Solved

Trying to get "forgot password" to work

Posted on 2006-11-07
6
215 Views
Last Modified: 2012-08-14
Right now I have the code that is supposed to make this work, but it doesn't seem to find the right account holder in the db.  The secret question has an apostrophe in it so I have worked around that, but on this page where it pulls from the db, the code I have doesn't seem to work the same way.  I hope this isn't too confusing.  Below is my code:

'-----lost.asp

<%
Dim LostPassword

Set LostPassword = Server.CreateObject("ADODB.Connection")
ConnStr = "DRIVER={Microsoft Access Driver (*.mdb)};pwd=password;"
ConnStr = ConnStr & "DBQ=" & Server.MapPath("/dev/students.mdb")
LostPassword.Open(ConnStr)

SQLtemp = "SELECT * FROM tblAccess WHERE secret_question = '" & Replace(secret_question, "'", "''") & "' AND answer = '" & Request.Form("answer") & "' AND strEmail = '" & Request.Form("strEmail") & "'"

Set rs = LostPassword.Execute(SQLtemp)

If Request.Form("secret_question") = "" AND Request.Form("answer") = "" AND Request.Form("strEmail") = "" then
      Session("Message") = "<font face='Verdana, Arial, Helvetica' size='2' color='#008080'><b>Invalid Entry! </b></font><font face='Verdana, Arial, Helvetica' size='2' color='0000FF'>Please enter Question, Answer and E-Mail.</font>"
         Response.Redirect "/dev/forgot.asp"
      Response.End
End if

If Request.Form("secret_question") = "" then
      Session("Message") = "<font face='Verdana, Arial, Helvetica' size='2' color='#008080'><b>Invalid Entry! </b></font><font face='Verdana, Arial, Helvetica' size='2' color='0000FF'>Please select Secret Question.</font>"
         Response.Redirect "/dev/forgot.asp"
      Response.End
End if

If Request.Form("answer") = "" then
      Session("Message") = "<font face='Verdana, Arial, Helvetica' size='2' color='#008080'><b>Invalid Entry! </b></font><font face='Verdana, Arial, Helvetica' size='2' color='0000FF'>Please enter Answer.</font>"
         Response.Redirect "/dev/forgot.asp"
      Response.End
End if

If Request.Form("strEmail") = "" then
      Session("Message") = "<font face='Verdana, Arial, Helvetica' size='2' color='#008080'><b>Invalid Entry! </b></font><font face='Verdana, Arial, Helvetica' size='2' color='0000FF'>Please enter E-Mail Address.</font>"
      Response.Redirect "/dev/forgot.asp"
      Response.End
End if

If rs.eof then
      rs.Close
      LostPassword.Close
      set LostPassword = Nothing
      Session("Message") = "<b><font face='Verdana, Arial, Helvetica' size='2' color='FF0000'>Sorry! </font></b><font face='Verdana, Arial, Helvetica' size='2' color='0000FF'>No Matches Found.</font>"
      Response.Redirect "/dev/forgot.asp"
      Response.End
end if

while not rs.eof


If Request.Form("secret_question") = rs("secret_question") AND Request.Form("answer") = rs("answer") AND Request.Form("strEmail") = rs("strEmail") Then

      dim Your_Email
      Your_Email = rs("strEmail")
      dim Date_In
      Date_In = rs("Entry_Date")
      dim secret_question
      secret_question = rs("secret_question")

      Response.Cookies("strEmail") = Your_Email
      Response.Cookies("still") = Date_In

      Session.TimeOut = 20
      Session("strEmail") = "Yes"

      Response.Redirect "/dev/profile.asp?UserLoggedIn=" & Your_Email
      Response.End
Else
      Session("Message") = "<font face='Verdana, Arial, Helvetica' size='2' color='FF0000'>Incorrect Answer or E-Mail Address.</font></p>"
      Response.redirect("/dev/forgot.asp")
      Response.End
End If
   rs.MoveNext
Wend

rs.Close
LostPassword.Close
set LostPassword = Nothing

%>
0
Comment
Question by:pingeyeg
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 25

Expert Comment

by:kevp75
ID: 17890483
you mention that the secret question has an apostrophe in it, but have worked around that.  Please clarify what you mean.  Did you go into the field in the database and replace it with something, are you doing this code wise?, etc...

My first guess would be that you changed it in the table, but are trying to put it in your form field for your secret question.

BTW, the single quote/apostrophe is the biggest cause of the SQL Injection attack.
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 17890541
Basically what I did was when a user edits their account and makes a secret question and answer, I had the sql statement replace the ' with ''.  That way it would work.  Well now I am trying to pull that information and I believe the sql statment doesn't like the single quote in the db.  I am trying to work around that on this page.  How can I do that.
0
 
LVL 25

Expert Comment

by:kevp75
ID: 17890658
it doesn't like the single quote, because that is something that is used to escape the SQL statement.  Hence why you replace it with ''
0
Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

 
LVL 1

Author Comment

by:pingeyeg
ID: 17890677
Where on this page can I place a Replace statement to replace the ' with ''?
0
 
LVL 6

Accepted Solution

by:
gete earned 500 total points
ID: 17890750
If that's the exact actual code, I think you didn't escape the intended variables. Try to modify:

SQLtemp = "SELECT * FROM tblAccess WHERE secret_question = '" & Replace(secret_question, "'", "''") & "' AND answer = '" & Request.Form("answer") & "' AND strEmail = '" & Request.Form("strEmail") & "'"

to:

SQLtemp = "SELECT * FROM tblAccess WHERE secret_question = '" & Replace(Request.Form("secret_question"), "'", "''") & "' AND answer = '" & Request.Form("answer") & "' AND strEmail = '" & Request.Form("strEmail") & "'"

As kevp75 mentioned, you need to be careful of injection in crafting inline SQL statement, i.e. you need to also escape answer and strEmail:

SQLtemp = "SELECT * FROM tblAccess WHERE secret_question = '" & Replace(Request.Form("secret_question"), "'", "''") & "' AND answer = '" & Replace(Request.Form("answer"), "'", "''") & "' AND strEmail = '" & Replace(Request.Form("strEmail"), "'", "''") & "'"

Another thing, although this comparison seems redundant due to the similarity to the SQL WHERE condition:
If Request.Form("secret_question") = rs("secret_question") AND Request.Form("answer") = rs("answer") AND Request.Form("strEmail") = rs("strEmail") Then

it can give you different result, i.e. although it passes the SQL statement (gives you Recordset), the ASP/VBScript comparison doesn't compute it as True. This is because SQL in many DBMS is case insensitive while string comparison in ASP/VBScript is case sensitive. If you want it to be case sensitive, then the ASP/VBScript code will help. If not, you can drop the ASP/VBScript comparison since the SQL already takes care of it.
0
 
LVL 25

Expert Comment

by:kevp75
ID: 17891203
your welcome, glad I could help :|
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Clear input text 15 34
Retreiving SOAP FAULT messages using classical ASP 14 48
Sending ASP to server side 8 43
Boolean 13 51
I have helped a lot of people on EE with their coding sources and have enjoyed near about every minute of it. Sometimes it can get a little tedious but it is always a challenge and the one thing that I always say is:   The Exchange of informatio…
Hello, all! I just recently started using Microsoft's IIS 7.5 within Windows 7, as I just downloaded and installed the 90 day trial of Windows 7. (Got to love Microsoft for allowing 90 days) The main reason for downloading and testing Windows 7 is t…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question