ChrisW2
asked on
Protecting ASP pages with a login
Hi,
I am trying to protect all my asp files with a login function. The function means that anyone trying to access any of the protected asp pages can't gain access unless they are logged in, and if they try to do so are taken straight to the login page. When i run the code though i receive this error.
Error Type:
Request object, ASP 0102 (0x80004005)
The function expects a string as input.
/logon.asp, line 5
Here is the code that runs the protection function.
<%
Set Conn = Server.CreateObject("ADODB
Conn.Open Application("Database1_Con
Set RS = Conn.Execute ("SELECT * From tblMember WHERE username = " & Request.Form(username)& " AND password =" & Request.Form(password) & ";")
Do until RS.EOF
Pass = RS("password")
Name = RS("username")
RS.MoveNext
loop
RS.Close
Conn.Close
IF Pass = "" Then
Message = "The Password you entered is either wrong or not found in our database. Please press the back button and try again."
Else
Session("password") = Pass
Session("username") = Name
IF Session("Ori_URL") = "" Then 'do nothing
Else
Response.redirect(session(
End IF
End IF
%>
My knowledge of sql is very limited, and i can't see why this doesn't work. It seems to link in with my access database fine but fall down at the Set RS line. Any help would be fantastic as regardless of what combination of code i try i can't get it to work.
I am trying to protect all my asp files with a login function. The function means that anyone trying to access any of the protected asp pages can't gain access unless they are logged in, and if they try to do so are taken straight to the login page. When i run the code though i receive this error.
Error Type:
Request object, ASP 0102 (0x80004005)
The function expects a string as input.
/logon.asp, line 5
Here is the code that runs the protection function.
<%
Set Conn = Server.CreateObject("ADODB
Conn.Open Application("Database1_Con
Set RS = Conn.Execute ("SELECT * From tblMember WHERE username = " & Request.Form(username)& " AND password =" & Request.Form(password) & ";")
Do until RS.EOF
Pass = RS("password")
Name = RS("username")
RS.MoveNext
loop
RS.Close
Conn.Close
IF Pass = "" Then
Message = "The Password you entered is either wrong or not found in our database. Please press the back button and try again."
Else
Session("password") = Pass
Session("username") = Name
IF Session("Ori_URL") = "" Then 'do nothing
Else
Response.redirect(session(
End IF
End IF
%>
My knowledge of sql is very limited, and i can't see why this doesn't work. It seems to link in with my access database fine but fall down at the Set RS line. Any help would be fantastic as regardless of what combination of code i try i can't get it to work.
Add single quotes to your SELECT statement
Set RS = Conn.Execute ("SELECT * From tblMember WHERE username = '" & Request.Form(username)& "' AND password ='" & Request.Form(password) & "';")
Set RS = Conn.Execute ("SELECT * From tblMember WHERE username = '" & Request.Form(username)& "' AND password ='" & Request.Form(password) & "';")
ASKER
Hi,
Thanks for the prompt response. I tried this:
Set RS = Conn.Execute ("SELECT * From tblMember WHERE username = "& Request.Form(username)&; "' AND password ='" &; Request.Form(password) &; "';")
And received the following error:
Error Type:
Microsoft VBScript compilation (0x800A03EA)
Syntax error
/logon.asp, line 5, column 91
Set RS = Conn.Execute ("SELECT * From tblMember WHERE username = "& Request.Form(username)&; "' AND password ='" &; Request.Form(password) &; "';")
Any ideas?
Thanks for the prompt response. I tried this:
Set RS = Conn.Execute ("SELECT * From tblMember WHERE username = "& Request.Form(username)&; "' AND password ='" &; Request.Form(password) &; "';")
And received the following error:
Error Type:
Microsoft VBScript compilation (0x800A03EA)
Syntax error
/logon.asp, line 5, column 91
Set RS = Conn.Execute ("SELECT * From tblMember WHERE username = "& Request.Form(username)&; "' AND password ='" &; Request.Form(password) &; "';")
Any ideas?
You need single quotes around the username as well.
ASKER
Tried this:
Set RS = Conn.Execute ("SELECT * From tblMember WHERE username = "& Request.Form("username") &; "' AND password ='" &; Request.Form("password") &; "';")
And received the following error:
Error Type:
Microsoft VBScript compilation (0x800A03EA)
Syntax error
/logon.asp, line 5, column 94
Set RS = Conn.Execute ("SELECT * From tblMember WHERE username = "& Request.Form("username") &; "' AND password ='" &; Request.Form("password") &; "';")
Is that what you meant?
Set RS = Conn.Execute ("SELECT * From tblMember WHERE username = "& Request.Form("username") &; "' AND password ='" &; Request.Form("password") &; "';")
And received the following error:
Error Type:
Microsoft VBScript compilation (0x800A03EA)
Syntax error
/logon.asp, line 5, column 94
Set RS = Conn.Execute ("SELECT * From tblMember WHERE username = "& Request.Form("username") &; "' AND password ='" &; Request.Form("password") &; "';")
Is that what you meant?
You should not build your SQL statement in code. There are a number of reason not to do it that way, two of which are;
1. You are open to SQL injection attacks,
2. You will have problems with unfiltered string parameters, which is why ryancys was doing a replace on your form field values. (However, by doing a replace on the password, he is changing the value.)
It is much better and safer to use parameterized SQL. The parameters can not be executable SQL code so you are not liikely to have an SQL injection attack, and you do not have to worry about filtering the input for single quotes, like O'Brian.
<!--#include virtual="include/adovbs.in
Dim param, cmd, conn, rs
Set cmd = Server.CreateObject("ADODB
Set RS = Server.CreateObject("ADODB
Set conn = Server.CreateObject("ADODB
conn.open *** your connection string ***
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT password FROM tblMember WHERE username = @username"
Set param = cmd.CreateParameter("@user
cmd.Parameters.Append param
RS.Open cmd
if NOT(RS.BOF AND RS.EOF) then
if RS("password")=Request.For
Session("login")=true
end if
end if
Regards,
Rod
1. You are open to SQL injection attacks,
2. You will have problems with unfiltered string parameters, which is why ryancys was doing a replace on your form field values. (However, by doing a replace on the password, he is changing the value.)
