protected pages


swstos
03-13-2003, 05:36 PM
Hi...

I am trying to make web pages protected.

I have a table which has the usernames and passwords.

I created the login screen, and in another web page (called authentication) I wrote the code to compare the username and password of the login screen with those in the database.

But something goes wrong and it does nothing.

The code I wrote in authentication.asp is below:

<%
Dim strUsername, strPassword
strUsername = Request("username")
strPassword = Request("password")

Dim rsUsers

set rsUsers = Server.CreateObject("ADODB.Recordset")
strSQL = "SELECT * FROM admin WHERE name = '" & strUsername & "';"

rsUsers.Open strSQL, objConn

WHILE NOT rsUsers.EOF
    ' if doctor's login details found

    If rsUsers("name") = Request.form("strUsername") THEN

        Response.Redirect "memberpage.asp"
    Else
        Response.Write "Access Denied!"

    END IF
WEND
%>


Can anyone please tell me what is wrong...? :confused:

swstos
03-14-2003, 08:30 AM
The connection works... and the SQL query works, because I did debug and it showed me the proper results...

The problem, I think, must be in the line below:
If rsUsers("name") = Request.form("strUsername") THEN

but I can't figure it out...

Thanks in advance... :confused:

Ribeyed
03-14-2003, 01:12 PM
Hi,
why do you have a ";" at the end of your SQL?
If it's not doing anything, then it is maybe because your recordset is being returned empty; therefore any code in the while not rs.eof will not run.
You are also doing a SQL query to find a record that is equal to the value from your form, which should be enough, but later down in your code you are again checking whether any record returned is the same as the value requested from the form.
You are saying: search the database for a record in the admin table where the admin table's field name is equal to the username that the user has submitted. This is fine, but you don't need to check again whether the record's name returned from the SQL is the same as what the user submitted; if it wasn't, it wouldn't have been returned. However, I don't seem to see where you check for the password as well. This doesn't need any more code apart from a slight change in the SQL. You also don't have to loop through a recordset if you know your SQL will only return 1 record.

I would change the code to this:


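' Form values are concatenated straight into the SQL text here
strSQL = "SELECT * FROM admin WHERE admin.name = '" & strUsername & "' AND admin.password = '" & strPassword & "'"
rsUsers.Open strSQL, objConn

' EOF right after Open means the query returned no matching row
If rsUsers.EOF Then
    Response.Write "no records found"
Else
    Response.Redirect "memberpage.asp"
End If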


Hope this helps
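
A parameterized version of the login check discussed in this thread, as an added example that is not part of the original posts: the form values are bound as parameters instead of being concatenated into the SQL string, so a quote in the username or password cannot alter the query. It assumes objConn is the open ADODB.Connection used in the thread and that both columns hold at most 50 characters; Session("loggedIn") is a hypothetical flag name.

```vbscript
<%
' Added example, not code from the thread.
' Assumes objConn is an open ADODB.Connection (as in the posts above) and that
' admin.name / admin.password are text columns of at most 50 characters.
' The password is compared exactly as the thread's table stores it.
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200
Const MAX_LEN = 50          ' assumed column width

Dim strUsername, strPassword, cmd, rsUsers, blnFound
strUsername = Request.Form("username")
strPassword = Request.Form("password")
blnFound = False

' Reject empty or oversized input before it reaches the database.
If Len(strUsername) > 0 And Len(strUsername) <= MAX_LEN _
   And Len(strPassword) > 0 And Len(strPassword) <= MAX_LEN Then

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = objConn
    cmd.CommandType = adCmdText
    ' The ? placeholders are bound as data, so a quote in the input
    ' cannot change the structure of the statement.
    cmd.CommandText = "SELECT admin.name FROM admin " & _
                      "WHERE admin.name = ? AND admin.password = ?"
    cmd.Parameters.Append cmd.CreateParameter("name", adVarChar, adParamInput, MAX_LEN, strUsername)
    cmd.Parameters.Append cmd.CreateParameter("password", adVarChar, adParamInput, MAX_LEN, strPassword)

    Set rsUsers = cmd.Execute
    blnFound = Not rsUsers.EOF     ' EOF right after Execute means no matching row
    rsUsers.Close
    Set rsUsers = Nothing
    Set cmd = Nothing
End If

' Redirect only after the recordset is closed, since Redirect ends the script.
If blnFound Then
    Session("loggedIn") = True     ' hypothetical flag for memberpage.asp to check
    Response.Redirect "memberpage.asp"
Else
    Response.Write "Access Denied!"
End If
%>
```

A redirect alone does not protect memberpage.asp from direct requests, so that page would check the session flag before rendering anything.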

Ribeyed
03-14-2003, 09:41 PM
ok thanks Dave:)