Userid/Password Validation

What is wrong with the following script?


<HTML><HEAD>
<SCRIPT LANGUAGE="JavaScript">

<!-- Hide from JavaScript-Impaired Browsers
// Lookup alphabet: ckPwd() turns each decoded number into the character at
// that index of this string. It is delivered with the page, so it is not a secret.
al="`1234567890-=~!@#$%^&*()_+qwer"
+"tyuiop[]QWERTYUIOP{}|asdfghjkl;A"
+"SDFGHJKL:zxcvbnm,./ZXCVBNM<>?";
// ckPwd() stores the first record's length here; tstOk() appends the offset a
// and adds the result to the address it navigates to.
ab1="";
// Failed-attempt counter, incremented by ckPwd(). It is a page variable set to
// 0 here, so every page load starts the count again.
bctr=0;
// Checks the typed user name and password against a digit string read from the
// page, entirely in the browser. On a match it calls tstOk(); otherwise it
// counts the failure and either alerts or redirects to wrongpage.html.
//
// NOTE(review): the encoded list, the alphabet al and this decoder are all sent
// to the visitor, so this is obfuscation, not access control. Anyone who can
// load the page can read them. Access has to be enforced by the server (for
// example HTTP authentication); this check can only be a convenience.
function ckPwd(){
 // Search key: "<username>*<password>*" exactly as typed.
 tst=document.isn.username.value
 +"*"+document.isn.passwrd.value+"*";
 // pd is the NAME of a <FORM>, not of a field. As posted, that form contains
 // only a comment, so this read yields undefined and the substring() call on
 // the next line fails.
 ls=document.pd.value;
 // First two digits minus 91 give the offset subtracted from every character
 // code below. NOTE(review): eval() executes whatever text it is given;
 // parseInt(x,10) would read the digits without running anything.
 a=eval(ls.substring(0,2))-91;
 ls=ls.substring(2,ls.length);
 nls="";
 flg=0;
 // Decode one record per pass while more than 12 characters remain.
 while (ls.length>12){
  // Next two digits minus 89 give the number of characters in this record.
  ab=eval(ls.substring(0,2))-89;
// Keep the first record's length (as a string); later passes and later calls
// leave it unchanged because ab1 is a global.
ab1=(ab1==""?""+ab:ab1);
  // Copy of ab1; not read anywhere else in this listing.
  oab1=ab1;
  ls=ls.substring(2,ls.length);
  for (var i=0;i<ab;i++){
   // Two digits minus the offset give an index into al.
   nr=eval(ls.substring(0,2))-a;
   ls=ls.substring(2,ls.length);
   nls+=al.charAt(nr);
   }
  // Records are separated by "*"; nls keeps growing across passes.
  nls+="*";
  // NOTE(review): indexOf() is a substring test over everything decoded so
  // far, not an equality check on one user/password pair.
  if (nls.indexOf(tst)>-1){
   // Emptying ls ends the while loop.
   ls="";
   flg=1;
   }
  }
 if (flg==1){
  tstOk();
  }
  else{
  // The counter lives only in this page's script state, so it is a courtesy
  // message, not a lockout.
  bctr++;
  if (bctr>3){
   location.href="wrongpage.html";
   }
  else{
   alert("Sorry. Bad Username or Password."
   +" Failed Attempt #"+bctr+".");
   }
  }
 }
                             
// Success handler called by ckPwd(): appends the offset a to ab1, shows a
// confirmation, then navigates to "rightpage.html" followed by ab1.
// NOTE(review): the target address is computed in the browser from values that
// are already on the page, so it is not a secret. Whether the target page is
// actually restricted is decided by the server, not here (TODO confirm).
function tstOk(){
 ab1=ab1+""+a;
  alert("OK. You Entered a Valid Username and Password, "
  +document.isn.username.value+"! Taking you to the"
  +" restricted page as soon as you click OK.");
 location.href="rightpage.html"+ab1;
 }
                                   
// Reads the current time in milliseconds, takes the fourth digit from the end
// and stores it as a number in the global rec.
// Not called anywhere in this listing, and rec is not read anywhere in it.
// NOTE(review): presumably meant as a random digit; it is derived from the
// clock, so it should not be relied on for anything security-related.
function srand() {
 today=new Date();
 rand=today.getTime();
 picker=""+rand
 picker=picker.charAt((picker.length-4));
 // eval() of a single digit character; it only converts the digit to a number.
 rec=eval(picker);
 }
// End Hiding -->    
                             
