ASP validation script



sagat
09-02-2004, 06:24 PM
Hi all, this is my validation script. It produces no errors, but it cannot redirect and reject bad user details:

<%
Response.Expires = -1000 'Makes the browser not cache this page
Response.Buffer = True 'Buffers the content so our Response.Redirect will work

Dim Error_Msg

login = Request.Form("login")
If login = "logout" Then
    Session("UserLoggedIn") = ""
    ShowLogin
Else
    If Session("UserLoggedIn") = "true" Then
        AlreadyLoggedIn
    Else
        If login = "true" Then
            CheckLogin
        Else
            ShowLogin
        End If
    End If
End If

Sub ShowLogin
    Response.Write(Error_Msg & "<br>")
%>
<%
End Sub

Sub AlreadyLoggedIn
%>

<%
End Sub

Sub CheckLogin
    Dim Conn, cStr, sql, RS, username, userpwd
    username = Request.Form("username")
    userpwd = Request.Form("userpwd")
    Set Conn = Server.CreateObject("ADODB.Connection")
    cStr = "DRIVER={Microsoft Access Driver (*.mdb)};"
    cStr = cStr & "DBQ=" & Server.MapPath("netteh.mdb") & ";"
    Conn.Open(cStr)
    sql = "select username from UserTable where username = '" & LCase(username) & "'"
    sql = sql & " and userpwd = '" & LCase(userpwd) & "'"
    Set RS = Conn.Execute(sql)
    If RS.BOF And RS.EOF Then
        Error_Msg = "Login Failed. Try Again."
        ShowLogin
    Else
        Session("UserLoggedIn") = "true"

        Response.redirect "frontpage.asp"

    End If
End Sub
%>

A1ien51
09-02-2004, 07:33 PM
When you call a sub, shouldn't it be

ShowLogin()

Eric

miranda
09-03-2004, 04:50 AM
A1ien51, if he had used the keyword Call when calling the sub, then yes, he would have had to use the parentheses. However, to call it by just using the name, like so: ShowLogin, is fine. Had he used Call ShowLogin(), then he would have needed the parentheses.

Now on to sagat's code. I see one thing that makes me wonder if it is even getting to the ShowLogin code. Try commenting out the code like I show and let me know if it gets there. Notice that I removed some code, as it is redundant and it isn't needed.



login = Request.Form("login")
If login = "logout" Then
    Session("UserLoggedIn") = ""
    ShowLogin
Else
    'If Session("UserLoggedIn") = "true" Then
    '    AlreadyLoggedIn
    'Else
    CheckLogin
    'End If
End If


Now I have a question. Why would you check for username and password in one statement? It would be more user friendly to check for username in the SQL statement and then, if that matches, check to see that the password given is the same as the password stored. Also, why limit your security by using the LCase function on the password??? I would think that you would want your users to use a combination of upper and lowercase as well as digits and exclamation to make passwords harder to guess.

glenngv
09-03-2004, 01:52 PM
Actually Access (and also MS SQL) is case-insensitive so doing LCase doesn't matter. And I agree that you should not include the password in the WHERE clause.
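
The approach suggested in the replies above (look the user up by username, then compare the password separately), as an added example that is not part of the original thread: a replacement for CheckLogin from the first post that binds the username as an ADO parameter and compares the password case-sensitively in VBScript. CredentialsValid and the 255-character column size are assumptions; ShowLogin, Error_Msg, netteh.mdb and UserTable come from the first post.

```vbscript
<%
' ADO constants, defined here in case adovbs.inc is not included.
Const adCmdText = 1, adParamInput = 1, adVarWChar = 202

' Hypothetical helper: True only if the user exists and the password matches exactly.
Function CredentialsValid(username, userpwd)
    Dim Conn, Cmd, RS, storedPwd
    CredentialsValid = False

    Set Conn = Server.CreateObject("ADODB.Connection")
    Conn.Open "DRIVER={Microsoft Access Driver (*.mdb)};DBQ=" & Server.MapPath("netteh.mdb") & ";"

    ' The form value is bound as a parameter, so it is never parsed as SQL text.
    Set Cmd = Server.CreateObject("ADODB.Command")
    Set Cmd.ActiveConnection = Conn
    Cmd.CommandType = adCmdText
    Cmd.CommandText = "SELECT userpwd FROM UserTable WHERE username = ?"
    ' 255 is an assumed column size (the maximum for an Access Text field).
    Cmd.Parameters.Append Cmd.CreateParameter("@username", adVarWChar, adParamInput, 255, Left(username, 255))

    Set RS = Cmd.Execute
    If Not RS.EOF Then
        storedPwd = RS("userpwd") & ""   ' & "" turns Null into an empty string
        ' Access compares text case-insensitively; vbBinaryCompare keeps the password check case-sensitive.
        If Len(storedPwd) > 0 And StrComp(storedPwd, userpwd, vbBinaryCompare) = 0 Then
            CredentialsValid = True
        End If
    End If

    RS.Close
    Conn.Close
End Function

Sub CheckLogin
    ' CStr converts the Request.Form item to a plain string before it reaches ADO.
    If CredentialsValid(CStr(Request.Form("username")), CStr(Request.Form("userpwd"))) Then
        Session("UserLoggedIn") = "true"
        Response.Redirect "frontpage.asp"
    Else
        ' One message for both failure cases, so the page does not reveal which usernames exist.
        Error_Msg = "Login Failed. Try Again."
        ShowLogin
    End If
End Sub
%>
```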


