help with asp ... security levels

Explorer, Mar 29, 2007
I made a change to the security level for the end user: I added a security feature by adding 12345 to their security level.

<%@LANGUAGE="VBSCRIPT"%>
<%Option Explicit%>
<%
'check to see if the page is submitted
Dim validLogin
Dim strErrorMessage
Dim intLevel
Dim sLevel

If (Request.Form("uname")<>"") Then
'user has submitted the form
'get the entered values and hit the database
Dim strUserName
Dim strPassword

'going to use an implicit connection, no connection object needed
Dim objRS
strUserName = UCase(Request.Form("uname"))
strPassword = UCase(Request.Form("pwd"))

Response.Write(strUserName) 'debug output: write the variable, not the literal text "strUserName"

'prepare the RS
Set objRS = Server.CreateObject("ADODB.Recordset")
'set the sql statement
objRS.Source = "SELECT * FROM tblEmployee WHERE strEmpUserName = '" & strUserName & "' AND strEmpPassword = '" & strPassword & "'"
' heres the implicit connection
objRS.ActiveConnection = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\Inetpub\db\IMPCustomers.mdb"
objRS.CursorType = 0
objRS.CursorLocation = 3
objRS.Open

'check for EOF
If(objRS.EOF) Then
'no records matched, invalid login
Response.Redirect("invalidLogin.asp")
'strErrorMessage = "Invalid Login. Try Again."
validLogin = false
Else
'added intLevel to add more security on 3/29/07
intLevel = Cint(objRS("intEmpSecurityLevel"))
intLevel = intLevel + 12345
sLevel = intLevel
'valid login, set session variables
Session("username") = UCase(strUserName)
Session("userpass") = UCase(strPassword)
Session("sLevel") = sLevel
'Session("sLevel") = objRS("intEmpSecurityLevel") - changed to add more security on 3/29/07
Session("fn") = objRS("strEmpFN")
'release the RS
Set objRS.ActiveConnection = Nothing
Set objRS = nothing
'redirect off this page
Response.Redirect("custSearch.asp")
End If
End If
%>

I'm now having trouble removing the 12345 from their security level in the custSearch.asp.

<%@LANGUAGE="VBSCRIPT"%>
<%Option Explicit%>
<%

Dim strUserName
Dim strPassword
Dim intSLevel
Dim isum
Dim intS
Dim intNewSLevel
Dim sLevel
Dim strFN
Dim strErrorMessage
Dim strError

'get pass parameters
strUserName = Session("username")
strPassword = Session("userpass")
intSLevel = Session("sLevel")
'no level in the session means the user never went through the login page
If IsEmpty(intSLevel) Or intSLevel = "" Then
Response.Redirect("invalidLogin.asp")
End If
'add on 3/29/07 for security
'get the security level from the session value read above
'(sLevel was declared but never assigned here, so isum was always Empty and the subtraction failed)
isum = CInt(intSLevel)
'take isum which contains the stored level and subtract 12345 from it
isum = isum - 12345
'now intS equals security level in the db
intS = isum
'put into a session
Session("intS") = intS

strFN = Session("fn")
strErrorMessage = ("strError")

'If strErrorMessage = "" Then
'strError = "There is no customer with that last name."
'End If

%>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" " http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns=" http://www.w3.org/1999/xhtml">
<head>
<title>Employee Intranet - Customer Database, Search for a particular customer.</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />

<link rel="stylesheet" type="text/css" href="../css/pop_style.css" />
<link rel="stylesheet" type="text/css" href="../css/forms.css" />

<style type="text/css">
/* HTML selectors start here */
h2 {
margin-bottom:15px;
}

p {
margin-bottom:20px;
}

hr {
border:thin;
border-color:#CCCCCC;
border-style:dotted;
width:100%;
text-align:center;
}

table {
width:300;
align:center;
cellpadding:2px;
cellspacing:2px;
margin-left:30%;
}

td {
font-size:14px;
font-style:normal;
font-weight:normal;
border:0;
padding:0;
}

/* HTML selectors end here */

/* ID selectors start */
#mainText {
height:400px;
font-family:Arial, Helvetica, sans-serif;
font-size:14px;
text-align:left;
margin-left:1%;
margin-right:1%;
padding: 10px 5px;
word-spacing:1px;
letter-spacing:1px;
}


/* id ends here */
</style>

<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) { //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>
</head>

<body>
<!-- CASCADING POPUP MENUS v5.2 by Angus Turnbill http://www.twinhelix.com -->
<script language="javascript" type="text/javascript" src="../js/pop_core.js"></script>
<script language="javascript" type="text/javascript" src="../js/pop_data.js"></script>

<!-- border begins here -->
<div id="border">

<!-- second nav start here -->
<div id="secNavBar"><a href="../index.htm">Home</a>  |  <a href="../htm/quality.htm">Quality</a>  |  <a href="../htm/contactUs.htm">Contact Us</a>  | <a href="../htm/siteMap.htm"> Site Map</a></div>

<!-- logo starts here -->
<div id="logo">
<img src="../art/NewLogo.jpg" alt="Logo of IMPulse NC, INC." usemap="#Map" />
<map name="Map" id="Map">
<area shape="rect" coords="5,3,280,74" href="../index.htm" alt="Return to home page" />
</map>
</div>

<!-- primary navigation div tags starts here -->
<div id="priNav">
<a id="home" name="home" style="visibility:hidden;">Home</a>
<!-- primary navigation div tags ends here -->
</div>

<!-- main text starts here -->
<div id="mainText">
<h2>Customer Database </h2>

<p style="font-size:14px;font-style:normal;font-weight:normal;">Welcome <%=strFN%></p>

<p style="font-size:14px;font-style:normal;font-weight:normal;">Please search for a customer by using the fields below. You can use one field or multiple fields for your search.</p>
<!-- signIn form starts here -->
<div id="signIn">
<div id="CSearch">
<table>
<form action="results.asp" method="post" name="search" id="search">
<tr>
<td width="98" height="29">Last Name:</td>
<td width="150" tabindex="1"><input type="text" name="clname" size="25" maxlength="25" /></td>
</tr>
<tr>
<td height="30">First Name:</td>
<td tabindex="2"><input type="text" size="25" maxlength="25" name="cfname" /></td>
</tr>
<tr>
<td height="30">Company:</td>
<td tabindex="3"><input type="text" size="25" maxlength="25" name="ccomp" /></td>
</tr>
<tr>
<td height="48" colspan="2" tabindex="4">
<input type="submit" name="login" value="Submit" />
<input type="reset" name="Reset" value="Reset" />
<a href="logOut.asp">
<input type="button" name="logOut" value="Log Out" />
</a> </td>
</tr>
</form>
</table>
<!-- customer search form ends here -->
</div>
<blockquote> </blockquote>
<!-- signIn form ends here -->
</div>

<!-- main text ends here -->
</div>

<div id="btm_Bar">
100 IMPulse Way • Mount Olive, North Carolina 28365 • Main (919) 658-2200 • Fax (919) 658-2268<br /> &copy;2006 IMPulse NC, Inc. All Rights Reserved. </div>
</div>

<script language="javascript" type="text/javascript" src="../js/pop_events.js"></script>

<!-- Places text blinker in the uname text box thru javascript -->
<script language="javascript" type="text/javascript">
{
document.search.clname.focus();
}
</script>
<!-- javascript ends here -->

<%
'debug output of the session values
'(Response.Write is a Sub, so the "& "<br />"" has to be part of its argument, not appended after the call)
Response.Write Session("username") & "<br />"
Response.Write Session("userpass") & "<br />"
Response.Write Session("sLevel") & "<br />"
Response.Write Session("intS") & "<br />"
%>

</body>
</html>

What am I doing wrong?
Contributor, Mar 29, 2007
I don't see how you are adding any extra security by adding 12345. You are just changing their security level. The security level is stored in a session variable anyway, so what's the point of adding 12345?
LEGEND, Mar 29, 2007
"pqer" <webforumsuser@macromedia.com> wrote in message
news:eugsik$kt5$1@forums.macromedia.com...
> What am I doing wrong?

1. You're allowing unfiltered user input into your SQL query. I could do
some horrible damage to your system.
2. You have SELECT * in your query.
3. You're doing something that doesn't make any sense. Why add a constant
to the security level just to subtract it again when you actually want to
use it? You're just making more work for yourself. There is no benefit
there.


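As an added example (not the original poster's code and not code from either reply), here is the login lookup rewritten along the lines of the third reply: a parameterised ADODB.Command instead of string concatenation, an explicit column list instead of SELECT *, and the security level stored in the session exactly as it comes from the database. A session variable lives on the server and is never sent to the browser, so adding 12345 to it and subtracting it again on the next page gains nothing and was the source of the bug in custSearch.asp. Table and column names and the .mdb path are taken from the original post; the parameter size of 50 is an assumed column width.

```vbscript
<%@LANGUAGE="VBSCRIPT"%>
<%Option Explicit%>
<%
' Added example: parameterised login against tblEmployee.
' Table/column names and the database path come from the original post;
' the parameter width (50) is an assumption.
Dim strUserName, strPassword
Dim objConn, objCmd, objRS

If Request.Form("uname") <> "" Then
    strUserName = UCase(Request.Form("uname"))
    strPassword = UCase(Request.Form("pwd"))

    Set objConn = Server.CreateObject("ADODB.Connection")
    objConn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\Inetpub\db\IMPCustomers.mdb"

    ' The user input never becomes part of the SQL text. A value such as
    ' ' OR '1'='1 is compared as data by the provider, not parsed as SQL.
    Set objCmd = Server.CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    objCmd.CommandType = 1   ' adCmdText
    objCmd.CommandText = "SELECT intEmpSecurityLevel, strEmpFN FROM tblEmployee " & _
                         "WHERE strEmpUserName = ? AND strEmpPassword = ?"
    ' CreateParameter(name, type, direction, size, value): adVarChar = 200, adParamInput = 1
    objCmd.Parameters.Append objCmd.CreateParameter("uname", 200, 1, 50, strUserName)
    objCmd.Parameters.Append objCmd.CreateParameter("pwd", 200, 1, 50, strPassword)

    Set objRS = objCmd.Execute

    If objRS.EOF Then
        ' no matching row: invalid login
        objRS.Close
        objConn.Close
        Response.Redirect "invalidLogin.asp"
    Else
        ' Keep only what later pages need. The password is not copied into the
        ' session, and the level is stored as the integer from the database, so
        ' custSearch.asp can read Session("sLevel") directly with no subtraction.
        Session("username") = strUserName
        Session("sLevel") = CInt(objRS("intEmpSecurityLevel"))
        Session("fn") = objRS("strEmpFN")
        objRS.Close
        objConn.Close
        Response.Redirect "custSearch.asp"
    End If
End If
%>
```

This addresses only the three points raised in the reply; it deliberately keeps the post's plain-text, upper-cased password comparison against strEmpPassword unchanged. On custSearch.asp the matching change is to read `Session("sLevel")` as the level itself and drop the `isum`/`intS` arithmetic and the `Session("userpass")` lookup.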