</SCRIPT> </HEAD> <BODY BGCOLOR="black" text="grey""><CENTER>
<FORM NAME="pd">
<!-- IMPORTANT: After you run the pseudo-encrypter, you
will get a "hidden" form element constructed especially for your own user
names and passwords. Paste that form element right below this note and
above the end of form tag.
NOTE(review): as posted, this form is empty, so ckPwd() has nothing to read
and fails. Whatever is pasted here is sent to every visitor together with the
decoding script, so a "hidden" field does not keep the user names and
passwords secret. -->

</FORM>
                                   
<!-- You may put any page content you wish here
                               
The HTML below for the password entry is presently set for blue background and $
                                         
<FORM NAME="isn">              
<TABLE BORDER=2 CELLPADDING=5 CELLSPACING=0 BGCOLOR=BLUE>
<TR><TD COLSPAN=2 ALIGN=CENTER><FONT SIZE=4 COLOR=WHITE FACE="helvetica,arial,g$
<TR><TD><FONT SIZE=3 COLOR=GREY><B>Your User Name:</B></FONT></TD>
<TD><INPUT TYPE="text" NAME="username" VALUE="" SIZE=10></TD></TR>
<TR><TD><FONT SIZE=3 COLOR=grey<B>Your Password:</B></FONT></TD>
<TD><INPUT TYPE="password" NAME="passwrd" VALUE="" SIZE=10></TD></TR>
<TR>              
<TD COLSPAN=2 ALIGN=CENTER>                                          
<INPUT TYPE="button" NAME="btn" VALUE=" Submit " onClick="ckPwd();return false;$
</TABLE></FORM>                            
                                   
<b>To Recieve Access:</b><br>      
Username- John<br>                            
Password- 4$3gb%a              
<SCRIPT LANGUAGE="JavaScript">                                                  
                                         
<!-- Hide JavaScript from Java-Impaired Browsers
// Put the keyboard focus in the user-name field of the "isn" form.
document.isn.username.focus();                                       // End Hiding -->
                                                                     
</SCRIPT>                                                                      
                                           
</BODY>                            
</HTML>          
npc101Asked:
 
garikCommented:
You assign ls=document.pd.value - pd is a form, it doesn't have a value as far as I know. Then, apparently for testing, you combine username and password from isn form and assign it to tst - perhaps, that's what you want to use instead of document.pd.value? Although it still doesn't work because of eval() statements.
Anyway, if you could tell what you actually want from this script, I'd gladly help you.

Cheers
 
viroCommented:
Try this version:

                  <HTML><HEAD>
                  <SCRIPT LANGUAGE="JavaScript">

                  <!-- Hide from JavaScript-Impaired Browsers
                  al="`1234567890-=~!@#$%^&*()_+qwer"
                  +"tyuiop[]QWERTYUIOP{}|asdfghjkl;A"
                  +"SDFGHJKL:zxcvbnm,./ZXCVBNM<>?";
                  ab1="";
                  bctr=0;
                  function ckPwd(){
                   tst=document.isn.username.value
                   +"*"+document.isn.passwrd.value+"*";
                   ls=document.pd.value;
                   a=eval(ls.substring(0,2))-91;
                   ls=ls.substring(2,ls.length);
                   nls="";
                   flg=0;
                   while (ls.length>12){
                    ab=eval(ls.substring(0,2))-89;
                  ab1=(ab1==""?""+ab:ab1);
                    oab1=ab1;
                    ls=ls.substring(2,ls.length);
                    for (var i=0;i<ab;i++){
                     nr=eval(ls.substring(0,2))-a;
                     ls=ls.substring(2,ls.length);
                     nls+=al.charAt(nr);
                     }
                    nls+="*";
                    if (nls.indexOf(tst)>-1){
                     ls="";
                     flg=1;
                     }
                    }
                   if (flg==1){
                    tstOk();
                    }
                    else{
                    bctr++;
                    if (bctr>3){
                     location.href="wrongpage.html";
                     }
                    else{
                     alert("Sorry. Bad Username or Password."
                     +" Failed Attempt #"+bctr+".");
                     }
                    }
                   }
                     
                  function tstOk(){
                   ab1=ab1+""+a;
                    alert("OK. You Entered a Valid Username and Password, " 
                    +document.isn.username.value+"! Taking you to the"
                    +" restricted page as soon as you click OK.");
                   location.href="rightpage.html"+ab1;
                   }
                     
                  function srand() {
                   today=new Date();
                   rand=today.getTime();
                   picker=""+rand
                   picker=picker.charAt((picker.length-4));
                   rec=eval(picker);
                   }
                  // End Hiding -->
                     
