Encrypt asp password

I have a site which has a login page which then allows the user to the site.  Within the site administrators can add users and everything is great.  The original code wasnt written by me however I am the owner.

The problem is that the passwords are stored in an MS SQL database in full glory for people to see.  I need for this not to be the case.  I am guessing that I will need to encrypt/decrypt the password through the ASP code.  It doesnt need to be particularly tight - just stop prying eyes.

I have knowledge of VBA and VB but know nothing of ASP.  Below is the code for 3 files which I believe might be useful.  (signinproc.asp) is run when the user logs in.  (manageusers.asp) - well manages the users and then within that we (saveusers.asp)

What do people suggest?

Thanks in advance
//signinproc.asp


<script language="javascript" runat="server" src="opendatabase.js"></script>
<script language="javascript" runat="server" src="paramtest.js"></script>
<script language="javascript" runat="server" src="debug.js"></script>

<script language="javascript" runat="server">

function main()
{
    var userid = getformteststrparam("un",50);
    var password = getformteststrparam("pw",50);
    var dbConn,dbRec,SQL;

    if( (userid == "hidden") && (password == "hidden") )
    {
        Session("signedin") = true;
        Session("signinmessage") = "";
        Session("userid") = 0;
        Session("username") = "Back door administrator";
        Session("usertype") = 2;
        Session("isadmin") = 1;
        Response.Redirect("manageusers.asp");
    }
    
    dbConn = OpenDatabase();
        
        try {
        
            SQL = "SELECT * FROM Users WHERE (Username='" + userid + "') AND (Password='" + password + "') AND (Removed=0)";
            dbRec = Server.CreateObject("ADODB.RecordSet");
    
            dbRec.Open(SQL,dbConn,1,1);
    
            try {
            
                if(!dbRec.EOF)
                {
                    Session("signedin") = true;
                    Session("signinmessage") = "";
                    Session("userid") = Number(dbRec("UserID"));
                    Session("username") = String(dbRec("FullName"));
                    Session("usertype") = Number(dbRec("usertype"));
                    Session("isadmin") = (Number(dbRec("usertype")) == 2)?1:0;
                }
                else
                {
                    Session("signedin") = false;
                    Session("signinmessage") = "User name or password is incorrect";
                    Session("userid") = 0;
                    Session("username") = "";
                    Session("usertype") = 0;
                    Session("isadmin") = 0;
                 }
                
            } catch(e) {}

           dbRec.Close();
           
        } catch(e) {}
        
        dbConn.Close();
	   
        if(Session("signedin") == true)
            Response.Redirect("default.asp");
        else
            Response.Redirect("login.asp");

}

try {
    main();
}
catch(e)
{
    Session("signedin") = false;
    Session("signinmessage") = "User name or password is incorrect";
    Response.Redirect("login.asp");
}
</script>


//saveuser.asp


<script language="javascript" runat="server" src="opendatabase.js"></script>
<script language="javascript" runat="server" src="paramtest.js"></script>
<script language="javascript" runat="server" src="debug.js"></script>

<script language="javascript" runat="server">

function main()
{
    var dbConn,dbRec,SQL;
    var xUserID,xFullName,xUserName,xPassword,xIsAdmin,xTheatres;
    var i,tPassword;
    var isnewuser = false;

    // must be an admin and logged in
    if(!Session("isadmin") || (Session("isadmin") == 0) )
        return;
        
    xFullName   = getqueryteststrparam("fullname",50);
    xUserName   = getqueryteststrparam("username",50);
    xPassword   = getqueryteststrparam("password",30);
    xUserType   = getquerytestnumparam("usertype");
    xTheatres   = ["OFF","OFF","OFF","OFF","OFF","OFF","OFF"];
    xUserID     = parseInt(getqueryteststrparam("userid",6));

    if(xUserID==0)
        isnewuser = true;
        
    for(i=1;i<=7;i++)
        xTheatres[i] = getqueryteststrparam("theatre"+i,3);

    dbConn = OpenDatabase();

    try {

        dbRec = Server.CreateObject("ADODB.RecordSet");

        // check for duplicate a duplicate username - doesn't matter if new or old user

        SQL = "SELECT * FROM Users WHERE (Username = '" + xUserName + "') AND (Removed=0)";
        dbRec.Open(SQL,dbConn,1,1);
        
        if(!dbRec.EOF)
        {
            // if the userid is the same as the incoming one then its ok - name change
            if(xUserID != parseInt(dbRec("UserID")) )
            {
                // uh oh - duplicate user name - don't allow the save to take place
                Response.Cookies("saveduserid") = -1; // set to -1 to flag a duplicate name
                dbRec.Close();
                dbConn.Close();
                return;
            }
        }
        
        dbRec.Close();

        if(isnewuser)
            SQL = "SELECT * FROM Users WHERE 1=2";
        else
            SQL = "SELECT * FROM Users WHERE (UserId = " + xUserID + ")";
        
        dbRec.Open(SQL,dbConn,1,2);

        try {

            if(isnewuser)
            {
                try {
                    dbRec.AddNew();
                } catch(e) { DebugOutput("addnew " + e.description); throw(e); }

                try {
                    dbRec("Password") = xPassword;
                } catch(e) { DebugOutput("addnew2 " + e.description); throw(e); }
                
            }
            else
            {
                 // get the password length
                pwlength = String(dbRec("Password")).length;

                for(i=0,tPassword="";i<pwlength;i++)
                    tPassword += "@";
                    
                if(tPassword != xPassword)
                    dbRec("Password")       = xPassword; // new password

