username and password validation

Discussion in 'ASP General' started by Eugene Anthony, Jun 16, 2006.

  1. Is this method of validation for password and username considered to be
    secure? In my previous post I was given a solution that uses a command
    object and the values are passed as parameters. But the solution only
    worked well for insert and delete, not select.

    <%
    if Request.QueryString("Action") = 1 then
      username = Trim(request.form("username"))
      password = Trim(request.form("password"))
      if username <> "" and password <> "" then
        set conn = server.CreateObject("ADODB.Connection")
        conn.connectionstring = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
            Server.MapPath("/db/upload/stelladb.mdb") & ";"
        conn.open
        set rs = server.CreateObject("ADODB.Recordset")
        ' the submitted values are concatenated directly into the SQL text
        sql = "SELECT Count(*) FROM Account WHERE username='" & _
            username & "' AND password='" & password & "'"
        rs.open sql,conn,3,3
        if rs.Fields(0) = 1 then
          session("boolean") = "true"
          response.redirect "main.asp"
        else
          session("boolean") = "false"
          response.write "<center><font class='error'>Error: Invalid " & _
              "Authentication</font></center><br><br>"
        end if
        conn.close
        Set conn = nothing
      end if
    end if
    %>

    Eugene Anthony

    *** Sent via Developersdex http://www.developersdex.com ***
     
    Eugene Anthony, Jun 16, 2006
    #1

  2. Well, you're not requiring a case-sensitive password, and I think you're open to
    SQL injection attacks even when using a count statement, so probably no.



    "Eugene Anthony" <> wrote in message
    news:%...
    > Is this method of validation for password and username considered to be
    > secure? In my previous post I was given a solution that uses a command
    > object and the values are passed as parameters. But the solution only
    > worked well for insert and delete, not select.
     
    Kyle Peterson, Jun 16, 2006
    #2

  3. Eugene Anthony

    Mike Brind Guest

    Eugene Anthony wrote:
    > Is this method of validation for password and username considered to be
    > secure? In my previous post I was given a solution that uses a command
    > object and the values are passed as parameters. But the solution only
    > worked well for insert and delete, not select.


    If you are uncomfortable using the command object with parameters,
    there is a much easier way to do this - use a saved parameter query.

    Open your Access database, and go to the Query tab. Choose "Create
    Query in Design View". A dialogue box appears offering you to select
    tables. Close it. In the top left corner of your menus, you see
    "SQL". Click that.

    In the new pane that just opened, type (or copy and paste):

    SELECT Count(*) FROM Account WHERE username=[p1] AND password=[p2]

    Save it as qGetUser.

    In your code do this:

    <%
    if Request.QueryString("Action") = 1 then
      p1 = Trim(request.form("username"))
      p2 = Trim(request.form("password"))
      if p1 <> "" and p2 <> "" then
        set conn = server.CreateObject("ADODB.Connection")
        conn.connectionstring = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
            Server.MapPath("/db/upload/stelladb.mdb") & ";"
        conn.open
        set rs = server.CreateObject("ADODB.Recordset")
        ' the saved query is called as a method of the connection: p1 and p2
        ' are passed as its parameters and rs receives the result
        conn.qGetUser p1,p2,rs
        If rs(0) = 1 Then
          session("boolean") = "true"
          .....
          etc

    Doing it this way means you still don't have to delimit values in
    concatenated dynamic sql (same as the command and parameters), and you
    are protected from sql injection in the same way. It's a lot less code
    than the command object version, and if you ever feel the need to
    change the name of one of your database fields, you only have to go to
    the database to do it - you don't have to chase around ASP code finding
    all instances of the old field name.

    Saved parameter queries work just as easily for inserts and updates
    too.

    --
    Mike Brind
     
    Mike Brind, Jun 16, 2006
    #3
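    The difference between the concatenated SELECT from the first post and the parameter-query approach Mike describes, as an added example that is not code from the thread: Python with an in-memory SQLite table standing in for the Access Account table, with constructed rows and credentials. A username containing an apostrophe breaks the concatenated statement, while the bound parameters leave the query text untouched.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the Access 'Account' table (SQLite, in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Account (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO Account VALUES (?, ?)",
                     [("eugene", "secret"), ("o'brien", "pw2")])
    return conn


def login_concatenated(conn, username, password):
    """Mirrors the original ASP: the form values are glued into the SQL text,
    so any quote in the input changes the structure of the statement."""
    sql = ("SELECT Count(*) FROM Account WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone()[0] == 1


def login_parameterized(conn, username, password):
    """Mirrors the saved query qGetUser / ADO Command approach: placeholders
    in the query, values bound by the driver, query text never changes."""
    sql = "SELECT Count(*) FROM Account WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] == 1


def compare(username, password):
    """Run both variants on the same input; returns (concatenated, parameterized).
    A statement-level failure in the concatenated variant is reported as a string.
    Note: SQLite compares strings case-sensitively here, unlike Jet, so the
    case-sensitivity point raised in the thread is not reproduced."""
    conn = make_db()
    try:
        concat = login_concatenated(conn, username, password)
    except sqlite3.Error as exc:
        concat = "error: " + type(exc).__name__
    param = login_parameterized(conn, username, password)
    conn.close()
    return concat, param


if __name__ == "__main__":
    for creds in [("eugene", "secret"), ("eugene", "wrong"), ("o'brien", "pw2")]:
        print(creds, "->", compare(*creds))
```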
  4. In asp I did this:

    <%
    if Request.QueryString("Action") = 1 then
      on error resume next
      p1 = Trim(request.form("username"))
      p2 = Trim(request.form("password"))
      ' compare the values just read from the form
      if p1 <> "" and p2 <> "" then
        set conn = Server.CreateObject("ADODB.Connection")
        conn.open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
            Server.MapPath("/db/upload/stelladb.mdb") & ";"
        set rs = Server.CreateObject("ADODB.Recordset")
        conn.qGetUser p1,p2,rs
        if rs(0) = 1 then
          session("boolean") = "true"
          response.redirect "main.asp"
        else
          session("boolean") = "false"
          response.write "<center><font class='error'>Error: Invalid " & _
              "authentication</font></center><br><br>"
        end if
        if Err.number <> 0 then
          Response.Write(Err.number & ":" & Err.Description & "<br>")
        end if
        on Error goto 0
        conn.close
        Set conn = nothing
      end if
    end if
    %>


    and in ms access I created the sql query:

    SELECT Count(*) FROM Account WHERE username=[p1] AND password=[p2]


    but when I access the page it's going into a loop.

    Eugene Anthony

    *** Sent via Developersdex http://www.developersdex.com ***
     
    Eugene Anthony, Jun 17, 2006
    #4
  5. I did test qGetUser in MS Access, supplied the values and it works.
    However, using asp it is going into a loop.

    Eugene Anthony

    *** Sent via Developersdex http://www.developersdex.com ***
     
    Eugene Anthony, Jun 17, 2006
    #5
  6. Eugene Anthony

    Mike Brind Guest

    Eugene Anthony wrote:
    > I did test qGetUser in MS Access, supplied the values and it works.
    > However, using asp it is going into a loop.
    >
    >


    Get rid of on error resume next to see where it goes wrong. On Error
    Resume Next has no place in code until it has been fully tested and is
    working properly. It hides errors.

    Look, the easiest way I find to produce ASP pages is the following:

    1. Add Option Explicit statement to the top of a page.
    2. Produce ASP code without any html
    3. Test and debug
    4. Once it's working as it should, add error handling
    5. Test and debug
    6. Add html (or move tested code to html page already constructed)
    7. Test and debug.
    8. Once working and ready for deployment, remove Option Explicit
    statement

    What's the name of the page you have put this code in? Is it main.asp?
    Where is the loop? On the Redirect?

    --
    Mike Brind
     
    Mike Brind, Jun 17, 2006
    #6
  7. This is the complete code for login.asp. inc_Common.asp contains all the
    variables.


    <% Option Explicit %>
    <!--#INCLUDE FILE="inc_Common.asp" -->
    <%
    if Request.QueryString("Action") = 1 then
      'on error resume next
      p1 = Trim(request.form("username"))
      p2 = Trim(request.form("password"))
      ' compare the values just read from the form
      if p1 <> "" and p2 <> "" then
        set conn = Server.CreateObject("ADODB.Connection")
        conn.open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
            Server.MapPath("/db/upload/stelladb.mdb") & ";"
        set rs = Server.CreateObject("ADODB.Recordset")
        conn.qGetUser p1,p2,rs
        if rs(0) = 1 then
          session("boolean") = "true"
          response.redirect "main.asp"
        else
          session("boolean") = "false"
          response.write "<center><font class='error'>Error: Invalid " & _
              "authentication</font></center><br><br>"
        end if
        ' if Err.number <> 0 then
        '   Response.Write(Err.number & ":" & Err.Description & "<br>")
        ' end if
        'on Error goto 0
        conn.close
        Set conn = nothing
      end if
    end if
    %>
    <html>
    <head>
    <title>Login</title>
    </head>
    <body bgcolor="#FFFFFF">
    <center>
    <table width="291" border="0" cellpadding="0" cellspacing="0"
    height="20">
    <tr>
    <td class="header" width="420"><font
    class="PopTitle"><center>Login</center></font></td>
    </tr>
    <tr>
    <td height="50">
    <br>
    <center>
    <form name="form1" method="post" action="login.asp?Action=1">
    <table border="0" cellpadding="2" cellspacing="0" width="223">
    <tr>
    <td width="150">Username</td>
    <td width="148">
    <input type="text" name="username"
    style="background:#FFFFF9; border:1px solid;" size="20">
    </td>
    </tr>
    <tr>
    <td width="150">Password</td>
    <td width="148">
    <input type="password" name="password"
    style="background:#FFFFF9; border:1px solid;" size="20">
    </td>
    </tr>
    <tr>
    <td width="298" colspan="2">
    <table border="0" cellpadding="2" cellspacing="0"
    width="100%">
    <tr>
    <td width="25%"></td>
    <td width="25%">
    <input type="Submit" style="background:EEEEEE;
    border:1px solid; " value="Submit" name="Submit">
    </td>
    <td width="22%">
    <input type="Reset" value="Reset"
    style="background:EEEEEE; border:1px solid; " size="20" name="Reset">
    </td>
    <td width="28%"></td>
    </tr>
    </table>
    </td>
    </tr>
    </table>
    </form>
    </center>
    </td>
    </tr>
    </table>
    </center>
    </body>
    </html>


    Eugene Anthony

    *** Sent via Developersdex http://www.developersdex.com ***
     
    Eugene Anthony, Jun 17, 2006
    #7
  8. I found the error:

    In my <!--#INCLUDE FILE="inc_Common.asp" -->

    I have this code

    <%
    if session("boolean") = "false" or session("boolean") = "" then
    response.redirect "login.asp"
    end if
    %>

    and this caused the problem.

    Eugene Anthony

    *** Sent via Developersdex http://www.developersdex.com ***
     
    Eugene Anthony, Jun 17, 2006
    #8
  9. Justin Piper wrote:
    > By directly embedding the values of the ``username`` and ``password``
    > variables in your SQL statement, you are effectively executing
    > arbitrary code supplied by the client. Instead, you should use the
    > ADO Command object to pass arguments to a query.
    >
    > Set cmd = CreateObject("ADODB.Command")
    > With cmd
    >   Set .ActiveConnection = conn
    >   .CommandType = adCmdText
    >   .CommandText = "SELECT COUNT(*) FROM Account WHERE username=? " & _
    >                  "AND password=?"
    >   ' adCmdText, adVarChar and adParamInput are the ADO constants from adovbs.inc
    >   .Parameters.Append cmd.CreateParameter("username", adVarChar, _
    >                                          adParamInput, 50, username)
    >   .Parameters.Append cmd.CreateParameter("password", adVarChar, _
    >                                          adParamInput, 50, password)
    >   Set rst = .Execute()
    > End With
    >


    It can be done more simply than this, especially with Jet which does not
    support output or return parameters:
    http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

    --
    Microsoft MVP - ASP/ASP.NET
    Please reply to the newsgroup. This email account is my spam trap so I
    don't check it very often. If you must reply off-line, then remove the
    "NO SPAM"
     
    Bob Barrows [MVP], Jun 17, 2006
    #9
  10. Justin Piper wrote:
    >> 8. Once working and ready for deployment, remove Option
    >> Explicit statement

    >
    > I've never heard such advice. What do you gain by doing this?


    A few CPU cycles. And probably a bad habit.

    As Eric Lippert has written[1], VBScript performance is vastly improved when
    variables are explicitly declared. I have seen suggestions[2] that removing
    Option Explicit from your code eliminates one parsing step during script
    execution and does not harm performance as long as the script would function
    with the declaration intact.

    IMO, if you are that desperate for performance improvement, VBScript is the
    wrong language for you anyway.




    [1] http://groups.google.com/groups?oi=djq&selm=an_558784968
    [2] Among others,
    http://groups.google.com/group/microsoft.public.scripting.vbscript/msg/3ec1546e3958ec80?hl=en


    --
    Dave Anderson

    Unsolicited commercial email will be read at a cost of $500 per message. Use
    of this email address implies consent to these terms.
     
    Dave Anderson, Jun 19, 2006
    #10
  11. Justin Piper wrote:
    > I can't even see how it would work. If omitting Option
    > Explicit causes the parser to skip the pass where it checks
    > for declared variables, then it wouldn't have an opportunity
    > to build the name tables Eric describes, and it would have
    > to fall back on the hunt-all-over-everywhere strategy. It
    > sounds like complete bunk to me.


    I don't think it's possible for the parser to not parse the script, Option
    Explicit or not. I have read Lippert's post carefully, and I don't see
    anything to suggest that. And I believe this sentence suggests the opposite:

    "By forcing you to declare locals, Option Explicit makes you write
    faster code."

    Lippert seems to be saying that it is the variable declaration, and not the
    Option Explicit directive, that matters.



    --
    Dave Anderson

    Unsolicited commercial email will be read at a cost of $500 per message. Use
    of this email address implies consent to these terms.
     
    Dave Anderson, Jun 19, 2006
    #11
