As Thomas has indicated, you need to look again at the whole structure of your authentication.
You can't just take a little from here or there and use it w/o integrating it to:
- manage the "secure" pages (check for authentication status on each page)
- manage the login (authenticate users w/ correct credentials and prevent "hacking")
- manage the users (create user credentials which let them authenticate)
You can look at
http://www.w3schools.com/asp/default.asp
Or to manage a DB w/ authentication see
http://support.microsoft.com/default.aspx?scid=321439
--
| Thanks Stefan
| I am not a web designer. I created a website for myself
|
| http://www.paulcmilner.co.uk/ then promised to do a website for my wife, who was
| let down several times by people, but it grew into a database application.
| The project is now near completion except I discovered SQL injection which
| makes this login/page protection a joke.
| Can you point me in the right direction of some code/tutorial which I can
| modify so I can get back to my real job?
| Thanks
| Paul M
|
|
| | > That is a pretty poor log in script w/ lots of errors (too many conditions
| > in it can fail and are undefined) and your Do loop at the
| > bottom is not necessary (it is replaced by the If Then Else I gave you)
| >
| > See my inline comments below in your code (areas starting w/ a *)
| >
| > IMHO
| > spend some time studying and understanding VBScript and ASP code
| > before you just paste and copy
| > - hopefully the DB data does not have anything of critical security in it
| > if you use that script as you now have it
| > --
| >
| > _____________________________________________
| > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > "Warning - Using the F1 Key will not break anything!" (-;
| > To find the best Newsgroup for FrontPage support see:
| >
http://www.net-sites.com/sitebuilder/newsgroups.asp
| > _____________________________________________
| >
| >
| > | > | Dear Stefan
| > | I get this page cannot be displayed error. Here is where I have put the
| > code
| > | and the rest of it
| >
| > *IMHO that's because of your poor code which sends them nowhere
| >
| > | <%
| > | Dim User, Pword, strSQL
| > | User = Trim(Replace(Request.Form("user_name"), "'", "''"))
| > | Pword = Trim(Replace(Request.Form("pass_word"), "'", "''"))
| > | strSQL = "SELECT user_name, pass_word FROM Results WHERE user_name='" & _
| > |          User & "' AND pass_word='" & Pword & "'"
| > |
| > | Dim Conn_Name
| > | Conn_Name = Application("databasesearch2ConnectionString")
| > | Set Conn = Server.CreateObject("ADODB.Connection")
| > | Conn.Open Conn_Name
| > | Set objRS = Server.CreateObject("ADODB.Recordset")
| > | objRS.Open strSql, Conn_Name
| > | If objRS.EOF Then
| > | 'NOT Authenticated Action here
| >
| > *This is where you would response write your Message (if it is to be
| > displayed in a validation.asp page)
| >
| > Message = "The Password you entered is either wrong or not found in our
| > database. Please press the BACK button and try again or if you have not
| > yet
| > created a username and password then click on the registration link."
| > ' above all on 1 line
| > Response.write Message 'Display the message
| >
| > | Else
| > | 'Authenticated Action here
| >
| > *This is where you would write your authenticated session variables using
| > the variable names from above (User and Pword) and
| > redirect them
| > (using your bad session variables from below only if used on other pages -
| > see comments below)
| >
| > Session("password") = Pword
| > ' Or you can use: Session("password") = objRS("pass_word")
| > Session("username") = User
| > ' Or you can use: Session("username") = objRS("user_name")
| > If Session("Ori_URL") = "" Then
| > Response.redirect "someotherpage.asp"
| > 'always send an authenticated user to some valid page
| > Else
| > Response.redirect(session("Ori_URL"))
| > End If
| >
| > | End If
| > |
| >
| > *DELETE all of this loop - replaced by the IF above
| > (and you have not opened RS - you have opened objRS in above code)
| >
| > | 'Loop through the database to check for the users information
| > | Do until RS.EOF
| >
| > *Note: Poor code to use a loop when the DB should only ever find (or fail
| > to find) just 1 record in any login script
| >
| > | Pass = RS("pass_word")
| > | Name = RS("user_name")
| > | RS.MoveNext
| > | loop
| >
| > |
| > | 'Close the recordset and database connection
| >
| > *You have not opened RS so you can't close it, you have opened objRS in
| > above code
| >
| > objRS.Close
| >
| > | 'RS.Close 'DELETE
| > | Conn.Close
| > |
| > | 'If the password given is not in the database then we don't do anything.
| > | 'Otherwise, we create the session objects
| >
| > *VBscript is case sensitive so "pass" is not the same as "Pass" so this IF
| > will always fail to the Else and authenticate anyone!
| > Empty values in the form password and usernames should be checked before
| > you even attempt to open the DB
| >
| > | IF pass = "" Then
| > | Message = "The Password you entered is either wrong or not found in our
| > | database. Please press the BACK button and try again or if you have not
| > yet
| > | created a username and password then click on the registration link."
| >
| > *What does this Message string do?
| > - nothing unless you Response write it to the page
| >
| > | Else
| >
| > | Session("password") = Pass
| > | Session("username") = Name
| >
| > Poor "security" to drag the username and password along as session
| > variables
| > - that means, unless you kill the session variables, anyone else w/ access
| > to the PC may be able to get in until the session times
| > out or browser is closed (session killed)
| > - Change the code on your other pages to not use them
| >
| > |
| > | 'Now we will check to see it there is a session object for an original
| > URL.
| > | 'This would have been created (as you will see later) if the user first
| > tried
| > | 'to visit a protected page. If so, we send them there. If not, we stay
| > here.
| > | IF Session("Ori_URL") = "" Then 'do nothing
| >
| > Poor code approach - they are stuck on a page w/ no where to go if
| > Session("Ori_URL") doesn't exist
| > - what if they came from the log in page will you send them back there?
| > - send them someplace other than back to the log in page or the validation
| > page if they are authenticated
| >
| > | Else
| >
| > | Response.redirect(session("Ori_URL"))
| >
| > See my above If statement
| >
| > | End IF
| > | End IF
| > | %>
| > |
| > |
| > | Paul M
| > |
| > |
| > | | > | > Change it to
| > | >
| > | > <%
| > | > Dim User, Pword, strSQL
| > | > User = Trim(Replace(Request.Form("user_name"), "'", "''"))
| > | > Pword = Trim(Replace(Request.Form("pass_word"), "'", "''"))
| > | > strSQL = "SELECT user_name, pass_word FROM Results WHERE user_name='" & _
| > | >          User & "' AND pass_word='" & Pword & "'"
| > | >
| > | > Dim Conn_Name
| > | > Conn_Name = Application("removed for this post ConnectionString")
| > | > Set Conn = Server.CreateObject("ADODB.Connection")
| > | > Conn.Open Conn_Name
| > | > Set objRS = Server.CreateObject("ADODB.Recordset")
| > | > objRS.Open strSql, Conn_Name
| > | > If objRS.EOF Then
| > | > 'NOT Authenticated Action here
| > | > Else
| > | > 'Authenticated Action here
| > | > End If
| > | > %>
| > | >
| > | > --
| > | > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > | >
| > | >
| > | > | > | > | Hi
| > | > | Thomas
| > | > | I have tried all the different ways I can think of but I can't get
| > this
| > | > to
| > | > | work. Here is the section of code that I am trying to change to
| > | > incorporate
| > | > | your asp into
| > | > |
| > | > | <%
| > | > | 'First we create a connection object
| > | > | Set Conn = Server.CreateObject("ADODB.Connection")
| > | > |
| > | > | 'Next, we open the connection object by calling the connection
| > string
| > | > | 'that FrontPage created and stored in the global.asa file when the
| > | > "store"
| > | > | 'connection was created
| > | > | Conn.Open Application("removed for this post ConnectionString")
| > | > |
| > | > | 'Then we create a record set object and a SQL statement
| > | > | Set RS = Conn.Execute("SELECT user_name, pass_word From Results WHERE " & _
| > | > |     "user_name = '" & Request.Form("user_name") & "' AND pass_word = '" & _
| > | > |     Request.Form("pass_word") & "'")
| > | > |
| > | > | Thanks Thomas
| > | > |
| > | > |
| > | > | | > | > | > Thank you so much Thomas
| > | > | > Paul M
| > | > | >
| > | > | > | > | > | >> User = Trim(Replace(Request.Form("user_name"), "'", "''"))
| > | > | >> Pword = Trim(Replace(Request.Form("pass_word"), "'", "''"))
| > | > | >>
| > | > | >>
| > | > | >> SELECT * FROM LoginTableName WHERE user_name='" & User & "' AND
| > | > | >> pass_word= '" & Pword & "'"
| > | > | >>
| > | > | >> --
| > | > | >> ==============================================
| > | > | >> Thomas A. Rowe (Microsoft MVP - FrontPage)
| > | > | >> ==============================================
| > | > | >> If you feel your current issue is a result of installing
| > | > | >> a Service Pack or security update, please contact
| > | > | >> Microsoft Product Support Services:
| > | > | >>
http://support.microsoft.com
| > | > | >> If the problem can be shown to have been caused by a
| > | > | >> security update, then there is usually no charge for the call.
| > | > | >> ==============================================
| > | > | >>
| > | > | >> | > | > | >>> Hi Thomas
| > | > | >>> Is it so even if you can use the password protected pages again
| > | > without
| > | > | >>> having to login?
| > | > | >>> The fields I use are "user_name" and "pass_word" these are the
| > | > fields
| > | > | >>> the query searches
| > | > | >>> I would really appreciate it if you could help by showing your
| > | > example
| > | > | >>> with my fields in as I don't quite grasp some of the names you
| > use
| > | > Pword
| > | > | >>> or password and where to substitute my field names
| > | > | >>> Thanks Thomas
| > | > | >>> I only discovered SQL injection today and I find it worrying
| > | > | >>> Paul M
| > | > | >>>
| > | > | >>> | > | > | >>>>I don't understand why the logonvalidate.asp page is written to
| > loop
| > | > | >>>>thru the recordset, as the only thing that needs to happen is
| > that
| > | > | >>>>login/password combination is valid, and then set a session to
| > | > indicate
| > | > | >>>>login status and then redirect the user to protected content,
| > etc.
| > | > | >>>>
| > | > | >>>> There is no reason to store the username or password in a
| > session.
| > | > | >>>>
| > | > | >>>> --
| > | > | >>>> Thomas A. Rowe (Microsoft MVP - FrontPage)
| > | > | >>>>
| > | > | >>>> | > | > | >>>>> Thanks Thomas
| > | > | >>>>> The main issue is some third party script that I use to
| > password
| > | > | >>>>> protect pages
| > | > | >>>>>
http://www.frontpagehowto.com/newpassword/default.asp#logon
| > | > | >>>>> I need to validate the logonvalidate.asp so it won't accept
| > | > certain
| > | > | >>>>> chars
| > | > | >>>>> I can put 'or 'a'='a in the username and password field and
| > it
| > | > | >>>>> accepts this as a valid username or password
| > | > | >>>>> Paul M
| > | > | >>>>>
| > | > | >>>>> | > | > | >>>>>> Paul, the main issue when using Access would be at a minimum,
| > the
| > | > | >>>>>> single quote, as SQL Injection is dependent on the database
| > and
| > | > the
| > | > | >>>>>> driver.
| > | > | >>>>>>
| > | > | >>>>>> This is what I generally use:
| > | > | >>>>>>
| > | > | >>>>>> User = Trim(Replace(Request.Form("UserID"), "'", "''"))
| > | > | >>>>>> Pword = Trim(Replace(Request.Form("Password"), "'", "''"))
| > | > | >>>>>>
| > | > | >>>>>> SELECT * FROM LoginTable WHERE Login='" & User & "' AND
| > Password=
| > | > '"
| > | > | >>>>>> & Pword & "'"
| > | > | >>>>>>
| > | > | >>>>>> --
| > | > | >>>>>> Thomas A. Rowe (Microsoft MVP - FrontPage)
| > | > | >>>>>>
| > | > | >>>>>> | > | > | >>>>>>> Hi
| > | > | >>>>>>> This is still driving me mad
| > | > | >>>>>>> I have a form with username and password fields. The
| > form
| > | > | >>>>>>> submits to a login validation asp script.
| > | > | >>>>>>> To stop SQL injection I need to filter out server side
| > characters
| > | > | >>>>>>> like single quote, double quote, slash, back slash, semi
| > colon,
| > | > | >>>>>>> extended characters like NULL, carriage return, new line, etc.
| > | > | >>>>>>> I know I need to add some validation asp script to the
| > | > validation
| > | > | >>>>>>> asp page but I have been looking on the web and I can't find
| > any
| > | > | >>>>>>> tutorials
| > | > | >>>>>>> Please help this one is driving me insane
| > | > | >>>>>>> Paul M
| > | > | >>>>>>>
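The whole thread comes down to one query. As an added example that is not part of the thread, the three versions of that login check side by side: the original string-built query from logonvalidate.asp, Thomas's quote-doubling, and a parameterised query. It is written in Python against an in-memory SQLite table rather than the thread's VBScript/ADO so it runs stand-alone. The table and column names follow the thread (Results, user_name, pass_word); the accounts in USERS are constructed sample data, and BYPASS is the payload Paul reports typing into both fields.

```python
"""Login check three ways: string-built SQL, quote-doubling, parameters.

Added example, not code from the thread. SQLite in memory stands in for
the Access database behind the ASP page; Results/user_name/pass_word are
the thread's names, the rows in USERS are constructed sample data.
"""
import sqlite3

# Constructed sample accounts (the thread never shows real ones).
USERS = [("paul", "s3cret"), ("alice", "hunter2")]

# The exact payload Paul reports typing into both form fields.
BYPASS = "' or 'a'='a"


def make_db():
    """Create the Results table and load the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Results (user_name TEXT, pass_word TEXT)")
    conn.executemany("INSERT INTO Results VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, user, pword):
    """Original logonvalidate.asp approach: form values pasted into the SQL.

    Returns the matched user_name or None. With BYPASS in both fields the
    WHERE clause reads  user_name='' or 'a'='a' AND pass_word='' or 'a'='a'
    which is true for every row, so the first account is "authenticated".
    """
    sql = ("SELECT user_name FROM Results WHERE user_name='" + user +
           "' AND pass_word='" + pword + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_escaped(conn, user, pword):
    """Thomas's mitigation: Trim, double every single quote, then concatenate.

    The injected quote now stays inside the string literal, so BYPASS is
    compared as a literal user name/password and finds nothing.
    """
    user = user.strip().replace("'", "''")
    pword = pword.strip().replace("'", "''")
    return login_concat(conn, user, pword)


def login_param(conn, user, pword):
    """Parameterised query: the values never become part of the SQL text."""
    row = conn.execute(
        "SELECT user_name FROM Results WHERE user_name=? AND pass_word=?",
        (user.strip(), pword.strip()),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concat", login_concat),
                     ("escaped", login_escaped),
                     ("param", login_param)):
        print(f"{name:8s} paul/s3cret -> {fn(db, 'paul', 's3cret')}, "
              f"bypass -> {fn(db, BYPASS, BYPASS)}")
```

In classic ASP the parameterised form is an ADODB.Command rather than a string: set CommandText to the query with ? markers, append one cmd.CreateParameter(name, adVarChar, adParamInput, size, value) per form field (adVarChar is 200 and adParamInput is 1 if the ADO constants are not included), and call Set objRS = cmd.Execute. Quote-doubling does stop this payload, because the injected quote ends up inside a string literal, but it only covers string fields on a driver that escapes quotes this way; parameters take the question off the table. Whichever version is used, the session should hold a logged-in flag and at most the user name, as Thomas says, never the password.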