            }

            dbRec("Fullname")       = xFullName;
            dbRec("Username")       = xUserName;
            dbRec("UserType")       = xUserType;
            dbRec("Removed")        = 0;
            dbRec.Update();

            xUserID = parseInt(dbRec("UserID"));
            
        } catch(e) { dbRec.Close(); DebugOutput("1)saveuser.asp error: " + e.description); throw(e); }

        dbRec.Close();

//----------------------------------------------------------------------------------
        // theatre assignments - have to erase the current ones and then repopulate

        if(!isnewuser)
        {
            try {
                SQL = "DELETE FROM Assignments WHERE UserID = " + xUserID;
                dbConn.Execute(SQL);

            } catch(e) { DebugOutput("reset user assignments error: " + e.description); throw(e); }
        }

//----------------------------------------------------------------------------------

        try {
        
        for(i=1;i<=7;i++)
        {
            if(xTheatres[i] == "ON")
            {
                SQL = "SELECT * FROM Assignments WHERE 1=2";
                dbRec.Open(SQL,dbConn,1,2);
                dbRec.AddNew();
                dbRec("UserID") = xUserID;
                dbRec("TheatreID") = i;
                dbRec.Update();
                dbRec.Close();
            }
        }

        } catch(e) { dbRec.Close(); DebugOutput("save user assignments error: " + e.description); throw(e); }

    } catch(e) { dbConn.Close(); throw(e); }

    dbConn.Close();
    Response.Cookies("saveduserid") = xUserID;

}

try { main(); } catch(e) { DebugOutput("saveuserX.asp error: " + e.description); }

</script>


//manageusers.asp


<script language="javascript" runat="server" src="opendatabase.js"></script>
<script language="javascript" runat="server" src="debug.js"></script>
<script language="javascript" runat="server">

// must be a signed in administrator to access this page at all

var gOutput     = "";
var gUserList   = "";

var username    = "";
var userid      = 0;
var srf         = false;
var menus       = "";

function main()
{
    var dbConn,dbRec,SQL;
    var row=0,col=0;
    var xuserid;
    
    if(!Session("signedin") || Session("signedin") == false)
    {
        Session("signinmessage") = "It appears your session has expired.";
        Response.Redirect("login.asp");
    }
    
    if(!Session("isadmin") || (Session("isadmin") == 0) )
    {
        Session("signinmessage") = "The page you attempted to access is available to administrators only";
        Response.Redirect("login.asp");
    }

    userid = parseInt(Session("userid"));
    username = Session("username");

    menus = username;

    if(userid != 0)
        menus += " <br/><a href='default.asp'>Equipment</a>";
        
    menus += "<br/><a href='signout.asp'>Sign out</a>";

    dbConn = OpenDatabase();

    try {
    
        SQL = "SELECT * FROM Theatres";
        dbRec = Server.CreateObject("ADODB.RecordSet");
        
        dbRec.Open(SQL,dbConn,1,1);
        
        try {
        
            while(!dbRec.EOF)
            {
            
                gOutput += "<div style='position: absolute; left: 80pt; top: " + ((row*20)+125) + "pt;'><input id='xTheatre" + dbRec("ID") + "' type='checkbox' /> " + dbRec("Name") + "</div>";
                row++;
                dbRec.MoveNext();
            }
            
        } catch(e) {}
        
        dbRec.Close();
        
    } catch(e) {}
    
    SQL = "SELECT * FROM Users WHERE (Removed = 0) ORDER BY FullName";
    dbRec.Open(SQL,dbConn,1,1);

    gUserList = "<table id='userlist' border='0' cellpadding='0' cellspacing='0' style='width: 100%'>";
    
    while(!dbRec.EOF)
    {
        xuserid = parseInt(dbRec("UserID"));
        gUserList += "<tr><td id='user"+xuserid+"' onclick='userselected(event)' onmousemove='highlightrow(event)' onmouseout='unhighlightrow(event)' style='padding: 2pt; border: 1px solid white'>" + dbRec("Fullname") + "</td></tr>";
        dbRec.MoveNext();
    }

    gUserList += "</table>";
    
    dbConn.Close();

}

try { main(); } catch(e) {}

</script>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<HEAD>
 <TITLE>Manage Users</TITLE>
 <link type="text/css" rel="stylesheet" href="ourstyles.css">
 <style>
    input {font-family: verdana, helvetica, sans-serif; font-size: 10pt}
 </style>
<script type="text/javascript" src="cookies.js"></script>
<script type="text/javascript" src="doasync.js"></script>
<script type="text/javascript" >
var highlightedrow = false;
var currentuserid = 0;
var currentuserinfo = null;

function puserinfo()
{
    this.fullname = "";
    this.username = "";
    this.password = "";
    this.userid = 0;
    this.usertype = 0;
    this.theatres = [0,0,0,0,0,0,0];
    
    return(this);
    
}

function turnoffsolidhighlight()
{
    if(currentuserid != 0 )
    {
        var obj = document.getElementById("user"+currentuserid);
        
        if(obj)
            obj.style.backgroundColor = "white";
    }
    
}

function turnonsolidhighlight(userid)
{
    var obj = document.getElementById("user"+currentuserid);

    if(obj)
        obj.style.backgroundColor = "#C4D1F7";
    
