<script>
opener.location.reload();
self.close();
</script>
<%
end if
%>

</body></html>

angst
04-08-2004, 04:03 PM
well,
I would do things a little differently.
First off, you should use cookies or the session object to hold the user login information client side so they do not have to enter it again,

example

Response.Cookies("forum")("UserName") = Request.Form("user")
Response.Cookies("forum")("PassWord") = Request.Form("pass")

then to call them again use:

<%=Request.Cookies("forum")("UserName")%>


also, to redirect the page use
Response.Redirect "SomePage.asp"


hope this helps. :thumbsup:

oracleguy
04-08-2004, 06:42 PM
I wouldn't store the password in a cookie, that is a very bad practice. What you should do is, once the user logs in, store say their username and just use that to authenticate them. That is the simplest and easiest, however it may not be the most secure method.

angst
04-08-2004, 10:25 PM
"wouldn't store the password in a cookie, that is a very bad practice"

maybe you could explain why it is such a bad practice when so many sites do it including the one we're on now.

also I don't often store passwords in cookies, that is just what he was wanting. I just do something like

Response.Cookies("forum")("login") = "yes"

not storing a password is not really that bad, and if you are worried about security, then store the password in md5 encoding.

raf
04-08-2004, 11:41 PM
"wouldn't store the password in a cookie, that is a very bad practice"

maybe you could explain why it is such a bad practice when so many sites do it including the one we're on now.
It's bad practice because a cookie identifies a machine and not a user.

It's not because something is done frequently that it is acceptable/good/secure.
md5 hashing is also quite pointless against a determined cracker, since most passwords are too weak, so it's just a matter of time to match it against a list of hash outputs.
besides, md5 seems to be compromised (Visa explicitly mentions it as a no-go), so you'd better use sha1 or sha2

but more fundamentally, the script is as insecure as can be. It should at least contain a lookup to see if that user has permission to delete the post whose id is in the querystring + needs some querystring checking against SQL injection + should contain a check for the number of affected rows
It also wouldn't be a bad idea to move the connection strings to a server side include (with asp extension), place the db above the webroot, and set up a user and pwd for it.

So there are bigger holes than cookie theft and cookie cracking ...

mex
04-09-2004, 01:45 AM
aaaaahhhh..... you mistook my message!!! I don't want any login stuff, which surely includes the cookie as well, I guess. I just want to remove them all and do the necessary stuff without logging in or storing a cookie.

Thanks for the message and hope to hear again....

mex
04-23-2004, 02:18 PM
why is my post neglected... I really need that file to be modified so that it can do all the necessary stuff without logging in!!!!

raf
04-23-2004, 07:39 PM
so you basically want to redirect the user?

just add

Response.Redirect "SomePage.asp" or Server.Transfer "SomePage.asp"

in that page (no other code needs to be inside that page (except for the asp tags of course))

some more info
http://www.codingforums.com/showthread.php?t=27722&highlight=server.transfer

miranda
04-25-2004, 06:06 AM
why are you making it so difficult and complicated? When the user logs in, create a session variable to identify the user, like their userid or whatever you use to show who posted what. Then, and only then, you can use a simple if/then statement to show a button to allow editing/deletion if it is that user; if it isn't that user the button isn't shown. Then on the page that does the deletion you can use that userid as part of your SQL statement to ensure that it was that user.

samples below


on calling page
If rs("postedBy") = Session("user") Then
'show button or image or text for deletion
End If

on handling page
On Error Resume Next   ' needed so Err.Number can be checked below
id = Request.QueryString("id")   ' still unvalidated here; check it is an integer before use
s = Request.QueryString("s")
set db = Server.CreateObject("ADODB.Connection")
connect="Driver={Microsoft Access Driver (*.mdb)}; DBQ="& server.mappath("yell.mdb")
db.Open connect
' the WHERE clause ties the delete to the logged-in user from the session
sql = "DELETE FROM postings WHERE id = " & id & " AND postedBy = '" & Session("user") & "'"
db.Execute(sql)
If err.Number > 0 Then
'handle the error
Else
db.Close
set db=Nothing
'use server.transfer("index.asp?s=" & s)
'or response.redirect("index.asp?s=" & s)
End if
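Putting raf's three requirements (permission lookup, querystring checking, affected-row check) together with miranda's session-based ownership test, here is an added example of what delete_entry.asp could look like; it is not code from anyone in this thread. It assumes Session("user") is set at login, a postings table with an integer id column and a text postedBy column, and yell.mdb in the application folder; the single-post case only, not the "delete all replies" branch.

```vbscript
<%
' Added example (not from the thread): hardened delete_entry.asp.
' Assumed: Session("user") set at login; table "postings" with integer
' column id and text column postedBy; yell.mdb in the application folder.
Option Explicit
Dim rawId, postId, db, cmd, affected

' Require a logged-in user before anything touches the database.
If Session("user") = "" Then
    Response.Redirect "index.asp"
End If

' Validate the querystring: only an integer id is accepted, so the value
' can never change the shape of the SQL statement.
rawId = Request.QueryString("id")
If Len(rawId) = 0 Or Not IsNumeric(rawId) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
postId = CLng(rawId)

Set db = Server.CreateObject("ADODB.Connection")
db.Open "Driver={Microsoft Access Driver (*.mdb)}; DBQ=" & Server.MapPath("yell.mdb")

' Parameterised DELETE: id and user travel as typed parameters, and
' ownership is enforced in the WHERE clause instead of trusting the caller.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = db
cmd.CommandText = "DELETE FROM postings WHERE id = ? AND postedBy = ?"
' Numeric ADO constants, so no adovbs.inc include is needed:
' 3 = adInteger, 200 = adVarChar, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , postId)
cmd.Parameters.Append cmd.CreateParameter("who", 200, 1, 50, Session("user"))
cmd.Execute affected

db.Close
Set db = Nothing

' Affected-row check: 0 means the post does not exist or is not owned by
' this user, so say so instead of silently "succeeding".
If affected = 1 Then
    Response.Redirect "index.asp?s=" & Server.URLEncode(Request.QueryString("s"))
Else
    Response.Status = "403 Forbidden"
    Response.Write "Post not found or not yours to delete."
End If
%>
```

Because the ownership test is part of the WHERE clause, the permission lookup and the delete happen in one statement, and the affected-row count is the only signal needed to tell a successful delete from a refused one.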