It is much better and safer to use parameterized SQL. The parameters can not be executable SQL code so you are not liikely to have an SQL injection attack, and you do not have to worry about filtering the input for single quotes, like O'Brian.
<!--#include virtual="include/adovbs.in
Dim param, cmd, conn, rs
Set cmd = Server.CreateObject("ADODB
Set RS = Server.CreateObject("ADODB
Set conn = Server.CreateObject("ADODB
conn.open *** your connection string ***
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT password FROM tblMember WHERE username = @username"
Set param = cmd.CreateParameter("@user
cmd.Parameters.Append param
RS.Open cmd
if NOT(RS.BOF AND RS.EOF) then
if RS("password")=Request.For
Session("login")=true
end if
end if
Regards,
Rod
extra ; ??
try:
Set RS = Conn.Execute ("SELECT * From tblMember WHERE username = "& Request.Form("username") &; "' AND password ='" &; Request.Form("password") & "';")
try:
Set RS = Conn.Execute ("SELECT * From tblMember WHERE username = "& Request.Form("username") &; "' AND password ='" &; Request.Form("password") & "';")
And back to your latest error:
It is:
"SELECT * From tblMember WHERE username = '"& Request.Form("username") & "' AND password ='" &; Request.Form("password") & "';"
not
"SELECT * From tblMember WHERE username = "& Request.Form("username") &; "' AND password ='" &; Request.Form("password") &; "';")
You are missing the left single quote for username and you have illegal semicolons after the second and third ampersands.
It is:
"SELECT * From tblMember WHERE username = '"& Request.Form("username") & "' AND password ='" &; Request.Form("password") & "';"
not
"SELECT * From tblMember WHERE username = "& Request.Form("username") &; "' AND password ='" &; Request.Form("password") &; "';")
You are missing the left single quote for username and you have illegal semicolons after the second and third ampersands.
oops, re-post, try:
Set RS = Conn.Execute ("SELECT * From tblMember WHERE username = " & Request.Form("username") & "' AND password ='" & Request.Form("password") & "' ")
or:
Set RS = Conn.Execute ("SELECT * From tblMember WHERE username = " & Replace(Request.Form("user
Set RS = Conn.Execute ("SELECT * From tblMember WHERE username = " & Request.Form("username") & "' AND password ='" & Request.Form("password") & "' ")
or:
Set RS = Conn.Execute ("SELECT * From tblMember WHERE username = " & Replace(Request.Form("user
ASKER
What code dfo i include in the file adovbs.inc? Or is that it, and i then place <!--#include virtual="include/adovbs.in
The code looks like this at the moment:
<!--#include virtual="include/adovbs.in
<%
Dim param, cmd, conn, rs
Set cmd = Server.CreateObject("ADODB
Set RS = Server.CreateObject("ADODB
Set conn = Server.CreateObject("ADODB
conn.open Application("Database1_Con
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT password FROM tblMember WHERE username = @username"
Set param = cmd.CreateParameter("@user
cmd.Parameters.Append param
RS.Open cmd
if NOT(RS.BOF AND RS.EOF) then
if RS("password")=Request.For
Session("login")=true
end if
end if
%>
Is that along the right lines?
The code looks like this at the moment:
<!--#include virtual="include/adovbs.in
<%
Dim param, cmd, conn, rs
Set cmd = Server.CreateObject("ADODB
Set RS = Server.CreateObject("ADODB
Set conn = Server.CreateObject("ADODB
conn.open Application("Database1_Con
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT password FROM tblMember WHERE username = @username"
Set param = cmd.CreateParameter("@user
cmd.Parameters.Append param
RS.Open cmd
if NOT(RS.BOF AND RS.EOF) then
if RS("password")=Request.For
Session("login")=true
end if
end if
%>
Is that along the right lines?
seems like many re-post here.. sorry about that, try this instead:
Set RS = Conn.Execute ("SELECT * From tblMember WHERE username = '" & Request.Form(username) & "' AND password = '" & Request.Form(password) & "' ")
or:
Set RS = Conn.Execute("SELECT * From tblMember WHERE username = '" & Replace(Request.Form("user
Set RS = Conn.Execute ("SELECT * From tblMember WHERE username = '" & Request.Form(username) & "' AND password = '" & Request.Form(password) & "' ")
or:
Set RS = Conn.Execute("SELECT * From tblMember WHERE username = '" & Replace(Request.Form("user
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I do not know where adovbs.inc is on your web server. Usually, it is outside of the web root where ever the ADO files were installed and you will need to put a copy in your web folder.