}

function highlightrow(evt)
{
    if(!highlightedrow)
    {
        if(!evt)
//            if(window.event)
                evt = event;

        var element = evt.srcElement ? evt.srcElement : evt.target || evt.currentTarget;
        
        element.style.border = "1px solid #C4D1F7";
        element.style.cursor = "default";
    }
}

function unhighlightrow(evt)
{
    if(!highlightedrow)
    {
        if(!evt)
//            if(window.event)
                evt = event;

        var element = evt.srcElement ? evt.srcElement : evt.target || evt.currentTarget;
        element.style.border = "1px solid white";
    }
}

function userselected(evt)
{
    // get id from the rowid
    var userid;
    var element;
    
    if (!checkforchanges())
        return;

    evt = arguments[0] || event;

    var element = evt.srcElement ? evt.srcElement : evt.target || evt.currentTarget;
    turnoffsolidhighlight();
    userid = parseInt(String(element.id).substring(4))
    currentuserid = userid;
    turnonsolidhighlight(userid);

    sendrequest("getuser.asp?uid=" + userid,usercheck,"userinfo");
}

var tempo = "";

function usercheck()
{
    var x,i;
    var userid;
    var obj;
    var xPassword = "";

    x = getCookie("userinfo");
    
    // for IE - an alert here makes it work - some kind of timing issue with the cookie
    
    if(x == null)
    {
        setTimeout(usercheck,500); // every half second
        return;
    }

    var userinfo = String(unescape(x));
    var useridpos = userinfo.indexOf("'UserID'");

    if(useridpos == -1)
    {
        setTimeout(usercheck,500); // every half second
        return;
    }
    
    userid = parseInt(userinfo.substring(useridpos+9));

    tempo += "userid = " + userid;
    
    if( (userid==0) || (userid != currentuserid) )
    {
        setTimeout(usercheck,500); // every half second
        return;
    }

//    alert(tempo);
    
    // {'fullname':'thefullname','theatres':'[1,5,3,2]','pwlength':'5','usertype':'1','username':'theusersname','UserID":123}
    
    eval( "var temp = " + userinfo );
    
    if(currentuserinfo)
        delete currentuserinfo;
        
    currentuserinfo = new puserinfo();

    currentuserinfo.fullname = temp.fullname;
    currentuserinfo.username = temp.username;
    currentuserinfo.usertype = temp.usertype;
    
    for(i=0;i<7;i++)
        currentuserinfo.theatres[i] = 0;
    
    obj = document.getElementById("xFullName"); obj.value = temp.fullname;
    obj = document.getElementById("xUserName"); obj.value = temp.username;

    for(i=1;i<=7;i++)
    {
        obj = document.getElementById("xTheatre"+i);
        obj.checked = false;
//        obj.disabled = (parseInt(temp.usertype)==1)?"disabled":"";
    }
    
    for(i=0;i<temp.theatres.length;i++)
    {
        obj = document.getElementById("xTheatre"+temp.theatres[i]);
        obj.checked = true;
        currentuserinfo.theatres[parseInt(temp.theatres[i])-1] = 1;
    }
    
    for(i=0;i<temp.pwlength;i++)
        xPassword += "@";

    obj = document.getElementById("xPassword"); obj.value = xPassword;
    obj = document.getElementById("xPassword2"); obj.value = xPassword;
    currentuserinfo.password = xPassword;
    
    obj = document.getElementById("xUserType");
    obj.selectedIndex = temp.usertype;

    setCookie("userinfo","0",0); // erase the cookie
}

function clearform()
{
    var i;
    var obj;
    
    document.getElementById("xFullName").value = "";
    document.getElementById("xUserName").value = ""
    document.getElementById("xPassword").value = "";
    document.getElementById("xPassword2").value = "";
    document.getElementById("xUserType").selectedIndex = 0;

    for(i=1;i<=7;i++)
    {
        obj = document.getElementById("xTheatre"+i);
        obj.checked = false;
//        obj.disabled = "";
    }
        
    if(currentuserinfo)
        delete currentuserinfo;
        
    currentuserinfo = new puserinfo();

    // unhighlight everything
    turnoffsolidhighlight();
    
}

function copyuserinfo()
{
    var i,obj;
    
    if(currentuserinfo)
        delete currentuserinfo;

    currentuserinfo = new puserinfo();

    currentuserinfo.fullname = document.getElementById("xFullName").value;
    currentuserinfo.username = document.getElementById("xUserName").value;
    currentuserinfo.password = document.getElementById("xPassword").value;
    
    for(i=1;i<=7;i++)
    {
        obj = document.getElementById("xTheatre"+i);
        currentuserinfo.theatres[i-1] = (obj.checked)?1:0;
    }
    
    obj = document.getElementById("xUserType");
    currentuserinfo.usertype = obj.selectedIndex;
}

function checkforchanges()
{
    var i;
    var promptstring = "This user's information has changed. Do you wish to continue?";
    
    if(currentuserinfo==null)
    {
        currentuserinfo = new puserinfo();
        return(true);
    }

    if (String(currentuserinfo.fullname).valueOf() != String(document.getElementById("xFullName").value).valueOf())
        return (confirm(promptstring));

    if (String(currentuserinfo.username).valueOf() != String(document.getElementById("xUserName").value).valueOf())
        return(confirm(promptstring));

    var usertype = document.getElementById("xUserType").selectedIndex;
    
    if( currentuserinfo.usertype != usertype ) // if both false or both true then there is no change
        return(confirm(promptstring));

    for(i=0;i<7;i++)
    {
        var istheatrechecked = document.getElementById("xTheatre"+(i+1)).checked;
        
        if( (currentuserinfo.theatres[i] == 1) != istheatrechecked )
            return(confirm(promptstring));
    }

