checking code and adding security level

I want to create a connection to an Access file.
I created some ASP files. The first I called authenticate.asp, where
you enter your login name and password.
The validate.asp is the main file that contains the script and redirects you to other pages.
The code is here below:
 
<% Language=VBScript %>
<%Response.Buffer = true%>
<%Response.Expires = 0
Dim strLogin
Dim strPW
Dim objConn, strSQL, objRS as recordset
strLogin = Request.Form("login")
strPW = Request.Form("pw")            
Set objConn = Server.CreateObject("ADODB.Connection")      
Set db = DBEngine.Workspaces(0).OpenDatabase(app.path & "\users.mdb" )
'Set rs = Server.CreateObject("ADODB.Recordset")
'conn.open "DBQ="users.mdb" & ";Driver={Microsoft Access Driver (*.mdb)};"      
      sqltemp="select * from users WHERE login = '" & _
     strLogin  & "' AND Password = '" & _
     strPW  & "'"
            sqltemp=sqltemp & strLogin & "'"
            Set objRS=objConn.execute(sqltemp)
%>
<!-- If the login is not in the database, then attempt fails with msg -->      
<%If  objRS.eof then%>
   <font size = '2' face = 'arial'>There is no user with the Login: <font size = '3' face = 'arial'><strong>
  <%=strLogin%></strong></font> in our database.</font><br>   <font size = '1' face = 'arial'>Did you misstype your login? Try <font size = '2' face ='arial'><A href='notvalidated.asp'>not authorized</a></font>
   <%response.end
end if
<!---- End of login Check ----><!---- Beginning of PW Check --><!---- If PW found then attempt succeeds and gives details with msg -->
If  objRS("Password")=strPW and objRS("Login") = strLogin then
session("bolAuthenticated")= True  
session("name") = objRS("Login")  
session("securitylevel")=objRS("security_level")  
session("pw") = objRS("password")
response.write " You are logged in as " %> <%=session("name")%>
<br>

   <%Response.write "Security Level= " & session("securitylevel")
  Response.Write "<a href='download.asp'>" & "<br>" & "click here to access the admin screen" & "</a>"%>
  <%session("bolAuthenticated") = true
  else%>
<!--- If PW not found then attempt fails with msg -->
 <font size = '3' face='arial'color = 'red'><strong>Password Unrecognized</strong></font><br>
  <font size = '1' face = 'arial'>Did you misstype your Password? Try <font size = '2' face ='arial'><A href='notvalidated.asp'>wrong password</a></font>
  <%response.end
  end if
<!---- End of PW Check ---->
objRS.close
objConn.close
set objRS=nothing
set objConn=nothing
%>
<HTML>
<HEAD>
</HEAD>
<BODY>
</BODY>
</HTML>
In addition, I have 3 degrees of security (I named them a, b, c in Access). Now I have to write something like this:
IF  session ("securitylevel")=objRS ("A")
Response.redirect "/page1.asp
IF session ("securitylevel")=objRS ("B")
Response.redirect "/page2.asp
else
Response.redirect "/page3.asp
I know what I have to write, but I don't know how to write it and where to put it in the script.
Thanks
dsmarket Asked:
 
bagi112599 Commented:
Looks like you have to run 2 queries:
1. to find out if there is any user with login as strLogin
2. if yes, to find out if the password for strLogin matches the submitted password strPW
So, change the following code of yours

sqltemp="select * from users WHERE login = '" & _
     strLogin  & "' AND Password = '" & _
     strPW  & "'"
sqltemp=sqltemp & strLogin & "'"

into

sqltemp="select * from users WHERE login = '" & _
     strLogin  & "'"

and run a second query as:

sqltemp="select * from users WHERE login = '" & _
     strLogin  & "' AND Password = '" & _
     strPW  & "'"

Good luck




0
 
dsmarket (Author) Commented:
I forgot to mention that the code doesn't work, although I tried many times.
What's wrong with it?
0
 
md_harris Commented:
This is the authentication page I use (slightly modified) whenever I do a "Secure" site. It's short and simple and works very well. The login page submits to this page, then is redirected either back to the login page in the case of a bad username/pw or to the main site in the case of a good username/pw. It also prevents multiple login attempts.


<%
'--- pagename: authenticate.asp
Dim rst
Dim strSQL
Dim dsn

dsn="dsn=whatever"

'------ Start a count to keep track of multiple login attempts ---------
if session("count")>0 then
      session("count")=session("count")+1
else
      session("count")=1
end if

'---- create and open the rs with values from the login page text fields
Set rst = CreateObject("ADODB.Recordset")
strSQL = "SELECT password, Login, securelev  FROM  users WHERE ((Login='" & request.form("login") & "') AND (password='" & request.form("pw") & "'));"

rst.Open strSQL, dsn

If rst.EOF AND rst.BOF then
      '------- No records returned so this user is not in the DB
      session("key")="bad"  '--set the key to an improper value just to be safe

      '--- He gets five chances to login then send him to the hampsterdance!!!!
      if session("count")>5 then response.redirect("http://www.hampsterdance.com/")      
      '-- if he didn't go to the hampsterdance set up the fail string
      Session("Message1")="Login Incorrect.  Please try again. "
      rst.Close
      set rst = nothing
      '--- send em back to the login page       
      Response.Redirect("Login.asp")      
Else
      '--- user is a valid user so set a unique key for him      
      session("key")="thekey" & session.sessionid
      session("count")=0
      session("securelev")=cstr(rst("securelev")) '--track the secure level through site
            '-- send them to the site
      if cstr(rst("securelev"))="A" then Response.Redirect("startpage1.asp")
      if cstr(rst("securelev"))="B" then Response.Redirect("startpage2.asp")
      if cstr(rst("securelev"))="C" then Response.Redirect("startpage3.asp")      
end if

rst.Close
set rst = nothing
%>


The following ASP needs to be on every page in the "secure" area of the site to check the user's "key":

<%
if session("key")<>"thekey" & session.sessionid then Response.Redirect("Login.asp")
%>

The following code needs to be on the login.asp page to display the bad login message:

<%
response.write session("message1")
session("message1")=""  'clear the error message
%>
0
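
Both queries posted in this thread build the SQL string by concatenating Request.Form values, so whatever a visitor types becomes part of the statement. The following added example (not code from any poster in the thread) binds the login and password as ADO parameters and routes on the stored level; the table, column, DSN and page names are taken from md_harris's answer, and the 50-character field size is an assumption.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit
' Added example: parameterized login check plus security-level routing.
' Names taken from the thread: table users (Login, password, securelev),
' DSN "whatever", Login.asp, startpage1-3.asp. Field size 50 is assumed.
Const adVarChar = 200, adParamInput = 1, adCmdText = 1

Dim cmd, rst, level
level = ""

Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = "dsn=whatever"
cmd.CommandType = adCmdText
' The ? markers are bound in order; form input never enters the SQL text.
cmd.CommandText = "SELECT securelev FROM users WHERE Login = ? AND [password] = ?"
cmd.Parameters.Append cmd.CreateParameter("login", adVarChar, adParamInput, 50, _
    Left(Request.Form("login"), 50))
cmd.Parameters.Append cmd.CreateParameter("pw", adVarChar, adParamInput, 50, _
    Left(Request.Form("pw"), 50))
Set rst = cmd.Execute

If Not rst.EOF Then
    ' Normalise the stored value so "a" and "A " route the same way.
    level = UCase(Trim(CStr(rst("securelev"))))
    ' Same session key the per-page check in md_harris's answer expects.
    Session("key") = "thekey" & Session.SessionID
End If
rst.Close
Set rst = Nothing
Set cmd = Nothing

' Only the level is kept in the session; the password is not stored there.
Session("securelev") = level
Select Case level
    Case "A": Response.Redirect "startpage1.asp"
    Case "B": Response.Redirect "startpage2.asp"
    Case "C": Response.Redirect "startpage3.asp"
    Case Else
        ' One message for unknown login and wrong password alike.
        Session("key") = "bad"
        Session("Message1") = "Login incorrect. Please try again."
        Response.Redirect "Login.asp"
End Select
%>
```

The redirect alone does not stop a level C user from requesting startpage1.asp directly, so each protected page should also compare Session("securelev") with the level it requires.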
 
dsmarket (Author) Commented:
To md_harris:
I'm very sorry, but it seems that your code doesn't work. I get an error:
" Microsoft VBScript compilation error '800a0400'

Expected statement

/shalitd/authenticate.asp, line 4

\par Dim rst"
How can I fix it?
Thanks
0
 
md_harris Commented:
dsmarket,

It works fine for me. Are you sure that you cut/pasted it correctly?
0