<%
'-------------------------
' Microsoft ADO
' ADO constants include file for VBScript
'-------------------------
'---- CursorTypeEnum Values ----
Const adOpenForwardOnly = 0
Const adOpenKeyset = 1
Const adOpenDynamic = 2
Const adOpenStatic = 3
'---- CursorOptionEnum Values ----
Const adHoldRecords = &H00000100
Const adMovePrevious = &H00000200
Const adAddNew = &H01000400
Const adDelete = &H01000800
Const adUpdate = &H01008000
Const adBookmark = &H00002000
Const adApproxPosition = &H00004000
Const adUpdateBatch = &H00010000
Const adResync = &H00020000
Const adNotify = &H00040000
Const adFind = &H00080000
Const adSeek = &H00400000
Const adIndex = &H00800000
'---- LockTypeEnum Values ----
Const adLockReadOnly = 1
Const adLockPessimistic = 2
Const adLockOptimistic = 3
Const adLockBatchOptimistic = 4
'---- ExecuteOptionEnum Values ----
Const adAsyncExecute = &H00000010
Const adAsyncFetch = &H00000020
Const adAsyncFetchNonBlocking = &H00000040
Const adExecuteNoRecords = &H00000080
Const adExecuteStream = &H00000400
'---- ConnectOptionEnum Values ----
Const adAsyncConnect = &H00000010
'---- ObjectStateEnum Values ----
Const adStateClosed = &H00000000
Const adStateOpen = &H00000001
Const adStateConnecting = &H00000002
Const adStateExecuting = &H00000004
Const adStateFetching = &H00000008
'---- CursorLocationEnum Values ----
Const adUseServer = 2
Const adUseClient = 3
'---- DataTypeEnum Values ----
Const adEmpty = 0
Const adTinyInt = 16
Const adSmallInt = 2
Const adInteger = 3
Const adBigInt = 20
Const adUnsignedTinyInt = 17
Const adUnsignedSmallInt = 18
Const adUnsignedInt = 19
Const adUnsignedBigInt = 21
Const adSingle = 4
Const adDouble = 5
Const adCurrency = 6
Const adDecimal = 14
Const adNumeric = 131
Const adBoolean = 11
Const adError = 10
Const adUserDefined = 132
Const adVariant = 12
Const adIDispatch = 9
Const adIUnknown = 13
Const adGUID = 72
Const adDate = 7
Const adDBDate = 133
Const adDBTime = 134
Const adDBTimeStamp = 135
Const adBSTR = 8
Const adChar = 129
Const adVarChar = 200
Const adLongVarChar = 201
Const adWChar = 130
Const adVarWChar = 202
Const adLongVarWChar = 203
Const adBinary = 128
Const adVarBinary = 204
Const adLongVarBinary = 205
Const adChapter = 136
Const adFileTime = 64
Const adPropVariant = 138
Const adVarNumeric = 139
Const adArray = &H2000
'---- FieldAttributeEnum Values ----
Const adFldMayDefer = &H00000002
Const adFldUpdatable = &H00000004
Const adFldUnknownUpdatable = &H00000008
Const adFldFixed = &H00000010
Const adFldIsNullable = &H00000020
Const adFldMayBeNull = &H00000040
Const adFldLong = &H00000080
Const adFldRowID = &H00000100
Const adFldRowVersion = &H00000200
Const adFldCacheDeferred = &H00001000
Const adFldIsChapter = &H00002000
Const adFldNegativeScale = &H00004000
Const adFldKeyColumn = &H00008000
Const adFldIsRowURL = &H00010000
Const adFldIsDefaultStream = &H00020000
Const adFldIsCollection = &H00040000
'---- EditModeEnum Values ----
Const adEditNone = &H0000
Const adEditInProgress = &H0001
Const adEditAdd = &H0002
Const adEditDelete = &H0004
'---- RecordStatusEnum Values ----
Const adRecOK = &H0000000
Const adRecNew = &H0000001
Const adRecModified = &H0000002
Const adRecDeleted = &H0000004
Const adRecUnmodified = &H0000008
Const adRecInvalid = &H0000010
Const adRecMultipleChanges = &H0000040
Const adRecPendingChanges = &H0000080
Const adRecCanceled = &H0000100
Const adRecCantRelease = &H0000400
Const adRecConcurrencyViolation = &H0000800
Const adRecIntegrityViolation = &H0001000
Const adRecMaxChangesExceeded = &H0002000
Const adRecObjectOpen = &H0004000
Const adRecOutOfMemory = &H0008000
Const adRecPermissionDenied = &H0010000
Const adRecSchemaViolation = &H0020000
Const adRecDBDeleted = &H0040000
'---- GetRowsOptionEnum Values ----
Const adGetRowsRest = -1
'---- PositionEnum Values ----
Const adPosUnknown = -1
Const adPosBOF = -2
Const adPosEOF = -3
'---- BookmarkEnum Values ----
Const adBookmarkCurrent = 0
Const adBookmarkFirst = 1
Const adBookmarkLast = 2
'---- MarshalOptionsEnum Values ----
Const adMarshalAll = 0
Const adMarshalModifiedOnly = 1
'---- AffectEnum Values ----
Const adAffectCurrent = 1
Const adAffectGroup = 2
Const adAffectAllChapters = 4
'---- ResyncEnum Values ----
Const adResyncUnderlyingValues = 1
Const adResyncAllValues = 2
'---- CompareEnum Values ----
Const adCompareLessThan = 0
Const adCompareEqual = 1
Const adCompareGreaterThan = 2
Const adCompareNotEqual = 3
Const adCompareNotComparable = 4
'---- FilterGroupEnum Values ----
Const adFilterNone = 0
Const adFilterPendingRecords = 1
Const adFilterAffectedRecords = 2
Const adFilterFetchedRecords = 3
Const adFilterConflictingRecords
'---- SearchDirectionEnum Values ----
Const adSearchForward = 1
Const adSearchBackward = -1
'---- PersistFormatEnum Values ----
Const adPersistADTG = 0
Const adPersistXML = 1
'---- StringFormatEnum Values ----
Const adClipString = 2
'---- ConnectPromptEnum Values ----
Const adPromptAlways = 1
Const adPromptComplete = 2
Const adPromptCompleteRequired = 3
Const adPromptNever = 4
'---- ConnectModeEnum Values ----
Const adModeUnknown = 0
Const adModeRead = 1
Const adModeWrite = 2
Const adModeReadWrite = 3
Const adModeShareDenyRead = 4