//    document.getElementById("xPassword").value = "";
//    document.getElementById("xPassword2").value = "";

    return(true);
}

function addnewuser()
{
    // check for changes and prompt??
    if(checkforchanges())
    {
        clearform();
        currentuserid = 0; // this lets us know its a new add
    }
}

function insertuser(fullname,userid)
{
    var usertable = document.getElementById("userlist");
    var x;
    var temp;
    // find out which row we need to use - alphabetically by name
    var therows = usertable.rows;
    var thecells;
    var thename = String(fullname).toLowerCase().valueOf();
    
    for(x=0;x<therows.length;x++)
    {
        thecells = therows[x].cells;
        temp = String(thecells[0].innerHTML).toLowerCase().valueOf();
        
        if(thename < temp)
            break;
    }

    var irow,icell;
    irow = usertable.insertRow(x);
    icell = irow.insertCell(0);
    icell.id = "user" + userid;
    icell.style.border = "1px solid white";
    icell.onclick = userselected;
    icell.onmousemove = highlightrow;
    icell.onmouseout = unhighlightrow;
    icell.style.padding = "2pt";
    icell.innerHTML = fullname;
}

function saveuser()
{
    // verify that fields have been filled - check password fields for equivalency
    if(!validatefields())
        return;
        
    var data = "saveuser.asp?userid=" + currentuserid;

    data += "&fullname=" + document.getElementById("xFullName").value;
    data += "&username=" + document.getElementById("xUserName").value;
    data += "&password=" + document.getElementById("xPassword").value;
    data += "&usertype=" + document.getElementById("xUserType").selectedIndex;

    for(i=1;i<=7;i++)
        data += "&theatre" + i + "=" + ((document.getElementById("xTheatre"+i).checked)?"ON":"OFF");

    if(currentuserid == 0)
        sendrequest(data,checkfornewuser,"saveduserid");
    else
        sendrequest(data,checkforsave,"saveduserid");
    
}

function checkforsave()
{
    // watch for -1 which means duplicate username
    var xUserID = getCookie("saveduserid");

    if(xUserID == null)
    {
        setTimeout(checkforsave,500); // every half second
        return;
    }
    
    if(xUserID == -1)
    {
        alert("The username is already being used. Please try again");
        return;
    }

    copyuserinfo(); // so we can test for changes
    
    // if the user's full name has changed then the list must be updated.
    
    // find XUserID - look at the name and see if it matches
    // if it does not match then delete the row and insert a new one
    
    var obj = document.getElementById("user"+xUserID);
    
    if(obj)
    {
        var text = obj.innerHTML;
        var fullname = document.getElementById("xFullName").value;
        
        if(text != fullname)
        {
            deletetablerow(xUserID);
            insertuser(fullname,xUserID);
            turnonsolidhighlight(xUserID);
        }
    }
}

function checkfornewuser()
{
    var xUserID = getCookie("saveduserid");

    if(xUserID == null)
    {
        setTimeout(checkfornewuser,500); // every half second
        return;
    }

    if(xUserID == -1)
    {
        alert("The username is already being used. Please try again");
        return;
    }
    
    turnoffsolidhighlight();
    
    currentuserid = xUserID;
    insertuser(document.getElementById("xFullName").value,xUserID);
    turnonsolidhighlight(xUserID);
    copyuserinfo(); // so we can test for changes
    // take information and insert into table
    setCookie("saveduserid","0",0); // erase the cookie
}

function deleteuser()
{
    if(currentuserid != 0 )
    {
        if(confirm("Are you sure you want to delete this user?"))
            sendrequest("deleteuser.asp?userid="+currentuserid,checkfordelete,"deleteduserid");
    }
}

function deletetablerow(userid)
{
    var usertable = document.getElementById("userlist");
    var x;
    var temp;

    var therows = usertable.rows;
    var thecells;

    for(x=0;x<therows.length;x++)
    {
        thecells = therows[x].cells;

        if( parseInt(String(thecells[0].id).substring(4)) == userid )
        {
            irow = usertable.deleteRow(x);
            break;
        }
    }

}

function checkfordelete()
{
    var xUserID = getCookie("deleteduserid");

    if( (xUserID == null) || (currentuserid != xUserID) )
    {
        setTimeout(checkfordelete,500); // every half second
        return;
    }
    
    // erase the current user and remove from the list
    clearform();
    deletetablerow(currentuserid);
    currentuserid = 0;
}

function validatefields()
{
    var temp;
    var pass1,pass2;
    
    // there must be a name here
    temp = String(document.getElementById("xFullName").value);
    
    if(temp.length==0)
    {
        alert("Please enter your full name.");
        return(false);
    }

    temp = String(document.getElementById("xUserName").value);
    
    if(temp.length < 6)
    {
        alert("Please enter a user name of at least 6 characters.");
        return(false);
    }

    pass1 = String(document.getElementById("xPassword").value);

    if(pass1.length < 6)
    {
        alert("Please enter a password of at least 6 characters.");
        return(false);
    }
    
    pass2 = String(document.getElementById("xPassword2").value);

    if(pass1.valueOf() != pass2.valueOf() )
    {
        alert("The passwords do not match please try again.");
        return(false);
    }
    
    return(true);
    
}

function filterKeyPress(evt)
{
    var keyCode,Char;
    var i;

    if(window.event){
        keyCode = window.event.keyCode;
        evt = window.event;
    }
    else
        if (evt)
            keyCode = evt.which;
        else
            return(true);