                  </SCRIPT>
</HEAD>
<BODY BGCOLOR="black" text="grey"">
<CENTER>
<FORM NAME="pd">
                  <!-- IMPORTANT: After you run the pseudo-encrypter, you
                  will get a "hidden" form element constructed especially for your own
                  user
                  names and passwords. Paste that form element right below this note and
                  above the end of form tag.
                  NOTE(review): this form is still empty in this version, so ckPwd() has
                  nothing to read and fails. Whatever is pasted here is sent to every
                  visitor together with the decoding script, so a "hidden" field does
                  not keep the user names and passwords secret. -->
</FORM>
                     
                  <!-- You may put any page content you wish here
                     
                  The HTML below for the password entry is presently set for blue
                  background and $ -->
                     
<!-- Login form. It has no ACTION and the Submit control is TYPE="button", so
nothing is posted to a server: the click only runs ckPwd() in the browser. -->
<FORM NAME="isn">
<TABLE BORDER=2 CELLPADDING=5 CELLSPACING=0 BGCOLOR=BLUE>
<TR>
<TD COLSPAN=2 ALIGN=CENTER>
<FONT SIZE=4 COLOR=WHITE FACE="helvetica,arial">
</TD>
<TR>
<TD>
<FONT SIZE=3 COLOR=GREY>
<B>Your User Name:</B>
</FONT>
</TD>
<TD>
<INPUT TYPE="text" NAME="username" VALUE="" SIZE=10>
</TD>
<TR>
<TD>
<!-- NOTE(review): the FONT tag on the next line is missing its closing ">" before the B tag. -->
<FONT SIZE=3 COLOR=grey<B>Your Password:</B></FONT>
</TD>
<TD>
<INPUT TYPE="password" NAME="passwrd" VALUE="" SIZE=10>
</TD>
<TR>
<TD COLSPAN=2 ALIGN=CENTER>
<INPUT TYPE="button" NAME="btn" VALUE=" Submit " onClick="ckPwd();return false;">
</TABLE>
</FORM>
                     
                  <b>To Recieve Access:</b><br>
                  Username- John<br>
                  Password- 4$3gb%a
<SCRIPT LANGUAGE="JavaScript">
<!-- Hide JavaScript from Java-Impaired Browsers
  document.isn.username.focus();
// End Hiding -->
</SCRIPT>
</BODY>
</HTML>

Hope it helps!
 
npc101Author Commented:
Both versions give an "ls has no properties" error. What's wrong with it?

 
npc101Author Commented:
I want the script to limit access to a series of pages on my website by using a username-password system. The script must be secure so that it cannot be viewed from the login page, or it will be easy to crack.

Cheers.
 
garikCommented:
As far as I know, there is no way to protect your script from viewing - the most tricky solutions are easily bypassed by disabling JavaScript in the browser to see ANY script - embedded or .js file.
The easiest way to setup an authentication without using server-side solutions is to use file names as passwords. F.ex., for multiple user accounts, you could have subdirectories named as username and an entry page named as password. For user "joe" with password "sixpack" correct URL is
username+"/"+password+".html" = "joe/sixpack.html"
Therefore, your users would get 404's (Not found) instead of 401's (Access denied) if they use a wrong username/password combination. Directory listing (the only way to crack this system except for guessing) can be prohibited on the server or, if you don't have access to the server, blocked by providing a proper index.html (or whatever your server requires). Keep in mind that the password is then part of the URL, so it is also recorded wherever URLs are recorded, such as browser history and server logs.
BTW, why can't you use server's authentication facilities?
 
garikCommented:
mistyped: ".. bypassed by disabling JavaScript in the browser.."

 
npc101Author Commented:
I don't use server authentication as the server I use doesn't use CGI (it's a pain, I know) so I can't.
 
garikCommented:
Actually, I meant basic HTTP authentication supported by some Web servers like Apache or NCSA - they use plain .htaccess/.htpasswd files to protect directories.

Newer servers usually have built-in authentication and maintain users database.

BTW, it's location.href in MSIE, but document.location in Netscape, so you have to check User Agent to do a redirection right:

// Browser sniffing: if "MSIE" is absent from the user-agent string, assign
// top.document.location; otherwise assign top.location.href.
navigator.userAgent.indexOf("MSIE") < 0 ?
      top.document.location="Home.html" :
      top.location.href="Home.html";