Const adModeShareDenyWrite = 8
Const adModeShareExclusive = &Hc
Const adModeShareDenyNone = &H10
Const adModeRecursive = &H400000
'---- RecordCreateOptionsEnum Values ----
Const adCreateCollection = &H00002000
Const adCreateStructDoc = &H80000000
Const adCreateNonCollection = &H00000000
Const adOpenIfExists = &H02000000
Const adCreateOverwrite = &H04000000
Const adFailIfNotExists = -1
'---- RecordOpenOptionsEnum Values ----
Const adOpenRecordUnspecified = -1
Const adOpenOutput = &H00800000
Const adOpenAsync = &H00001000
Const adDelayFetchStream = &H00004000
Const adDelayFetchFields = &H00008000
Const adOpenExecuteCommand = &H00010000
'---- IsolationLevelEnum Values ----
Const adXactUnspecified = &Hffffffff
Const adXactChaos = &H00000010
Const adXactReadUncommitted = &H00000100
Const adXactBrowse = &H00000100
Const adXactCursorStability = &H00001000
Const adXactReadCommitted = &H00001000
Const adXactRepeatableRead = &H00010000
Const adXactSerializable = &H00100000
Const adXactIsolated = &H00100000
'---- XactAttributeEnum Values ----
Const adXactCommitRetaining = &H00020000
Const adXactAbortRetaining = &H00040000
'---- PropertyAttributesEnum Values ----
Const adPropNotSupported = &H0000
Const adPropRequired = &H0001
Const adPropOptional = &H0002
Const adPropRead = &H0200
Const adPropWrite = &H0400
'---- ErrorValueEnum Values ----
Const adErrProviderFailed = &Hbb8
Const adErrInvalidArgument = &Hbb9
Const adErrOpeningFile = &Hbba
Const adErrReadFile = &Hbbb
Const adErrWriteFile = &Hbbc
Const adErrNoCurrentRecord = &Hbcd
Const adErrIllegalOperation = &Hc93
Const adErrCantChangeProvider = &Hc94
Const adErrInTransaction = &Hcae
Const adErrFeatureNotAvailable = &Hcb3
Const adErrItemNotFound = &Hcc1
Const adErrObjectInCollection = &Hd27
Const adErrObjectNotSet = &Hd5c
Const adErrDataConversion = &Hd5d
Const adErrObjectClosed = &He78
Const adErrObjectOpen = &He79
Const adErrProviderNotFound = &He7a
Const adErrBoundToCommand = &He7b
Const adErrInvalidParamInfo = &He7c
Const adErrInvalidConnection = &He7d
Const adErrNotReentrant = &He7e
Const adErrStillExecuting = &He7f
Const adErrOperationCancelled = &He80
Const adErrStillConnecting = &He81
Const adErrInvalidTransaction = &He82
Const adErrUnsafeOperation = &He84
Const adwrnSecurityDialog = &He85
Const adwrnSecurityDialogHeader = &He86
Const adErrIntegrityViolation = &He87
Const adErrPermissionDenied = &He88
Const adErrDataOverflow = &He89
Const adErrSchemaViolation = &He8a
Const adErrSignMismatch = &He8b
Const adErrCantConvertvalue = &He8c
Const adErrCantCreate = &He8d
Const adErrColumnNotOnThisRow = &He8e
Const adErrURLIntegrViolSetColum
Const adErrURLDoesNotExist = &He8f
Const adErrTreePermissionDenied = &He90
Const adErrInvalidURL = &He91
Const adErrResourceLocked = &He92
Const adErrResourceExists = &He93
Const adErrCannotComplete = &He94
Const adErrVolumeNotFound = &He95
Const adErrOutOfSpace = &He96
Const adErrResourceOutOfScope = &He97
Const adErrUnavailable = &He98
Const adErrURLNamedRowDoesNotExi
Const adErrDelResOutOfScope = &He9a
Const adErrPropInvalidColumn = &He9b
Const adErrPropInvalidOption = &He9c
Const adErrPropInvalidValue = &He9d
Const adErrPropConflicting = &He9e
Const adErrPropNotAllSettable = &He9f
Const adErrPropNotSet = &Hea0
Const adErrPropNotSettable = &Hea1
Const adErrPropNotSupported = &Hea2
Const adErrCatalogNotSet = &Hea3
Const adErrCantChangeConnection = &Hea4
Const adErrFieldsUpdateFailed = &Hea5
Const adErrDenyNotSupported = &Hea6
Const adErrDenyTypeNotSupported = &Hea7
Const adErrProviderNotSpecified = &Hea9
Const adErrConnectionStringTooLo
'---- ParameterAttributesEnum Values ----
Const adParamSigned = &H0010
Const adParamNullable = &H0040
Const adParamLong = &H0080
'---- ParameterDirectionEnum Values ----
Const adParamUnknown = &H0000
Const adParamInput = &H0001
Const adParamOutput = &H0002
Const adParamInputOutput = &H0003
Const adParamReturnValue = &H0004
'---- CommandTypeEnum Values ----
Const adCmdUnknown = &H0008
Const adCmdText = &H0001
Const adCmdTable = &H0002
Const adCmdStoredProc = &H0004
Const adCmdFile = &H0100
Const adCmdTableDirect = &H0200
'---- EventStatusEnum Values ----
Const adStatusOK = &H0000001
Const adStatusErrorsOccurred = &H0000002
Const adStatusCantDeny = &H0000003
Const adStatusCancel = &H0000004
Const adStatusUnwantedEvent = &H0000005
'---- EventReasonEnum Values ----
Const adRsnAddNew = 1
Const adRsnDelete = 2
Const adRsnUpdate = 3
Const adRsnUndoUpdate = 4
Const adRsnUndoAddNew = 5
Const adRsnUndoDelete = 6
Const adRsnRequery = 7
Const adRsnResynch = 8
Const adRsnClose = 9
Const adRsnMove = 10
Const adRsnFirstChange = 11
Const adRsnMoveFirst = 12
Const adRsnMoveNext = 13
Const adRsnMovePrevious = 14
Const adRsnMoveLast = 15
'---- SchemaEnum Values ----
Const adSchemaProviderSpecific = -1
Const adSchemaAsserts = 0
Const adSchemaCatalogs = 1
Const adSchemaCharacterSets = 2
Const adSchemaCollations = 3
Const adSchemaColumns = 4
Const adSchemaCheckConstraints = 5
Const adSchemaConstraintColumnUs
Const adSchemaConstraintTableUsa
Const adSchemaKeyColumnUsage = 8
Const adSchemaReferentialConstra
Const adSchemaTableConstraints = 10
Const adSchemaColumnsDomainUsage