//    inputField = evt.srcElement ? evt.srcElement : evt.target || evt.currentTarget;

    Char = String.fromCharCode(keyCode);
    
    if( (Char == "'") || (Char == '"') )
        return(false);

    return(true);

}

function selectUserType()
{
    // disable theatre buttons and ghost the text
    var obj;
    var selectedIndex;
    
    obj = document.getElementById("xUserType");
    selectedIndex = obj.selectedIndex;
    
    for(i=1;i<=7;i++)
    {
        obj = document.getElementById("xTheatre"+i);
//        obj.disabled = (selectedIndex==1)?"disabled":"";
    }
}

</script>
<title>User Manager</title>
</HEAD>
<BODY style="font-family: verdana, helvetica, sans-serif; font-size: 10pt" onload="clearform()">
<img src='images/delfontmackintosh.jpg'>
<div style='position: absolute; left: 190px; top: 17px; padding-top: 0px; width: 437pt' class='theatrename'>User Manager</div>
<div id="username" class="username"><%=menus %></div>
<div style="position: absolute; left: 190px; top: 67px">
<div style="position: absolute; left: 0pt; top: 0pt; width: 180pt; height: 295pt; border: 1px solid black; overflow-y: scroll">
<%=gUserList%>
</div>

<div style="position: absolute; left: 195pt; top: 00pt; width: 240pt; height: 295pt; border: 1px solid black" >

<div style="position: absolute; left: 10pt; top: 13pt;">Full name:</div>
<div style="position: absolute; left: 10pt; top: 33pt;">User name:</div>
<div style="position: absolute; left: 10pt; top: 53pt;">Password:</div>
<div style="position: absolute; left: 10pt; top: 73pt;">Password:</div>
<div style="position: absolute; left: 10pt; top: 98pt;">Role:</div>
<div style="position: absolute; left: 10pt; top: 125pt;">Theatres:</div>

<div style="position: absolute; left: 80pt; top: 10pt;"><input id="xFullName" type="text" style="width: 150pt" /></div>
<div style="position: absolute; left: 80pt; top: 30pt;"><input onKeyPress="return filterKeyPress(event)" id="xUserName" type="text" style="width: 150pt" maxlength=50/></div>
<div style="position: absolute; left: 80pt; top: 50pt;"><input onKeyPress="return filterKeyPress(event)" id="xPassword" type="password" style="width: 150pt" maxlength=30/></div>
<div style="position: absolute; left: 80pt; top: 70pt;"><input onKeyPress="return filterKeyPress(event)" id="xPassword2" type="password" style="width: 150pt" maxlength=30/></div>

<div style="position: absolute; left: 80pt; top: 95pt;">
<select onchange="selectUserType()" id="xUserType" style="width: 153pt">
<option value="0">Theatre Staff</option>
<option value="1">Contractor</option>
<option value="2">Administrator</option>
</select>
</div>


<div style="position: absolute; left: 80pt; top: 117pt; width: 150pt; height: 1pt; background-color: darkgray"></div>
<%=gOutput%>

<div style="position: absolute; left: 10pt; top: 265pt; width: 220pt; height: 1pt; background-color: darkgray"></div>

<div style="position: absolute; left: 10pt; top: 270pt">
<button onclick="addnewuser()" style="padding-right: 10pt">Clear</button>
<button onclick="deleteuser()">Delete</button>
</div>
<button onclick="saveuser()" style="position: absolute; right: 10pt; top: 270pt">Save</button>
</div>
</div>
</BODY>
</HTML>

Open in new window

LVL 1
simonwaitAsked:
Who is Participating?
 
simonwaitAuthor Commented:
I asked a programmer to take a look and they got it working.  The mentioned that they couldnt with the md5.js suppied but used another one instead which is attached
md5.js
0
 
hieloCommented:
>> I am guessing that I will need to encrypt/decrypt the password through the ASP code
Why do you think you need to be able to decrypt the password? Do you have a legitimate need for it? Typically, if all you want/need is an encrypted password and md5 algorithm will suffice. You can find an implementation here:
http://pajhome.org.uk/crypt/md5/
0
 
simonwaitAuthor Commented:
Hielo

Im guessing that the saveuser.asp will encrypt the password and add it to the database.  Do I not then need to get the signinproc.asp to call the encrypted value from the database, decrypt it and then check that the decrypted value and the value entered in the login are the same?  Maybe Im not quite getting something.

Cheers

Simon
0
Cloud Class® Course: SQL Server Core 2016

This course will introduce you to SQL Server Core 2016, as well as teach you about SSMS, data tools, installation, server configuration, using Management Studio, and writing and executing queries.

 
hieloCommented:
>>Do I not then need to get the signinproc.asp to call the encrypted value from the database, decrypt it and then check that the decrypted value and the value entered in the login are the same?
That is absolutely correct - you do NOT need to decrypt the password :)

Let's say the password is "hello". When you save it initially, you first compute the md5 of the password (using to tool on the link I provided above you get):
5d41402abc4b2a76b9719d911017c592

So that is what is atually stored on the db. Now, when the user is attempting to login, you just take the user's input and compute the md5 of that input
var userInput = MD5( Request.Form("password") )

assuming the user correctly typed "hello", then userInput will also have:
5d41402abc4b2a76b9719d911017c592
Now the query will be no different from what you are already doing. The db already has the MD5 and you just computed the MD5 of what the user just typed. IF these match then the password is correct. You don't need to decrypt anything.


