Secure login using Classic ASP and SQL db not working
Posted on 2006-05-04
I’m trying to add a secure login to my home page. After the user submits the username and password, they are directed to a page unique to that user. Basically, many users will have the same username and password, which is unique to an ongoing project. The page returned is a PDF that has information about the ongoing project. The data isn’t sensitive; I’m just trying to direct end users to the correct information a little easier. Also, in the future this login feature may be incorporated to other users and access if things work out.
I’m using Classic ASP and a SQL database. I’m able to display the input text boxes on the home page and enter username and password. When I click the submit button, it returns me to the home page and leaves the username in the username text box.
I have a form on the home page with the action (ACTION=”login”) that calls a page named login.asp where my code resides that performs the check against the database. I have a table named (“dev_login”) with the columns.
Can someone look through my syntax and give me a pointer or two on how to make this work?
Here is my code for the login form displayed on the home page:
<FORM ACTION="login.asp" METHOD="post">
<TD VALIGN="Top"><asp:TextBox ID="txtUsername" runat="server" Columns="15" MaxLength="50" Width="145" /></TD>
<TD VALIGN="Top"><asp:TextBox ID="txtPassword" runat="server" Columns="15" MaxLength="50" TextMode="Password" Width="145" /></TD>
<TD VALIGN="Top"><INPUT TYPE="submit" VALUE="Login"></TD>
Below is the code in my login.asp page.
Response.Buffer = True
Dim objConn, objRS, errormsg
Session.Contents("status") = ""
Set objConn = Server.CreateObject("ADODB.Connection")
Set objRS = objConn.Execute("SELECT * FROM dev_login WHERE Username = '" & Request.Form("txtUsername") & "" and Password = '" & Request.Form("txtPassword") & "'")
if not objRS.EOF Then
Session.Contents("status") = objRS(2)
redir = objRS(3)
or: redir = objRS("destination")
errormsg = "Sorry, but the username does not exist or the password was incorrect."
'we want to close our recordset before redirecting. asp does not always clean itself up very good
set objRS = Nothing
Set objConn = Nothing
if errormsg = "" then
response.redirect( redir )
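As an added example (not part of the original post): the query in login.asp is built by concatenating Request.Form values into the SQL string, so the same lookup is shown here with bound parameters through ADODB.Command. Assumptions not taken from the post: the connection string is read from a hypothetical Application("ConnString"), the form posts plain fields named txtUsername and txtPassword, and the error message belongs in an Else branch.

```vbscript
<%
Option Explicit
Response.Buffer = True

' ADO constants, values as defined in adovbs.inc
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

Dim objConn, objCmd, objRS, errormsg, redir
errormsg = ""
Session.Contents("status") = ""

Set objConn = Server.CreateObject("ADODB.Connection")
' Assumption: the connection string lives in Application("ConnString");
' the original post does not show how the connection is opened.
objConn.Open Application("ConnString")

Set objCmd = Server.CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandType = adCmdText
' Each ? is bound to a parameter below, so quotes typed into the form
' stay data and never become part of the SQL text.
objCmd.CommandText = "SELECT * FROM dev_login WHERE Username = ? AND Password = ?"
objCmd.Parameters.Append objCmd.CreateParameter("user", adVarChar, adParamInput, 50, Request.Form("txtUsername") & "")
objCmd.Parameters.Append objCmd.CreateParameter("pass", adVarChar, adParamInput, 50, Request.Form("txtPassword") & "")

Set objRS = objCmd.Execute
If Not objRS.EOF Then
    Session.Contents("status") = objRS(2)
    redir = objRS("destination")
Else
    errormsg = "Sorry, but the username does not exist or the password was incorrect."
End If

' Close the recordset and connection before redirecting
objRS.Close
Set objRS = Nothing
Set objCmd = Nothing
objConn.Close
Set objConn = Nothing

If errormsg = "" Then
    Response.Redirect redir
Else
    Response.Write Server.HTMLEncode(errormsg)
End If
%>
```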