Const adSchemaIndexes = 12
Const adSchemaColumnPrivileges = 13
Const adSchemaTablePrivileges = 14
Const adSchemaUsagePrivileges = 15
Const adSchemaProcedures = 16
Const adSchemaSchemata = 17
Const adSchemaSQLLanguages = 18
Const adSchemaStatistics = 19
Const adSchemaTables = 20
Const adSchemaTranslations = 21
Const adSchemaProviderTypes = 22
Const adSchemaViews = 23
Const adSchemaViewColumnUsage = 24
Const adSchemaViewTableUsage = 25
Const adSchemaProcedureParameter
Const adSchemaForeignKeys = 27
Const adSchemaPrimaryKeys = 28
Const adSchemaProcedureColumns = 29
Const adSchemaDBInfoKeywords = 30
Const adSchemaDBInfoLiterals = 31
Const adSchemaCubes = 32
Const adSchemaDimensions = 33
Const adSchemaHierarchies = 34
Const adSchemaLevels = 35
Const adSchemaMeasures = 36
Const adSchemaProperties = 37
Const adSchemaMembers = 38
Const adSchemaTrustees = 39
Const adSchemaFunctions = 40
Const adSchemaActions = 41
Const adSchemaCommands = 42
Const adSchemaSets = 43
'---- FieldStatusEnum Values ----
Const adFieldOK = 0
Const adFieldCantConvertValue = 2
Const adFieldIsNull = 3
Const adFieldTruncated = 4
Const adFieldSignMismatch = 5
Const adFieldDataOverflow = 6
Const adFieldCantCreate = 7
Const adFieldUnavailable = 8
Const adFieldPermissionDenied = 9
Const adFieldIntegrityViolation = 10
Const adFieldSchemaViolation = 11
Const adFieldBadStatus = 12
Const adFieldDefault = 13
Const adFieldIgnore = 15
Const adFieldDoesNotExist = 16
Const adFieldInvalidURL = 17
Const adFieldResourceLocked = 18
Const adFieldResourceExists = 19
Const adFieldCannotComplete = 20
Const adFieldVolumeNotFound = 21
Const adFieldOutOfSpace = 22
Const adFieldCannotDeleteSource = 23
Const adFieldReadOnly = 24
Const adFieldResourceOutOfScope = 25
Const adFieldAlreadyExists = 26
Const adFieldPendingInsert = &H10000
Const adFieldPendingDelete = &H20000
Const adFieldPendingChange = &H40000
Const adFieldPendingUnknown = &H80000
Const adFieldPendingUnknownDelet
'---- SeekEnum Values ----
Const adSeekFirstEQ = &H1
Const adSeekLastEQ = &H2
Const adSeekAfterEQ = &H4
Const adSeekAfter = &H8
Const adSeekBeforeEQ = &H10
Const adSeekBefore = &H20
'---- ADCPROP_UPDATECRITERIA_ENU
Const adCriteriaKey = 0
Const adCriteriaAllCols = 1
Const adCriteriaUpdCols = 2
Const adCriteriaTimeStamp = 3
'---- ADCPROP_ASYNCTHREADPRIORIT
Const adPriorityLowest = 1
Const adPriorityBelowNormal = 2
Const adPriorityNormal = 3
Const adPriorityAboveNormal = 4
Const adPriorityHighest = 5
'---- ADCPROP_AUTORECALC_ENUM Values ----
Const adRecalcUpFront = 0
Const adRecalcAlways = 1
'---- ADCPROP_UPDATERESYNC_ENUM Values ----
Const adResyncNone = 0
Const adResyncAutoIncrement = 1
Const adResyncConflicts = 2
Const adResyncUpdates = 4
Const adResyncInserts = 8
Const adResyncAll = 15
'---- MoveRecordOptionsEnum Values ----
Const adMoveUnspecified = -1
Const adMoveOverWrite = 1
Const adMoveDontUpdateLinks = 2
Const adMoveAllowEmulation = 4
'---- CopyRecordOptionsEnum Values ----
Const adCopyUnspecified = -1
Const adCopyOverWrite = 1
Const adCopyAllowEmulation = 4
Const adCopyNonRecursive = 2
'---- StreamTypeEnum Values ----
Const adTypeBinary = 1
Const adTypeText = 2
'---- LineSeparatorEnum Values ----
Const adLF = 10
Const adCR = 13
Const adCRLF = -1
'---- StreamOpenOptionsEnum Values ----
Const adOpenStreamUnspecified = -1
Const adOpenStreamAsync = 1
Const adOpenStreamFromRecord = 4
'---- StreamWriteEnum Values ----
Const adWriteChar = 0
Const adWriteLine = 1
'---- SaveOptionsEnum Values ----
Const adSaveCreateNotExist = 1
Const adSaveCreateOverWrite = 2
'---- FieldEnum Values ----
Const adDefaultStream = -1
Const adRecordURL = -2
'---- StreamReadEnum Values ----
Const adReadAll = -1
Const adReadLine = -2
'---- RecordTypeEnum Values ----
Const adSimpleRecord = 0
Const adCollectionRecord = 1
Const adStructDoc = 2
%>
<%
'-------------------------
' Microsoft ADO
' ADO constants include file for VBScript
'-------------------------
'---- CursorTypeEnum Values ----
Const adOpenForwardOnly = 0
Const adOpenKeyset = 1
Const adOpenDynamic = 2
Const adOpenStatic = 3
'---- CursorOptionEnum Values ----
Const adHoldRecords = &H00000100
Const adMovePrevious = &H00000200
Const adAddNew = &H01000400
Const adDelete = &H01000800
Const adUpdate = &H01008000
Const adBookmark = &H00002000
Const adApproxPosition = &H00004000
Const adUpdateBatch = &H00010000
Const adResync = &H00020000
Const adNotify = &H00040000
Const adFind = &H00080000
Const adSeek = &H00400000
Const adIndex = &H00800000
'---- LockTypeEnum Values ----
Const adLockReadOnly = 1
Const adLockPessimistic = 2
Const adLockOptimistic = 3
Const adLockBatchOptimistic = 4
'---- ExecuteOptionEnum Values ----
Const adAsyncExecute = &H00000010
Const adAsyncFetch = &H00000020
Const adAsyncFetchNonBlocking = &H00000040
Const adExecuteNoRecords = &H00000080
Const adExecuteStream = &H00000400
'---- ConnectOptionEnum Values ----
Const adAsyncConnect = &H00000010
'---- ObjectStateEnum Values ----
Const adStateClosed = &H00000000
Const adStateOpen = &H00000001
Const adStateConnecting = &H00000002
Const adStateExecuting = &H00000004
Const adStateFetching = &H00000008
'---- CursorLocationEnum Values ----
Const adUseServer = 2
Const adUseClient = 3