Regards,
Hielo
0
 
simonwaitAuthor Commented:
oh yeah!  Simple when you take a step back.  Will check in a bit
0
 
hieloCommented:
>> Simple when you take a step back.
Exactly :)
0
 
simonwaitAuthor Commented:
I now understand the concept but it just doesnt seem to work.  Have tried all sorts but get errors ranging from it just not storing a user or not encrypting to completely stuffing the connection to the database  
0
 
hieloCommented:
>> it just not storing a user,..., to completely stuffing the connection to the database
I don't know what you mean by that, but if the connection is giving you problems, then you won't be able to update the db. So this should be your first priority

>> ...not encrypting
You need to focus on one problem at a time. You say it's not encrypting. Create a new ASP file (encryptionTest.asp) and put the following in it:

<script language="javascript" runat="server" src="md5.js"></script>
<script language="javascript" runat="server">
var str=["hello","greetings"];
for( var i in str)
{
	Response.Write("<p>"+ hex_md5(str[i]) + "</p>");
}
</script>

verify your results with the output of the example on the link I gave you above.

If it is not encrypting, instead of using <script runat="server"...> use the <!--#include..> directive to import the file and put your asp code in between <% and  %> tags/enclosures:
<!--#include file="md5.js" -->
<%
var str=["hello","greetings"];
for( var i in str)
{
	Response.Write("<p>"+ hex_md5(str[i]) + "</p>");
}
%>


Based on the original files you copied above, in:

saveuser.asp you will need to:
  a. include the md5.js file

  b. change this:
      xPassword   = getqueryteststrparam("password",30);

      to this:
      xPassword   = hex_md5(getqueryteststrparam("password",30));

signinproc.asp you will need to:
  a. include the md5.js file
  b. in your main() function, IMMEDIATELY BEFORE:
     dbConn = OpenDatabase();

     add the following:
     password = hex_md5(password);

     So, your main() will start as follows:

function main()
{
    var userid = getformteststrparam("un",50);
    var password = getformteststrparam("pw",50);
    var dbConn,dbRec,SQL;

    if( (userid == "hidden") && (password == "hidden") )
    {
        Session("signedin") = true;
        Session("signinmessage") = "";
        Session("userid") = 0;
        Session("username") = "Back door administrator";
        Session("usertype") = 2;
        Session("isadmin") = 1;
        Response.Redirect("manageusers.asp");
    }
    password = hex_md5(password);
    dbConn = OpenDatabase();
...
}

Open in new window

0
 
simonwaitAuthor Commented:
So I created EncryptionTest.asp and ran it which produced the two correct hashes for hello and greetings.  I then tried saveuser.asp and inserted the code at the top of my code and your adjusted line but it once uploaded it doesnt actually save anything to the db.  Below is now my current code for saveusers.asp
<script language="javascript" runat="server" src="opendatabase.js"></script>
<script language="javascript" runat="server" src="paramtest.js"></script>
<script language="javascript" runat="server" src="md5.js"></script>
<script language="javascript" runat="server">

<script language="javascript" runat="server">

function main()

{
    var dbConn,dbRec,SQL;
    var xUserID,xFullName,xUserName,xPassword,xIsAdmin,xTheatres;
    var i,tPassword;
    var isnewuser = false;

    // must be an admin and logged in
    if(!Session("isadmin") || (Session("isadmin") == 0) )
        return;
        
    xFullName   = getqueryteststrparam("fullname",50);
    xUserName   = getqueryteststrparam("username",50);
    xPassword   = hex_md5(getqueryteststrparam("password",30));
    xUserType   = getquerytestnumparam("usertype");
    xTheatres   = ["OFF","OFF","OFF","OFF","OFF","OFF","OFF"];
    xUserID     = parseInt(getqueryteststrparam("userid",6));

    if(xUserID==0)
        isnewuser = true;
        
    for(i=1;i<=7;i++)
        xTheatres[i] = getqueryteststrparam("theatre"+i,3);

    dbConn = OpenDatabase();

    try {

        dbRec = Server.CreateObject("ADODB.RecordSet");

        // check for duplicate a duplicate username - doesn't matter if new or old user

        SQL = "SELECT * FROM Users WHERE (Username = '" + xUserName + "') AND (Removed=0)";
        dbRec.Open(SQL,dbConn,1,1);
        
        if(!dbRec.EOF)
        {
            // if the userid is the same as the incoming one then its ok - name change
            if(xUserID != parseInt(dbRec("UserID")) )
            {
                // uh oh - duplicate user name - don't allow the save to take place
                Response.Cookies("saveduserid") = -1; // set to -1 to flag a duplicate name
                dbRec.Close();
                dbConn.Close();
                return;
            }
        }
        
        dbRec.Close();

        if(isnewuser)
            SQL = "SELECT * FROM Users WHERE 1=2";
        else
            SQL = "SELECT * FROM Users WHERE (UserId = " + xUserID + ")";
        
        dbRec.Open(SQL,dbConn,1,2);

        try {

            if(isnewuser)
            {
                try {
                    dbRec.AddNew();
                } catch(e) { DebugOutput("addnew " + e.description); throw(e); }

                try {
                    dbRec("Password") = xPassword;
                } catch(e) { DebugOutput("addnew2 " + e.description); throw(e); }
                
            }
            else
            {
                 // get the password length
                pwlength = String(dbRec("Password")).length;

                for(i=0,tPassword="";i<pwlength;i++)
                    tPassword += "@";
                    
                if(tPassword != xPassword)
                    dbRec("Password")       = xPassword; // new password

