cipi
07-16-2003, 07:50 AM
Hello,
I was wondering which is the best way to do a login form that uses a database with a table that has "user" and "password" fields in it.
By "best way" I mean everything that is related to the security of the form (SQL injection etc.).
I use something like:
-------------------------------------------------
' read the posted form fields
username=Request.Form("username")
'Response.Write(username)
' double any single quote so the value can be spliced into the SQL string
if not username="" then
var_user=replace(username, "'", "''")
end if
password=Request.Form("password")
'Response.Write(password)
if not password="" then
var_pass=replace(password, "'", "''")
end if
Set conn=server.createobject("ADODB.connection")
conn.open "driver=.........
' the query is built by string concatenation; the replace above is the only protection
sql="Select * from admin where user='" & var_user & "' and pass='" & var_pass & "'"
'Response.Write(sql)
Set RS=conn.Execute(sql)
If not RS.EOF then
' a row matched: mark the session as logged in
Session("admin")=username
Session.Timeout=300 ' value is in minutes
RS.Close
Set RS=Nothing
conn.Close
Set conn=Nothing
Response.Redirect("login_ok.asp") ' ends the response; nothing below runs on success
end if
' no match: release the objects and show the form again
RS.Close
Set RS=Nothing
conn.Close
Set conn=Nothing
>>>>show the form<<<<<
---------------------------
In every secure page I use something like:
admin=Session("admin")
' not logged in: send the visitor back to the login form
If admin="" then
Response.Redirect("login.asp")
end if
I know that by replacing ' with '' you escape some of the SQL injection problem.
If there is a better way to do this or there is something wrong in my judgement please let me know.
Is there any importance in doing the check in the same ASP program or going to another page that does the same thing and redirects depending on the result?
Thanks
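The login check from the post, rewritten with an ADODB.Command and bound parameters instead of string concatenation. This is an added example, not the poster's code: it keeps the post's table and column names (admin, user, pass) and its two redirect targets, leaves the connection string elided as the post does, and assumes a maximum column width of 50 characters for the two parameters. With placeholders the SQL text is fixed and the driver passes the values separately, so a quote, a comment marker or a backslash in the input cannot change the query; doubling single quotes only handles the one character it looks for and depends on how the particular database treats other escape characters.

```vbscript
<%
' Added example (not from the original post): parameterized login query in classic ASP.
Option Explicit

' ADO constants, same values as in adovbs.inc
Const adCmdText    = 1
Const adParamInput = 1
Const adVarChar    = 200

Dim username, password, conn, cmd, rs

username = Request.Form("username")
password = Request.Form("password")

' Reject empty input before opening a connection.
If username = "" Or password = "" Then
    Response.Redirect("login.asp")
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "driver=.........   ' connection string elided, as in the post

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The statement text never contains user input; the two ? markers are bound below.
cmd.CommandText = "SELECT user FROM admin WHERE user = ? AND pass = ?"
' Parameter size 50 is an assumption about the column widths (not stated in the post).
cmd.Parameters.Append cmd.CreateParameter("p_user", adVarChar, adParamInput, 50, username)
cmd.Parameters.Append cmd.CreateParameter("p_pass", adVarChar, adParamInput, 50, password)

Set rs = cmd.Execute

If Not rs.EOF Then
    ' Store the value as it is in the database rather than the raw form input.
    Session("admin") = rs("user").Value
    Session.Timeout = 30   ' minutes; the post's 300 keeps a session alive for five hours
    rs.Close
    conn.Close
    Set rs = Nothing: Set cmd = Nothing: Set conn = Nothing
    Response.Redirect("login_ok.asp")
End If

' No match: release the objects and fall through to the form.
rs.Close
conn.Close
Set rs = Nothing: Set cmd = Nothing: Set conn = Nothing
%>
```

The parameter binding removes the injection problem regardless of which database is behind the driver, so the replace() calls are no longer needed. Two things the example does not change from the post but that matter for a real login: the pass column is compared as stored, so it should hold a hash rather than the plaintext password, and the session check on each protected page should test Session("admin") exactly as the post does, since a user can only reach those pages with a value that this script set.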