'---- DataTypeEnum Values ----
Const adEmpty = 0
Const adTinyInt = 16
Const adSmallInt = 2
Const adInteger = 3
Const adBigInt = 20
Const adUnsignedTinyInt = 17
Const adUnsignedSmallInt = 18
Const adUnsignedInt = 19
Const adUnsignedBigInt = 21
Const adSingle = 4
Const adDouble = 5
Const adCurrency = 6
Const adDecimal = 14
Const adNumeric = 131
Const adBoolean = 11
Const adError = 10
Const adUserDefined = 132
Const adVariant = 12
Const adIDispatch = 9
Const adIUnknown = 13
Const adGUID = 72
Const adDate = 7
Const adDBDate = 133
Const adDBTime = 134
Const adDBTimeStamp = 135
Const adBSTR = 8
Const adChar = 129
Const adVarChar = 200
Const adLongVarChar = 201
Const adWChar = 130
Const adVarWChar = 202
Const adLongVarWChar = 203
Const adBinary = 128
Const adVarBinary = 204
Const adLongVarBinary = 205
Const adChapter = 136
Const adFileTime = 64
Const adPropVariant = 138
Const adVarNumeric = 139
Const adArray = &H2000
'---- FieldAttributeEnum Values ----
Const adFldMayDefer = &H00000002
Const adFldUpdatable = &H00000004
Const adFldUnknownUpdatable = &H00000008
Const adFldFixed = &H00000010
Const adFldIsNullable = &H00000020
Const adFldMayBeNull = &H00000040
Const adFldLong = &H00000080
Const adFldRowID = &H00000100
Const adFldRowVersion = &H00000200
Const adFldCacheDeferred = &H00001000
Const adFldIsChapter = &H00002000
Const adFldNegativeScale = &H00004000
Const adFldKeyColumn = &H00008000
Const adFldIsRowURL = &H00010000
Const adFldIsDefaultStream = &H00020000
Const adFldIsCollection = &H00040000
'---- EditModeEnum Values ----
Const adEditNone = &H0000
Const adEditInProgress = &H0001
Const adEditAdd = &H0002
Const adEditDelete = &H0004
'---- RecordStatusEnum Values ----
Const adRecOK = &H0000000
Const adRecNew = &H0000001
Const adRecModified = &H0000002
Const adRecDeleted = &H0000004
Const adRecUnmodified = &H0000008
Const adRecInvalid = &H0000010
Const adRecMultipleChanges = &H0000040
Const adRecPendingChanges = &H0000080
Const adRecCanceled = &H0000100
Const adRecCantRelease = &H0000400
Const adRecConcurrencyViolation = &H0000800
Const adRecIntegrityViolation = &H0001000
Const adRecMaxChangesExceeded = &H0002000
Const adRecObjectOpen = &H0004000
Const adRecOutOfMemory = &H0008000
Const adRecPermissionDenied = &H0010000
Const adRecSchemaViolation = &H0020000
Const adRecDBDeleted = &H0040000
'---- GetRowsOptionEnum Values ----
Const adGetRowsRest = -1
'---- PositionEnum Values ----
Const adPosUnknown = -1
Const adPosBOF = -2
Const adPosEOF = -3
'---- BookmarkEnum Values ----
Const adBookmarkCurrent = 0
Const adBookmarkFirst = 1
Const adBookmarkLast = 2
'---- MarshalOptionsEnum Values ----
Const adMarshalAll = 0
Const adMarshalModifiedOnly = 1
'---- AffectEnum Values ----
Const adAffectCurrent = 1
Const adAffectGroup = 2
Const adAffectAllChapters = 4
'---- ResyncEnum Values ----
Const adResyncUnderlyingValues = 1
Const adResyncAllValues = 2
'---- CompareEnum Values ----
Const adCompareLessThan = 0
Const adCompareEqual = 1
Const adCompareGreaterThan = 2
Const adCompareNotEqual = 3
Const adCompareNotComparable = 4
'---- FilterGroupEnum Values ----
Const adFilterNone = 0
Const adFilterPendingRecords = 1
Const adFilterAffectedRecords = 2
Const adFilterFetchedRecords = 3
Const adFilterConflictingRecords
'---- SearchDirectionEnum Values ----
Const adSearchForward = 1
Const adSearchBackward = -1
'---- PersistFormatEnum Values ----
Const adPersistADTG = 0
Const adPersistXML = 1
'---- StringFormatEnum Values ----
Const adClipString = 2
'---- ConnectPromptEnum Values ----
Const adPromptAlways = 1
Const adPromptComplete = 2
Const adPromptCompleteRequired = 3
Const adPromptNever = 4
'---- ConnectModeEnum Values ----
Const adModeUnknown = 0
Const adModeRead = 1
Const adModeWrite = 2
Const adModeReadWrite = 3
Const adModeShareDenyRead = 4
Const adModeShareDenyWrite = 8
Const adModeShareExclusive = &Hc
Const adModeShareDenyNone = &H10
Const adModeRecursive = &H400000
'---- RecordCreateOptionsEnum Values ----
Const adCreateCollection = &H00002000
Const adCreateStructDoc = &H80000000
Const adCreateNonCollection = &H00000000
Const adOpenIfExists = &H02000000
Const adCreateOverwrite = &H04000000
Const adFailIfNotExists = -1
'---- RecordOpenOptionsEnum Values ----
Const adOpenRecordUnspecified = -1
Const adOpenOutput = &H00800000
Const adOpenAsync = &H00001000
Const adDelayFetchStream = &H00004000
Const adDelayFetchFields = &H00008000
Const adOpenExecuteCommand = &H00010000
'---- IsolationLevelEnum Values ----
Const adXactUnspecified = &Hffffffff
Const adXactChaos = &H00000010
Const adXactReadUncommitted = &H00000100
Const adXactBrowse = &H00000100
Const adXactCursorStability = &H00001000
Const adXactReadCommitted = &H00001000
Const adXactRepeatableRead = &H00010000
Const adXactSerializable = &H00100000
Const adXactIsolated = &H00100000
'---- XactAttributeEnum Values ----
Const adXactCommitRetaining = &H00020000
Const adXactAbortRetaining = &H00040000
'---- PropertyAttributesEnum Values ----
Const adPropNotSupported = &H0000
Const adPropRequired = &H0001
Const adPropOptional = &H0002
Const adPropRead = &H0200
Const adPropWrite = &H0400
'---- ErrorValueEnum Values ----
Const adErrProviderFailed = &Hbb8