            }

            dbRec("Fullname")       = xFullName;
            dbRec("Username")       = xUserName;
            dbRec("UserType")       = xUserType;
            dbRec("Removed")        = 0;
            dbRec.Update();

            xUserID = parseInt(dbRec("UserID"));
            
        } catch(e) { dbRec.Close(); DebugOutput("1)saveuser.asp error: " + e.description); throw(e); }

        dbRec.Close();

//----------------------------------------------------------------------------------
        // theatre assignments - have to erase the current ones and then repopulate

        if(!isnewuser)
        {
            try {
                SQL = "DELETE FROM Assignments WHERE UserID = " + xUserID;
                dbConn.Execute(SQL);

            } catch(e) { DebugOutput("reset user assignments error: " + e.description); throw(e); }
        }

//----------------------------------------------------------------------------------

        try {
        
        for(i=1;i<=7;i++)
        {
            if(xTheatres[i] == "ON")
            {
                SQL = "SELECT * FROM Assignments WHERE 1=2";
                dbRec.Open(SQL,dbConn,1,2);
                dbRec.AddNew();
                dbRec("UserID") = xUserID;
                dbRec("TheatreID") = i;
                dbRec.Update();
                dbRec.Close();
            }
        }

        } catch(e) { dbRec.Close(); DebugOutput("save user assignments error: " + e.description); throw(e); }

    } catch(e) { dbConn.Close(); throw(e); }

    dbConn.Close();
    Response.Cookies("saveduserid") = xUserID;

}

try { main(); } catch(e) { DebugOutput("saveuserX.asp error: " + e.description); }
%>
</script>

Open in new window

0
 
hieloCommented:
Is your last post a copy and paste from saveusers.asp? What you posted ends with:
%>
</script>

get rid of the "%>". If you are going to be using <script runat="server"> blocks, you can't mix it with <%...%>
0
 
simonwaitAuthor Commented:
Removed the "%>" but still no joy im afraid
0
 
simonwaitAuthor Commented:
for what its worth if i comment out the

xPassword   = hex_md5(getqueryteststrparam("password",30));

and put back with

xPassword   = getqueryteststrparam("password",30);

the problem is still there however when I remove

<script language="javascript" runat="server" src="md5.js"></script>
<script language="javascript" runat="server">

it saves to the db just not with encryption obviously
0
 
hieloCommented:
Every <script> tag must have a matching </script> .  So, on post ID:31036742, get rid of line 4 since line 6 matches with </script> at the very end.
0
 
simonwaitAuthor Commented:
Tried that but still no joy unfotunatly
0
 
hieloCommented:
Then add Response.Write() statements that would help you figure out what sections/blocks of code are being executed and which ones are not.

This type of feedback:
>>Tried that but still no joy unfotunatly

is not useful to anyone.
<script language="javascript" runat="server" src="opendatabase.js"></script>
<script language="javascript" runat="server" src="paramtest.js"></script>
<script language="javascript" runat="server" src="md5.js"></script>


<script language="javascript" runat="server">

function main()

{
    var dbConn,dbRec,SQL;
    var xUserID,xFullName,xUserName,xPassword,xIsAdmin,xTheatres;
    var i,tPassword;
    var isnewuser = false;

    // must be an admin and logged in
    if(!Session("isadmin") || (Session("isadmin") == 0) )
        return;
        
    xFullName   = getqueryteststrparam("fullname",50);
    xUserName   = getqueryteststrparam("username",50);
    xPassword   = hex_md5(getqueryteststrparam("password",30));
    xUserType   = getquerytestnumparam("usertype");
    xTheatres   = ["OFF","OFF","OFF","OFF","OFF","OFF","OFF"];
    xUserID     = parseInt(getqueryteststrparam("userid",6));

    if(xUserID==0)
        isnewuser = true;
        
    for(i=1;i<=7;i++)
        xTheatres[i] = getqueryteststrparam("theatre"+i,3);

    dbConn = OpenDatabase();

    try {

        dbRec = Server.CreateObject("ADODB.RecordSet");

        // check for duplicate a duplicate username - doesn't matter if new or old user

        SQL = "SELECT * FROM Users WHERE (Username = '" + xUserName + "') AND (Removed=0)";
        dbRec.Open(SQL,dbConn,1,1);
        
        if(!dbRec.EOF)
        {
            // if the userid is the same as the incoming one then its ok - name change
            if(xUserID != parseInt(dbRec("UserID")) )
            {
                // uh oh - duplicate user name - don't allow the save to take place
                Response.Cookies("saveduserid") = -1; // set to -1 to flag a duplicate name
                dbRec.Close();
                dbConn.Close();
                return;
            }
        }
        
        dbRec.Close();

        if(isnewuser)
            SQL = "SELECT * FROM Users WHERE 1=2";
        else
            SQL = "SELECT * FROM Users WHERE (UserId = " + xUserID + ")";
        Response.Write("<br>Line 63: executing " + SQL)
        dbRec.Open(SQL,dbConn,1,2);

        try {

            if(isnewuser)
            {
                try {
                    dbRec.AddNew();
                } catch(e) { DebugOutput("addnew " + e.description); throw(e); }

                try {
                    dbRec("Password") = xPassword;
                } catch(e) { DebugOutput("addnew2 " + e.description); throw(e); }
                
            }
            else
            {
		  	Response.Write("<br>Line 81: existing user found")
                 // get the password length
                pwlength = String(dbRec("Password")).length;

                for(i=0,tPassword="";i<pwlength;i++)
                    tPassword += "@";
                    
                if(tPassword != xPassword)
			 {
			 Response.Write("<br>Line 90: ...attempting to save " + xPassword)
                    dbRec("Password")       = xPassword; // new password
			}

