PLUGGING VALUES INTO URL TO VERIFY - HELP !!! 1

kingjjx

Programmer
Sep 18, 2001
181
US
Hi, I was wondering if anyone can help me with this quickly.

I created a log in button where our customers can just click the button and it will log them in this members page.

The code looks like this:

<FORM NAME="CFForm_1" ACTION=" METHOD=POST >
<INPUT TYPE="hidden" NAME="username" value="dan"><br>
<INPUT TYPE="hidden" NAME="password" value="dynojet"><br>
<input type="SUBMIT" value="Login" name="login">
</FORM>


As you can see, the username= dan .. and password= dynojet

What I want now, is inserting this in the URL instead of creating a button with hidden values.
Example would be something that looks like this:


How will the URL look if I want to do it this way? (It will be passed to a page called login_action) that looks like this:




<cfif NOT IsDefined ('form.username')>
<cflocation url="login_button.cfm" addtoken="No">
</cfif>

<!--- form values go into the SQL text unchecked --->
<cfquery name="gilwayb" datasource="AuthorizedUsers">
SELECT *
FROM Users
WHERE USERNAME = '#FORM.username#'
AND PASSWORD = '#FORM.password#'
</cfquery>

<CFIF gilwayb.RecordCount IS 0>
<!--- cflocation stops page processing, so clear the session before redirecting --->
<CFSET StructClear(Session)>
<cflocation url="noentry.cfm" addtoken="No">
<cfelse>
<!--- set the session values only after a matching row was found --->
<CFSET Session.LoggedIn = "1">
<CFSET Session.Fname = "#gilwayb.FName#">
<cflocation url="welcome.cfm" addtoken="No">
</cfif>


thanks
-jon
 
The delimiter between name/value pairs is an ampersand, so it would look like this:


Be aware, though, that you're opening the floodgates for hacking your database by passing variables unchecked into your database. Imagine what would happen if someone passed the following form values to your page:
Code:
<input type="hidden" name="username" value="dan">
<input type="hidden" name="password" value="' or 1=1; drop table users; --">
If the account that you use to log in to your database server had the privileges, a malicious user has just deleted your users table. I strongly encourage you to check all variables before you pass them into a query. For more information, read the following article:

 
Hey, so what would the CFQUERY in authenticate.cfm look like?

I thought I got it but it didn't work.
I tried using :

<CFQUERY NAME="Check_User" DATASOURCE="AuthorizedUsers">
SELECT * FROM Users WHERE username= #URL.username# and password=#URL.password#
</cfquery>


PLEASE HELP !
 
Code:
<CFQUERY NAME="Check_User" DATASOURCE="AuthorizedUsers">
SELECT * FROM Users WHERE username= '#URL.username#' and password='#URL.password#'
</cfquery>
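
Added example, not part of the thread or any poster's code: the quoted query above still builds its SQL text from request values, so this sketch of login_action binds them with cfqueryparam instead and sets the session only after a row matches. The selected column list and the maxlength values are assumptions; the datasource, table, column and page names are the ones used in the thread.

```cfml
<!--- Added example: login_action with bound parameters (not the posters' code). --->
<!--- Assumption: USERNAME and PASSWORD are text columns of at most 50 characters. --->

<!--- Accept credentials from the POSTed form scope only, not from the URL scope, --->
<!--- so they do not end up in browser history, proxy logs or Referer headers. --->
<cfif NOT (IsDefined("form.username") AND IsDefined("form.password"))>
    <cflocation url="login_button.cfm" addtoken="No">
</cfif>

<cfquery name="gilwayb" datasource="AuthorizedUsers">
    SELECT FName
    FROM Users
    WHERE USERNAME = <cfqueryparam value="#form.username#"
                                   cfsqltype="CF_SQL_VARCHAR" maxlength="50">
    AND PASSWORD = <cfqueryparam value="#form.password#"
                                 cfsqltype="CF_SQL_VARCHAR" maxlength="50">
</cfquery>
<!--- Each value is sent to the driver as a bound parameter, so input such as --->
<!--- ' or 1=1; drop table users; -- is compared as a literal string and simply --->
<!--- matches no row. Values longer than maxlength are rejected before the query runs. --->

<cfif gilwayb.RecordCount IS 0>
    <!--- Failed login: remove any login state before redirecting, --->
    <!--- because cflocation stops processing of the current page. --->
    <cfset StructDelete(Session, "LoggedIn")>
    <cfset StructDelete(Session, "Fname")>
    <cflocation url="noentry.cfm" addtoken="No">
<cfelse>
    <!--- Successful login: set session values only now. --->
    <cfset Session.LoggedIn = "1">
    <cfset Session.Fname = gilwayb.FName>
    <cflocation url="welcome.cfm" addtoken="No">
</cfif>
```

Running the datasource under a database account that cannot drop or alter tables limits the damage if any other query on the site is still built by string interpolation.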
 
Hey, that's also what I thought would work .. but it's giving me this error:

Error Diagnostic Information
ODBC Error Code = 07001 (Wrong number of parameters)


[Microsoft][ODBC Microsoft Access Driver] Too few parameters. Expected 1.

Hint: The cause of this error is usually that your query contains a reference to a field which does not exist. You should verify that the fields included in your query exist and that you have specified their names correctly.



WHAT DO YOU THINK IS WRONG ??
 
HEY, I GOT THIS TO WORK .. SO THANKS FOR YOUR HELP.
 