Const adErrInvalidArgument = &Hbb9
Const adErrOpeningFile = &Hbba
Const adErrReadFile = &Hbbb
Const adErrWriteFile = &Hbbc
Const adErrNoCurrentRecord = &Hbcd
Const adErrIllegalOperation = &Hc93
Const adErrCantChangeProvider = &Hc94
Const adErrInTransaction = &Hcae
Const adErrFeatureNotAvailable = &Hcb3
Const adErrItemNotFound = &Hcc1
Const adErrObjectInCollection = &Hd27
Const adErrObjectNotSet = &Hd5c
Const adErrDataConversion = &Hd5d
Const adErrObjectClosed = &He78
Const adErrObjectOpen = &He79
Const adErrProviderNotFound = &He7a
Const adErrBoundToCommand = &He7b
Const adErrInvalidParamInfo = &He7c
Const adErrInvalidConnection = &He7d
Const adErrNotReentrant = &He7e
Const adErrStillExecuting = &He7f
Const adErrOperationCancelled = &He80
Const adErrStillConnecting = &He81
Const adErrInvalidTransaction = &He82
Const adErrUnsafeOperation = &He84
Const adwrnSecurityDialog = &He85
Const adwrnSecurityDialogHeader = &He86
Const adErrIntegrityViolation = &He87
Const adErrPermissionDenied = &He88
Const adErrDataOverflow = &He89
Const adErrSchemaViolation = &He8a
Const adErrSignMismatch = &He8b
Const adErrCantConvertvalue = &He8c
Const adErrCantCreate = &He8d
Const adErrColumnNotOnThisRow = &He8e
Const adErrURLIntegrViolSetColum
Const adErrURLDoesNotExist = &He8f
Const adErrTreePermissionDenied = &He90
Const adErrInvalidURL = &He91
Const adErrResourceLocked = &He92
Const adErrResourceExists = &He93
Const adErrCannotComplete = &He94
Const adErrVolumeNotFound = &He95
Const adErrOutOfSpace = &He96
Const adErrResourceOutOfScope = &He97
Const adErrUnavailable = &He98
Const adErrURLNamedRowDoesNotExi
Const adErrDelResOutOfScope = &He9a
Const adErrPropInvalidColumn = &He9b
Const adErrPropInvalidOption = &He9c
Const adErrPropInvalidValue = &He9d
Const adErrPropConflicting = &He9e
Const adErrPropNotAllSettable = &He9f
Const adErrPropNotSet = &Hea0
Const adErrPropNotSettable = &Hea1
Const adErrPropNotSupported = &Hea2
Const adErrCatalogNotSet = &Hea3
Const adErrCantChangeConnection = &Hea4
Const adErrFieldsUpdateFailed = &Hea5
Const adErrDenyNotSupported = &Hea6
Const adErrDenyTypeNotSupported = &Hea7
Const adErrProviderNotSpecified = &Hea9
Const adErrConnectionStringTooLo
'---- ParameterAttributesEnum Values ----
Const adParamSigned = &H0010
Const adParamNullable = &H0040
Const adParamLong = &H0080
'---- ParameterDirectionEnum Values ----
Const adParamUnknown = &H0000
Const adParamInput = &H0001
Const adParamOutput = &H0002
Const adParamInputOutput = &H0003
Const adParamReturnValue = &H0004
'---- CommandTypeEnum Values ----
Const adCmdUnknown = &H0008
Const adCmdText = &H0001
Const adCmdTable = &H0002
Const adCmdStoredProc = &H0004
Const adCmdFile = &H0100
Const adCmdTableDirect = &H0200
'---- EventStatusEnum Values ----
Const adStatusOK = &H0000001
Const adStatusErrorsOccurred = &H0000002
Const adStatusCantDeny = &H0000003
Const adStatusCancel = &H0000004
Const adStatusUnwantedEvent = &H0000005
'---- EventReasonEnum Values ----
Const adRsnAddNew = 1
Const adRsnDelete = 2
Const adRsnUpdate = 3
Const adRsnUndoUpdate = 4
Const adRsnUndoAddNew = 5
Const adRsnUndoDelete = 6
Const adRsnRequery = 7
Const adRsnResynch = 8
Const adRsnClose = 9
Const adRsnMove = 10
Const adRsnFirstChange = 11
Const adRsnMoveFirst = 12
Const adRsnMoveNext = 13
Const adRsnMovePrevious = 14
Const adRsnMoveLast = 15
'---- SchemaEnum Values ----
Const adSchemaProviderSpecific = -1
Const adSchemaAsserts = 0
Const adSchemaCatalogs = 1
Const adSchemaCharacterSets = 2
Const adSchemaCollations = 3
Const adSchemaColumns = 4
Const adSchemaCheckConstraints = 5
Const adSchemaConstraintColumnUs
Const adSchemaConstraintTableUsa
Const adSchemaKeyColumnUsage = 8
Const adSchemaReferentialConstra
Const adSchemaTableConstraints = 10
Const adSchemaColumnsDomainUsage
Const adSchemaIndexes = 12
Const adSchemaColumnPrivileges = 13
Const adSchemaTablePrivileges = 14
Const adSchemaUsagePrivileges = 15
Const adSchemaProcedures = 16
Const adSchemaSchemata = 17
Const adSchemaSQLLanguages = 18
Const adSchemaStatistics = 19
Const adSchemaTables = 20
Const adSchemaTranslations = 21
Const adSchemaProviderTypes = 22
Const adSchemaViews = 23
Const adSchemaViewColumnUsage = 24
Const adSchemaViewTableUsage = 25
Const adSchemaProcedureParameter
Const adSchemaForeignKeys = 27
Const adSchemaPrimaryKeys = 28
Const adSchemaProcedureColumns = 29
Const adSchemaDBInfoKeywords = 30
Const adSchemaDBInfoLiterals = 31
Const adSchemaCubes = 32
Const adSchemaDimensions = 33
Const adSchemaHierarchies = 34
Const adSchemaLevels = 35
Const adSchemaMeasures = 36
Const adSchemaProperties = 37
Const adSchemaMembers = 38
Const adSchemaTrustees = 39
Const adSchemaFunctions = 40
Const adSchemaActions = 41
Const adSchemaCommands = 42
Const adSchemaSets = 43
'---- FieldStatusEnum Values ----
Const adFieldOK = 0
Const adFieldCantConvertValue = 2
Const adFieldIsNull = 3
Const adFieldTruncated = 4
Const adFieldSignMismatch = 5
Const adFieldDataOverflow = 6
Const adFieldCantCreate = 7
Const adFieldUnavailable = 8
Const adFieldPermissionDenied = 9
Const adFieldIntegrityViolation = 10
Const adFieldSchemaViolation = 11
Const adFieldBadStatus = 12
Const adFieldDefault = 13