            }

            dbRec("Fullname")       = xFullName;
            dbRec("Username")       = xUserName;
            dbRec("UserType")       = xUserType;
            dbRec("Removed")        = 0;
            dbRec.Update();

            xUserID = parseInt(dbRec("UserID"));
            
        } catch(e) { dbRec.Close(); DebugOutput("1)saveuser.asp error: " + e.description); throw(e); }

        dbRec.Close();

//----------------------------------------------------------------------------------
        // theatre assignments - have to erase the current ones and then repopulate

        if(!isnewuser)
        {
            try {
		  	Response.Writ("<br>Line 114: Deleting "+xUserID+" from Assignments")
                SQL = "DELETE FROM Assignments WHERE UserID = " + xUserID;
                dbConn.Execute(SQL);

            } catch(e) { DebugOutput("reset user assignments error: " + e.description); throw(e); }
        }

//----------------------------------------------------------------------------------

        try {
        
        for(i=1;i<=7;i++)
        {
            if(xTheatres[i] == "ON")
            {
                SQL = "SELECT * FROM Assignments WHERE 1=2";
                dbRec.Open(SQL,dbConn,1,2);
                dbRec.AddNew();
                dbRec("UserID") = xUserID;
                dbRec("TheatreID") = i;
                dbRec.Update();
                dbRec.Close();
            }
        }

        } catch(e) { dbRec.Close(); DebugOutput("save user assignments error: " + e.description); throw(e); }

    } catch(e) { dbConn.Close(); throw(e); }

    dbConn.Close();
    Response.Cookies("saveduserid") = xUserID;

}

try { main(); } catch(e) { DebugOutput("saveuserX.asp error: " + e.description); }

</script>

Open in new window

0
 
hieloCommented:
Did you get a chance to try the updated code above?
0
 
simonwaitAuthor Commented:
Tried it but still with the same result.  Where are these Response.Write statements actually shown?  I basically have the same result.  Enter the new user data, click save there is a quick flash and the persons data is added to the current user list.  When I refresh that list however it isnt there and the database never shows the data
0
 
hieloCommented:
>>Where are these Response.Write statements actually shown?
If you are running the pages as ajax requests, then they would be in the responseText of the ajax object.
If you are calling/executing your pages directly from the browser (either by submitting forms or clicking links) then the result would be shown as part of the result when you attempt to save the data.

Do you have a url?
0
 
simonwaitAuthor Commented:
Yes there is - I have had to use a different database and connection for security reasons but if you go to

http://www.simonwait.me/DMTNewmans/login.asp,
login using ExpertExchange as both user id and password

then navigate to manage users.  In there you will find the page for adding a user.  It is when you click save that the saveuser.asp code comes into play.  Obviously I will need to delete the credentials as soon as possible to put the database back.  I have checked that this issue still happens on the new database so either its a coincidence or it is not a problem with the db or connection to it.

Thanks for you help
0
 
simonwaitAuthor Commented:
Ah - I think I may have a clue - Ive noticed that all the variables such as xUserName and xFullName are sent to the db as objects but once the password is put through the md5 javascript it is a string.  Going to try converting the string to an object (with the help of a popular search engine) and see what happens
0
 
hieloCommented:
I am looking at this now. I just noticed a new entry "simonwait". You said:
"In there you will find the page for adding a user"

So if I go to manageusers.asp, there is NO "add" person correct. To add a person I need to fill in the info and click save?
0
 
simonwaitAuthor Commented:
yes thats correct
0
 
hieloCommented:
is the problem that the password is not saved when:
a. updating a record?
b. adding a new record?
c. Both
0
 
simonwaitAuthor Commented:
Both.  I have managed to do it while debugging on visual studio and iis setup but I only started using them today so still trying to understand what I'm seeing
0
 
simonwaitAuthor Commented:
So my iis version now works consistently, but when I upload to remote server it doesnt?
0
 
hieloCommented:
From what I have managed to trace thus far, it appears that this:
sendrequest("getuser.asp?uid=" + userid,usercheck,"userinfo");

ultiamately contacts getuser.asp?uid=17

for ExpertExchange account, BUT that particular asp page is not returning anything. I placed an alert in usercheck and it shows up blank.
0
 
simonwaitAuthor Commented:
Is there a way that the object which is initially entered into the md5 javascript can remain an object and not be converted to a string (and retain the length data)  I think that is contributing to the problem
0
 
hieloCommented:
disregard post ID:31385704. I now realize that you end up with a blank page because the data is "returned" via a cookie!

>>Is there a way that the object which is initially entered into the md5 javascript can remain an object and not be converted to a string (and retain the length data)  I think that is contributing to the problem
Can you clarify? I don't follow. The hex_md5() function expect as input a string (not an Object) and then returns a string as well. So you should be assigning the result of hex_md5 to some variable. IF you need to use this result across multiple files, then perhaps saving it to Session variable might help.
0
 
simonwaitAuthor Commented:
Up until a couple of days ago I had a copy of the site running on iis with me debugging through visual studio.  when i stepped through andwatched the locals window, xFullName and xUserName would be set as objects when the variable was set.  When it then came to the xPassword this would be an object through the paramtest stage and would then go into hex_md5() as an object.  it would then however come out as a string.  This seemed to work OK on iis but when I uploaded to my godaddy server it wouldnt work.  I was guessing that this was in the jump from object to string?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.