www.webdeveloper.com

Thread: asp login

  1. #1

    asp login

    Hello,

    I was wondering which is the best way to do a login form that uses a database with a table that has in it a "user" and a "password" field.

    By "best way" I mean everything that is related to the security of the form (SQL injection etc.).

    I use something like:
    -------------------------------------------------
    Code:
    ' Read the posted fields (the commented Response.Write lines are debugging aids).
    username = Request.Form("username")
    'Response.Write(username)
    ' Double any single quote so it cannot terminate the SQL string literal.
    ' Replace on an empty string simply returns "", so no If around it is needed.
    var_user = Replace(username, "'", "''")
    
    password = Request.Form("password")
    'Response.Write(password)
    var_pass = Replace(password, "'", "''")
    
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "driver=.........
    ' The (escaped) values are still concatenated into the statement text here.
    sql = "Select * from admin where user='" & var_user & "' and pass='" & var_pass & "'"
    'Response.Write(sql)
    Set rs = conn.Execute(sql)
    
    ' A non-empty result means a row matched the user/password pair.
    loggedIn = Not rs.EOF
    
    rs.Close
    Set rs = Nothing
    conn.Close
    Set conn = Nothing
    
    If loggedIn Then
        Session("admin") = username
        Session.Timeout = 300
        Response.Redirect("login_ok.asp")
    End If
    
    >>>>show the form<<<<<
    ---------------------------

    In every secure page I use something like:


    Code:
    ' Anyone without a login session is sent back to the login form.
    admin = Session("admin")
    If admin = "" Then
        Response.Redirect("login.asp")
    End If

    I know that by replacing ' with '' you escape some of the SQL injection problem.

    If there is a better way to do this or there is something wrong in my judgement, please let me know.
    Is there any importance in doing the check in the same asp program or going into another page that does the same thing and redirect depending on the result?
    Thanks

  2. #2
    I'm sure it works. I have used the replace function this way for almost a year.
    But, what do you mean by "are you sure it works". Where, in what condition?

    I began using the replace of ' with '' because I got an SQL error when using values like "D'Augustino". So I needed to replace the ' with ''. From what I know, Access and MySQL know that '' means ', and in the database you will have '.

    A few weeks ago I discovered what SQL injection is, and one way of protecting the application from this kind of attack was to replace ' with ''; otherwise someone could enter something like > ' or 1=1' < (something like this anyway) and enter the site without even needing a password.
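    For reference, here is the login check from the first post rewritten with an ADODB.Command and bound parameters instead of quote-doubling and string concatenation; this is an added example, not code from either post. Because the driver sends the posted values separately from the statement text, input of the kind mentioned in the second post (' or 1=1) is compared as a literal user name and never parsed as SQL. It assumes the same admin table with user and pass columns, the login.asp and login_ok.asp pages from the thread, and a connection string that you fill in at CONN_STR.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit

' ADO constants (classic ASP has no adovbs.inc included by default).
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1
' Placeholder: put the real ODBC connection string here.
Const CONN_STR = "driver=...;"

Dim username, password, conn, cmd, rs, loggedIn
username = CStr(Request.Form("username"))
password = CStr(Request.Form("password"))

' Empty fields never reach the database.
If username = "" Or password = "" Then
    Response.Redirect("login.asp")
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open CONN_STR

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' "?" placeholders are filled positionally from the parameters appended below;
' no Replace(..., "'", "''") is needed because the values are not part of the text.
cmd.CommandText = "SELECT user FROM admin WHERE user = ? AND pass = ?"
cmd.Parameters.Append cmd.CreateParameter("user", adVarChar, adParamInput, 255, username)
cmd.Parameters.Append cmd.CreateParameter("pass", adVarChar, adParamInput, 255, password)

Set rs = cmd.Execute
' A row comes back only when both columns matched the bound values exactly.
loggedIn = Not rs.EOF

rs.Close
Set rs = Nothing
Set cmd = Nothing
conn.Close
Set conn = Nothing

If loggedIn Then
    Session("admin") = username
    Response.Redirect("login_ok.asp")
End If
%>
```

    The per-page check from the first post (redirect to login.asp when Session("admin") is empty) stays as it is; only the query construction changes.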