Const adFieldIgnore = 15
Const adFieldDoesNotExist = 16
Const adFieldInvalidURL = 17
Const adFieldResourceLocked = 18
Const adFieldResourceExists = 19
Const adFieldCannotComplete = 20
Const adFieldVolumeNotFound = 21
Const adFieldOutOfSpace = 22
Const adFieldCannotDeleteSource = 23
Const adFieldReadOnly = 24
Const adFieldResourceOutOfScope = 25
Const adFieldAlreadyExists = 26
Const adFieldPendingInsert = &H10000
Const adFieldPendingDelete = &H20000
Const adFieldPendingChange = &H40000
Const adFieldPendingUnknown = &H80000
Const adFieldPendingUnknownDelet
'---- SeekEnum Values ----
Const adSeekFirstEQ = &H1
Const adSeekLastEQ = &H2
Const adSeekAfterEQ = &H4
Const adSeekAfter = &H8
Const adSeekBeforeEQ = &H10
Const adSeekBefore = &H20
'---- ADCPROP_UPDATECRITERIA_ENU
Const adCriteriaKey = 0
Const adCriteriaAllCols = 1
Const adCriteriaUpdCols = 2
Const adCriteriaTimeStamp = 3
'---- ADCPROP_ASYNCTHREADPRIORIT
Const adPriorityLowest = 1
Const adPriorityBelowNormal = 2
Const adPriorityNormal = 3
Const adPriorityAboveNormal = 4
Const adPriorityHighest = 5
'---- ADCPROP_AUTORECALC_ENUM Values ----
Const adRecalcUpFront = 0
Const adRecalcAlways = 1
'---- ADCPROP_UPDATERESYNC_ENUM Values ----
Const adResyncNone = 0
Const adResyncAutoIncrement = 1
Const adResyncConflicts = 2
Const adResyncUpdates = 4
Const adResyncInserts = 8
Const adResyncAll = 15
'---- MoveRecordOptionsEnum Values ----
Const adMoveUnspecified = -1
Const adMoveOverWrite = 1
Const adMoveDontUpdateLinks = 2
Const adMoveAllowEmulation = 4
'---- CopyRecordOptionsEnum Values ----
Const adCopyUnspecified = -1
Const adCopyOverWrite = 1
Const adCopyAllowEmulation = 4
Const adCopyNonRecursive = 2
'---- StreamTypeEnum Values ----
Const adTypeBinary = 1
Const adTypeText = 2
'---- LineSeparatorEnum Values ----
Const adLF = 10
Const adCR = 13
Const adCRLF = -1
'---- StreamOpenOptionsEnum Values ----
Const adOpenStreamUnspecified = -1
Const adOpenStreamAsync = 1
Const adOpenStreamFromRecord = 4
'---- StreamWriteEnum Values ----
Const adWriteChar = 0
Const adWriteLine = 1
'---- SaveOptionsEnum Values ----
Const adSaveCreateNotExist = 1
Const adSaveCreateOverWrite = 2
'---- FieldEnum Values ----
Const adDefaultStream = -1
Const adRecordURL = -2
'---- StreamReadEnum Values ----
Const adReadAll = -1
Const adReadLine = -2
'---- RecordTypeEnum Values ----
Const adSimpleRecord = 0
Const adCollectionRecord = 1
Const adStructDoc = 2
%>
You should follow rdivilbiss advice on parameterized SQL.
The first code you've shown here can be hacked in about 20 sec' without any special software.
It is preferable to take the time to learn it rather than putting user's input directly into the SQL statement.
The first code you've shown here can be hacked in about 20 sec' without any special software.
It is preferable to take the time to learn it rather than putting user's input directly into the SQL statement.
You really think it would take that long? Are you a slow typer <smile>
Slow Connection? o_O
Hello Dear,
try this code I hope with this code you protected your asp pages ...........
<%
loginname=trim(request.for
password=trim(request.form
set con=server.createobject("a
Con.Open "YOUR CONNECTION STRING"
Set rs=Server.CreateObject("AD
rs.CurSorType=AdOpenStatic
rs.Open "SELECT * from login",con
if lcase(trim(loginname))=rs(
session("loginname")=lcase
response.redirect "otherpage.asp"
else
loginname=""
password=""
end if
%>
when you get the session("looginname"), according to the above code then you pass session("loginname") to everypage and check the session("loginname") to every asp page.
If you got any error then please write me.
chandresh.k6@gmail.com
try this code I hope with this code you protected your asp pages ...........
<%
loginname=trim(request.for
password=trim(request.form
set con=server.createobject("a
Con.Open "YOUR CONNECTION STRING"
Set rs=Server.CreateObject("AD
rs.CurSorType=AdOpenStatic
rs.Open "SELECT * from login",con
if lcase(trim(loginname))=rs(
session("loginname")=lcase
response.redirect "otherpage.asp"
else
loginname=""
password=""
end if
%>
when you get the session("looginname"), according to the above code then you pass session("loginname") to everypage and check the session("loginname") to every asp page.
If you got any error then please write me.
chandresh.k6@gmail.com
Chandresh_k6,
that's not gonna to work properly if:
1. your table got more than 1 record (bcos you not include where condition in your sql statement)
2. your table has no record (error handling issue)
just my $0.02
that's not gonna to work properly if:
1. your table got more than 1 record (bcos you not include where condition in your sql statement)
2. your table has no record (error handling issue)
just my $0.02
ASKER
Cheers for all the help guys. Finally got it working with the code which ryancys supplied and a portion added in afterwards by myself to take the user to the originally requested page. Thanks again guys.
Set RS = Conn.Execute ("SELECT * From tblMember WHERE username = " & Request.Form(username)& " AND password =" & Request.Form(password) & ";")
to:
Set RS = Conn.Execute("SELECT * From tblMember WHERE username = " & Replace(Request.Form("user
?