Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Problem with using a value from a form

Status
Not open for further replies.
Jahappz

Jahappz

Technical User
Jun 3, 2002
133
SE
There is 3 pages
Page 1: (login.asp)

<!--#INCLUDE file=&quot;dbase.asp&quot;-->
<%lg = request(&quot;lg&quot;)%>
<html>
<head>
<title>Login</title>
<script>
</script>
</head>
<body>
<center>
<img src=&quot;baktop1.jpg&quot; border=&quot;0&quot;>
<form method=&quot;post&quot; name=&quot;f1&quot; action=&quot;login2.asp&quot;>
<table cellpadding=5 cellspacing=0 border=0>
<tr>
<td>&nbsp;&nbsp;Användarnamn:</font></td>
<td><input type=&quot;text&quot; size=&quot;15&quot; name=&quot;username&quot; maxlength=&quot;10&quot; style=&quot;font-size:13px;font-face:arial;width:100px&quot;>&nbsp;&nbsp;</td>
</tr>
<tr>
<td>&nbsp;&nbsp;Lösenord:</font></td>
<td><input type=&quot;password&quot; size=&quot;15&quot; name=&quot;password&quot; maxlength=&quot;10&quot; style=&quot;font-size:13px;font-face:arial;width:100px&quot;>&nbsp;&nbsp;</td>
</tr>
<tr>
<td></td>
<td><input type=&quot;Submit&quot; value=&quot;Login&quot; name=&quot;submit&quot; style=&quot;font-size:13px;font-face:arial;width:80px&quot;></td>
</tr>
</table>
</form>
<%if lg=&quot;nousername&quot; then%>
<font color=red>Bad username</font>
<%elseif lg=&quot;nopassword&quot; then%>
<font color=red>Bad password</font>
<%end if%>


</center>
</body>
</html>

Page2: (login2.asp)

<% Option Explicit %>
<!--#INCLUDE file=&quot;dbase.asp&quot;-->
<%
dim conn, rs, sql
Set conn = Server.CreateObject(&quot;ADODB.Connection&quot;)
Set rs = Server.CreateObject(&quot;ADODB.Recordset&quot;)
sql = &quot;SELECT * FROM lev WHERE AfUsername ='&quot; & request(&quot;username&quot;) & &quot;'&quot;
Conn.Open dsn
rs.open sql, conn
If NOT rs.EOF Then

If request(&quot;password&quot;) = rs(&quot;password&quot;) Then
session(&quot;AfLogin&quot;) = &quot;true&quot;

Session(&quot;AfUsername&quot;) = request(&quot;username&quot;)
if Session(&quot;AfUsername&quot;) = &quot;admin&quot; then
Response.Redirect &quot;admin.asp&quot;
else
Response.Redirect &quot;lager.asp&quot;
end if
else
Session(&quot;AfLogin&quot;) = &quot;false&quot;
Response.Redirect &quot;login.asp?lg=nopassword&quot;
End If

Else
Session(&quot;AfLogin&quot;) = &quot;false&quot;
response.redirect &quot;login.asp?lg=nousername&quot;
End If%>


Page 3 : lager.asp

This page displays the results of what user that logins

sql = &quot;SELECT * FROM PULAGER Where not D1132='0' AND D18020 LIKE '%&quot; & Request.Form(&quot;Username&quot;) & &quot;%' &quot;

but it doesnt work. it shows all posts in the table instead of only the posts where the username match with the posts...

What is wrong???
 
Sort by date Sort by votes
lager.asp is attempting to read from the HTTP POST. This data is no longer there. Only login2.asp can see this data. lager.asp is called with HTTP GET when you do

Response.Redirect &quot;lager.asp&quot;

change the following line in lager.asp from:

sql = &quot;SELECT * FROM PULAGER Where not D1132='0' AND D18020 LIKE '%&quot; & Request.Form(&quot;Username&quot;) & &quot;%' &quot;

to

sql = &quot;SELECT * FROM PULAGER Where not D1132='0' AND D18020 LIKE '%&quot; & Session(&quot;AfUsername&quot;) & &quot;%' &quot;


You should also use &quot;.Item&quot; when you read data from the &quot;Request&quot; object. This makes sure you get the String value from the request instead of the pointer to the Request.Form object.

Hope this helps.
 
Upvote 0 Downvote
Or the other way is

if Session(&quot;AfUsername&quot;) = &quot;admin&quot; then
Response.Redirect &quot;admin.asp&quot;
else
Response.Redirect &quot;lager.asp?UserName=&quot;&Session(&quot;afusername&quot;)
end if


and then in the lager.asp

use request.querystring(&quot;UserName&quot;) instead of request.form(&quot;UserName&quot;)

 
Upvote 0 Downvote
you'd better not use request().
use request.querystring() and request.form(); then you are 'sure' were your values are comming from.

this login is vunarable to SQL injection and that kind of tricks:

Type in the browser:

login2.asp?username=admin' or AfUsername='foxbox' order by username desc&password=<my password>

(in case i have an id 'foxbox' and then of course i know my own password)

and the sql becomes:

SELECT * FROM lev WHERE AfUsername ='admin' or Afusername='foxbox' order by username desc&password=<my password>


now this

If request(&quot;password&quot;) = rs(&quot;password&quot;)

is true, thus
Session(&quot;AfUsername&quot;) = request(&quot;username&quot;)
' which is 'admin' . . . .



simply changing request() into request.form() is not enough, you must also replace( sql, &quot;'&quot;, &quot;''&quot;)







hth,
Foxbox
ttmug.gif
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

leifoet
  • Locked
  • Question
How to send HTML emails with ASP classic?
Replies
0
Views
816
leifoet
leifoet
JScannell
  • Locked
  • Question
Border issue with Google Chrome on an Android phone
Replies
0
Views
566
JScannell
JScannell
penguinspeaks
  • Locked
  • Question
Start loop from a specified point
Replies
0
Views
489
penguinspeaks
penguinspeaks
penguinspeaks
  • Locked
  • Question
Parse a database field that is comma delimited and input the results into another table
Replies
0
Views
557
penguinspeaks
penguinspeaks
leifoet
  • Locked
  • Question
Wrong code in a href ?
Replies
1
Views
564
leifoet
leifoet

Part and Inventory Search

Sponsor

Back
Top