Secure Database Login
Mav44
Posts: 122
Joined: 6/25/2006
Status: offline
Secure Database Login - 7/27/2008 17:20:41   
Since I got hit with the SQL Mass Injection I have been trying to make my site more secure.

Is the following a secure way to log in to my database, or should I add more qualifiers? I am now concerned about someone trying to pass script into my username or password.

<%
Username="my_user_name"
Password="my_password"
' if any of the variables do not match, create error message
if Request.Form("login") <> Username or Request.Form("password") <> Password then
MsgErr = "<h3>Authorization Failed.</h3>"
Response.Write MsgErr
' if correct, set the session variable and proceed
Else
Session("someStringValue") = true
' redirect
If Len(Request("requester")) > 0 Then
Response.Redirect (Request("requester"))
Else
Response.Redirect "protected.asp"
End if
End if
%>
<html>
<head>
<title>Results -- Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 6.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>

<body bgcolor="#FFFFFF">
<FORM ACTION="login.asp" METHOD="post" onsubmit="return FrontPage_Form1_Validator(this)" language="JavaScript" name="FrontPage_Form1">
<h3>Login</h3>
<TABLE BORDER=0>
<TR>
<TD ALIGN="right">User name:</TD>
<TD>
 <!--webbot bot="Validation" s-data-type="String" b-allow-letters="TRUE" i-maximum-length="6" --><INPUT TYPE="text" NAME="login" size="10" VALUE='' maxlength="6"/></TD>
</TR>
<TR>
<TD ALIGN="right">Password:</TD>
<TD>
<INPUT TYPE="password" NAME="password" size="10" VALUE='' maxlength="7"/></TD>
</TR>
<TR>
<TD><input TYPE="hidden" NAME="requester" VALUE="<%=Server.HtmlEncode(Request("requester"))%>"></TD>
<TD></TD>
</TR>
<TR>
<TD align="left"><INPUT TYPE="submit" VALUE="Login"/></TD>
<TD></TD>
</TR>
</TABLE>
</FORM>
</body>
</html>
TexasWebDevelopers
Posts: 202
Joined: 2/22/2002
Status: offline
RE: Secure Database Login - 7/30/2008 13:52:17   
This is how we do it. Take out the SQL connection bit if you are not using a database to store your user name and password.
<%
    ' Read the two submitted form fields and strip leading/trailing spaces
    my_user_name = Trim(Request.Form("my_user_name"))
    my_password  = Trim(Request.Form("my_password"))
    ' strCon (the ADO connection string) is assumed to be defined elsewhere, e.g. in an include file
    If IsValidString(my_user_name) = True And IsValidString(my_password) = True Then
        Set Con = Server.CreateObject("ADODB.Connection")
        Con.Open strCon
        sql = "SELECT userID, nickName, my_password, isAdmin, email FROM mysite_Members "
        sql = sql & " WHERE email = '" & my_user_name & "' AND my_password = '" & my_password & "' AND editor = 1 AND active = 0 "
        Set rec = Con.Execute(sql)
        If rec.EOF Then
            Response.Write("<h1>Login failed !</h1>" & vbNewLine)
        Else
            ' Matching row found: copy the member's details into the session and redirect
            Session("userID") = rec("userID")
            Session("nickName") = rec("nickName")
            Session("email") = rec("email")
            Session("my_password") = rec("my_password")
            Session("isAdmin") = rec("isAdmin")
            Response.Redirect "default.asp"
        End If
        rec.Close
        Set rec = Nothing
        Con.Close
        Set Con = Nothing
    End If

' Returns False if the string contains any disallowed character, a non-breaking
' space (Asc 160), "..", a double space, or leading/trailing spaces
Function IsValidString(sValidate)
    Dim sInvalidChars
    Dim bTemp
    Dim i
    ' Disallowed characters
    sInvalidChars = "!#$%^&*()=+{}[]|\\;?><'"
    For i = 1 To Len(sInvalidChars)
        If InStr(sValidate, Mid(sInvalidChars, i, 1)) > 0 Then bTemp = True
        If bTemp Then Exit For
    Next
    For i = 1 To Len(sValidate)
        If Asc(Mid(sValidate, i, 1)) = 160 Then bTemp = True
        If bTemp Then Exit For
    Next

    If Not bTemp Then
        bTemp = InStr(sValidate, "..") > 0
    End If
    If Not bTemp Then
        bTemp = InStr(sValidate, "  ") > 0
    End If
    If Not bTemp Then
        bTemp = (Len(sValidate) <> Len(Trim(sValidate)))
    End If ' Addition for leading and trailing spaces

    ' If any of the above are true, invalid string
    IsValidString = Not bTemp
End Function
%>

(in reply to Mav44)
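An added example, not code from either poster: the thread's question is whether filtering characters out of the username and password makes a login safe, and the reply builds its SELECT by concatenating the submitted values into the SQL text and relying on the IsValidString blacklist to keep quotes out. The usual defence is to send the values separately from the query (a parameterized query; in classic ASP that is an ADODB.Command with Parameters rather than Connection.Execute on a concatenated string) and to store a salted password hash instead of the password itself. The block below shows that pattern in Python with an in-memory sqlite3 table, standing in for the ADO code. The table and column names mysite_Members, userID, nickName, email and isAdmin follow the reply; the salt and password_hash columns, the editor/active flag values and the two member rows are constructed for this example.

```python
"""Parameterized login check with salted password hashing (added example).

Stands in for the concatenated-SQL login in the reply above: the e-mail
address is bound as a query parameter, so a quote in the input is data,
not SQL, and no character blacklist is needed. Passwords are stored as
PBKDF2 hashes and compared in constant time.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumption for this example; tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory members table with two editor accounts.

    The second account's e-mail contains an apostrophe, a legitimate value
    that the reply's IsValidString blacklist would reject outright.
    """
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE mysite_Members ("
        " userID INTEGER PRIMARY KEY, nickName TEXT, email TEXT UNIQUE,"
        " salt BLOB, password_hash BLOB, isAdmin INTEGER,"
        " editor INTEGER, active INTEGER)"
    )
    for uid, nick, email, pw in [
        (1, "mav", "mav@example.com", "correct horse battery"),
        (2, "obrien", "o'brien@example.com", "another passphrase"),
    ]:
        salt = os.urandom(16)  # fresh random salt per user (constructed sample data)
        con.execute(
            "INSERT INTO mysite_Members VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
            (uid, nick, email, salt, hash_password(pw, salt), 0, 1, 1),
        )
    con.commit()
    return con


def login(con: sqlite3.Connection, email: str, password: str):
    """Return the member's session data on success, or None on failure."""
    # The '?' placeholders mean the driver passes email.strip() to the engine
    # separately from the SQL text; the query shape cannot be changed by input.
    row = con.execute(
        "SELECT userID, nickName, email, salt, password_hash, isAdmin"
        " FROM mysite_Members WHERE email = ? AND editor = 1 AND active = 1",
        (email.strip(),),
    ).fetchone()
    if row is None:
        # Do the same hashing work for an unknown account so the response time
        # does not reveal whether the e-mail address exists.
        hash_password(password, b"\x00" * 16)
        return None
    user_id, nick, stored_email, salt, stored_hash, is_admin = row
    # Constant-time comparison of the recomputed hash against the stored one.
    if not hmac.compare_digest(hash_password(password, salt), stored_hash):
        return None
    # Only what later pages need goes into the session; the password never does.
    return {"userID": user_id, "nickName": nick, "email": stored_email, "isAdmin": is_admin}


if __name__ == "__main__":
    db = make_db()
    print(login(db, "mav@example.com", "correct horse battery"))
    print(login(db, "o'brien@example.com", "another passphrase"))
    print(login(db, "mav@example.com", "wrong password"))
```

Because the values never become part of the SQL text, the apostrophe in o'brien@example.com logs in normally, and any HTML or script characters in the fields can be left to output encoding (as the question's form already does with Server.HtmlEncode) rather than rejected at login.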