Adding error message for invalid password

xfile

Hi:

I am still learning how to do ASP pages with MS Access.

I have come up with a simple logon page in ASP using an included logon.inc.

It tests fine so far, but I wish to add an error message if the user enters
an incorrect password.

The following is part of the code of the include file. Can anyone please
tell me where and how I can add an error message to the code for an invalid
password?

Thanks so much...

-----------
' This function checks for a username/password combination.
Function ComparePassword(UID,PWD)
' Define your variables.
Dim strSQL, objCN, objRS
' Set up your SQL string.
strSQL = "SELECT * FROM " & USERS_TABLE & " WHERE (UID='" & UID & "' AND PWD='" & PWD & "');"
' Create a database connection object.
Set objCN = Server.CreateObject("ADODB.Connection")
' Open the database connection object.
objCN.Open "driver={Microsoft Access Driver (*.mdb)}; dbq=" & Server.MapPath(MDB_URL) & "; uid=admin; pwd="
' Run the database query.
Set objRS = objCN.Execute(strSQL)
' Set the status to true/false for the database lookup.
ComparePassword = Not(objRS.EOF)
' Close your database objects.
Set objRS = Nothing
Set objCN = Nothing
End Function
------------------------------------------
 
MD Websunlimited

Xfile,

First, do not use .inc as an extension; it can be circumvented very easily.

The solution depends upon the implementation. If the function ComparePassword is used within the processing form then you can just
display the error message. If you have to direct back to the login form then you'll have to use a session var to contain the message
for display.

Example of a page that self-processes its input:

<%
Dim ErrMsg
'See if we are processing our input
if UCase(request.servervariables("HTTP_METHOD")) = "POST" then
    'ComparePassword takes two arguments: the user id and the password
    if ComparePassword(request.form("UID"), request.form("PID")) then
        response.redirect "entrypage.asp"
    else
        ErrMsg = "Invalid UserId or Password"
    end if
end if
%>
<html>
<head>
<title>
</title>
</head>
<body>
<%
if len(ErrMsg) > 0 then response.write ErrMsg
%>
<form action="thispage.asp" method="post" >
<input name="UID" .... >
<input name="PID" .... >
</form>
</body>
</html>

A note: The ComparePassword function should be more robust in that it should check that the objects being used are instantiated,
e.g., the following code segment

' Create a database connection object.
Set objCN = Server.CreateObject("ADODB.Connection")
' Open the database connection object.
objCN.Open "driver={Microsoft Access Driver (*.mdb)}; dbq=" & Server.MapPath(MDB_URL) & "; uid=admin; pwd="

S/B

Set objCN = Server.CreateObject("ADODB.Connection")
' Open the database connection object only if the object was actually created.
if Not objCN is Nothing then
    objCN.Open "driver={Microsoft Access Driver (*.mdb)}; dbq=" & Server.MapPath(MDB_URL) & "; uid=admin; pwd="
end if

You may also use the intrinsic function IsObject instead of testing for Nothing.

--
Mike -- FrontPage MVP '97-'02
J-Bots 2004 102 Components For FP
http://www.websunlimited.com
FrontPage Add-ins Since '97 FP 2003 / 2002 / 2000 Compatible
 
xfile

Hi:

Thanks for your kind feedback.

First of all, do you mean that I shall change the extension of the include
files, i.e. from .inc to .abc, and then change all references to it as
well? Will there be any problems with the page or server recognizing it?

About the password validation, I actually created a small database for
registration and then used it for the logon process.

The entire code of the include page is actually as follows. Just a wild
guess, I think I shall insert something between "ComparePassword =
Not(objRS.EOF)" and the closing of the database objects for the error message, such as
invalid user name and password combination. Thanks again for the kind help.


ComparePassword = Not(objRS.EOF)
' Close your database objects.
Set objRS = Nothing
Set objCN = Nothing
End Function


----------- Original Codes -----------------------

<%
' Do not cache this page.
Response.CacheControl = "no-cache"
' Define the name of the users table.
Const USERS_TABLE = "tb1Users"
' Define the path to the logon page.
Const LOGON_PAGE = "/websitename/logon.asp"
' Define the path to the logon database.

' Define the path to the logon database DNS: DNSName.
Const MDB_URL = "/database/abc.mdb"
' Check to see whether you have a current user name.
If Len(Session("UID")) = 0 Then
' Are you currently on the logon page?
If LCase(LOGON_PAGE) <> LCase(Request.ServerVariables("URL")) Then
' If not, set a session variable for the page that made the request...
Session("REFERRER") = Request.ServerVariables("URL")
' ...and redirect to the logon page.
Response.Redirect LOGON_PAGE
End If
End If
' This function checks for a username/password combination.
Function ComparePassword(UID,PWD)
' Define your variables.
Dim strSQL, objCN, objRS
' Set up your SQL string.
strSQL = "SELECT * FROM " & USERS_TABLE & " WHERE (UID='" & UID & "' AND PWD='" & PWD & "');"
' Create a database connection object.
Set objCN = Server.CreateObject("ADODB.Connection")
' Open the database connection object.
objCN.Open "driver={Microsoft Access Driver (*.mdb)}; dbq=" & Server.MapPath(MDB_URL) & "; uid=admin; pwd="
' Run the database query.
Set objRS = objCN.Execute(strSQL)
' Set the status to true/false for the database lookup.
ComparePassword = Not(objRS.EOF)
' Close your database objects.
Set objRS = Nothing
Set objCN = Nothing
End Function
%>
-----------------------------------------------


 
MD Websunlimited

Yes, I would recommend that you make it a .asp extension. That way, if someone found the file name they would not be allowed to view the
code. It is extra insurance. There will not be any problems with using the .asp extension.

<!--#include file="myinclude.asp" --> is valid.

--
Mike -- FrontPage MVP '97-'02
J-Bots 2004 102 Components For FP
http://www.websunlimited.com
FrontPage Add-ins Since '97 FP 2003 / 2002 / 2000 Compatible


 
xfile

Hi:

Thanks again, and I will make that change once everything is done.

But I am still troubled by trying to add an error message to the comparison;
could you help me based on the code below?

Shall I add something between the following?
 
Ronx

On the logon.asp page (the one that displays the logon form) there is code
at the top similar to: (if I am using the same article...)

<%
'was this page posted to?
if UCase(Request.ServerVariables("HTTP_METHOD")) = "POST" then
'If so, check username and password
If ComparePassword(Request("UID"),Request("PWD")) then
'If OK, store username
Session("UID") = Request("UID")
Response.Redirect Session("REFERRER")
end if
end if
%>

Change to:
<%
Dim iBpwd
iBpwd = 0
'was this page posted to?
if UCase(Request.ServerVariables("HTTP_METHOD")) = "POST" then
'If so, check username and password
If ComparePassword(Request("UID"),Request("PWD")) then
'If OK, store username
Session("UID") = Request("UID")
Response.Redirect Session("REFERRER")
else
'set flag for invalid logon
iBpwd = 1
end if
end if
%>

Then in the body of the page add:

<%
'if logon was invalid
if iBpwd>0 then
%>
<p>Logon Failed message goes here</p>
<%
end if
%>

For best security, do not try to tell the user whether the password or
userid failed, just that the logon failed.
 
xfile

Hi:

Thanks for the kind reply; I will try this and feed back the result.

I'll just mention that the logon failed and not mention which one it is.

THANKS FOR ALL AND HAPPY NEW YEAR
 
xfile

Hi:

It works :)

Thank you so much.

I guess I have learned this is about the variable "iBpwd", about which I will
find more information on the net.

Also for your information, we are using the same article (but I don't
remember where I got it since I have spent a lot of time on research).

However, after many tests, I have changed the "Response.Redirect" to
"server.transfer" for the correct logon, since, if I remember it correctly, it
works better in my environment (hosted IIS 6 with Win 2003 server).

Anyway, just to share also.

THANKS SO MUCH :)
 
Ronx

You will not find any information on the internet about iBpwd. This is a
simple VbScript variable of my own - integerBadPassword. It is used as a
flag to tell later code whether the logon was good (iBpwd = 0) or bad (iBpwd
= 1). You can change it to anything.
 
xfile

Indeed, I did not find anything similar.

Thanks again, and now it works perfectly.

I even fixed a relatively big security bug in the first draft which I did
not realize, and that is if the user did not enter anything at all and clicked
"Submit", the page would redirect them to the "protected" page.

On the initial tests, I did not even try this and did not know about it
until later on.

I tried very hard to solve it but somehow Response.Redirect seems not to
work well here (maybe I just don't know how to do it).

Anyway, thanks to the FP 2003 webbot, I finally accomplished it by using the
"validate" function of the built-in webbot and setting it as a "required" field.
So users won't be able to click the Submit button when fields are empty.

Just to share and thanks for the kind help for which I am very happy for the
good start of the year.

PS: After testing everything, I will also change those include files as
suggested by others as well.

Best wishes for everything coming to you.
 
Jon Spivey

Hi,
One could break that script in 2 seconds, obviously I won't post up exactly
how. The problem is putting form fields right into a sql statement - this is
always dangerous. I'd write the script like this
<%
' Strip single quotes from the form fields before they go into the SQL string.
' For clarity, the call is: replace(value, "'", "") -- i.e. replace(double quote -
' single quote - double quote, double quote - double quote)
u = trim(replace(request.form("username"), "'", ""))
p = trim(replace(request.form("password"), "'", ""))
set oRs = server.createobject("adodb.recordset")
oRs.open "SELECT * FROM " & USERS_TABLE & " WHERE UID = '" & u & "' AND Pass = '" & p & "'", ConnectionString
if oRs.eof then
    ' login failed - show message
else
    ' login succeeded - redirect and set session var
end if
%>

This will be much safer
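An added example, not code posted by Jon or anyone else in this thread: the same lookup written with an ADODB.Command and bound parameters, so the form values are never spliced into the SQL text at all (no quote stripping needed), plus a server-side rejection of empty credentials, the blank-submit logon xfile describes above. It assumes the thread's USERS_TABLE and MDB_URL constants and a users table with text columns UID and PWD; the ADODB constant values are declared inline rather than taken from adovbs.inc.

```vbscript
<%
' Added example (not from the thread). ADO constants, declared here so the
' page does not depend on adovbs.inc being included.
Const adCmdText = 1
Const adVarWChar = 202
Const adParamInput = 1

' Same contract as the thread's ComparePassword: True if the UID/PWD pair
' exists, False otherwise. Assumes USERS_TABLE and MDB_URL from the include.
Function ComparePasswordSafe(UID, PWD)
    Dim objCN, objCmd, objRS
    ComparePasswordSafe = False

    ' Reject empty credentials before touching the database: an empty
    ' user id / password pair must never count as a successful logon.
    If Len(Trim(UID)) = 0 Or Len(Trim(PWD)) = 0 Then Exit Function

    Set objCN = Server.CreateObject("ADODB.Connection")
    objCN.Open "driver={Microsoft Access Driver (*.mdb)}; dbq=" & _
               Server.MapPath(MDB_URL) & "; uid=admin; pwd="

    Set objCmd = Server.CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objCN
    objCmd.CommandType = adCmdText
    ' The ? placeholders are filled in by the driver; the SQL text itself
    ' never changes, so a quote or a comment marker in the input is just data.
    objCmd.CommandText = "SELECT UID FROM " & USERS_TABLE & _
                         " WHERE UID = ? AND PWD = ?"
    objCmd.Parameters.Append _
        objCmd.CreateParameter("UID", adVarWChar, adParamInput, 255, UID)
    objCmd.Parameters.Append _
        objCmd.CreateParameter("PWD", adVarWChar, adParamInput, 255, PWD)

    Set objRS = objCmd.Execute
    ' A matching row means the logon is good; EOF means it failed.
    ComparePasswordSafe = Not objRS.EOF

    objRS.Close
    objCN.Close
    Set objRS = Nothing
    Set objCmd = Nothing
    Set objCN = Nothing
End Function
%>
```

Drop this in place of ComparePassword in the include and the logon page code from Ronx's reply works unchanged, still reporting only that the logon failed.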
 
xfile

Hi:

Thanks also for your kind suggestion.

I have to admit that the "protected" area is nothing really important, but
really a "privilege" so that members can read some information. The
purpose is to ask members to register so that we can obtain their information
for providing services and content more tailored to them.

That's why I started out with some relatively simple registration and logon.
But I am sure the time will come when more security mechanisms are needed.

Therefore, I really appreciate your sharing, and I will study, try, and port
it upon completion.

But I have to also admit, as you can guess from my messages, that I am
really a beginner at ASP and databases, so I have to take time even to
digest your statements :)

But thanks again, and I really appreciate everyone being so kind.
 
xfile

Hi:

Thanks for the suggestions from all of you.

Just an update: I have changed the include file to .asp and it works well.

I have not changed to the new code as mentioned, since I will change it
all together after my database problem has been solved.

But thanks again.
 
