Basic Login Validation

ASP Free Forums Sponsor:

May 3rd, 2007, 08:33 AM

degsy

Contributing User

ASP Free God 2nd Plane (6000 - 6499 posts)

Join Date: Aug 2005

Location: North East, UK

Posts: 6,191

Time spent in forums: 3 Weeks 4 Days 19 h 41 m 52 sec
Reputation Power: 121

Basic Login Validation

Here are some examples of validating a user login to an Access database.

You have a database containing usernames and passwords

Code:

id	username	password
1	User1	        Mypass
2	user2	        12345
3	User3	        abcd
4	Testuser1	pass123
5	Testuser2	abc123

You have a simple form for the user to enter their login details

Code:

<form name="form1" method="post" action="">
  <table width="200" border="1" cellspacing="0" cellpadding="5">
    <tr>
      <td>UserName</td>
      <td><input name="username" type="text" id="username"></td>
    </tr>
    <tr>
      <td>Password</td>
      <td><input name="password" type="password" id="password"></td>
    </tr>
    <tr>
      <td>&nbsp;</td>
      <td><input type="submit" name="Submit" value="Submit"></td>
    </tr>
  </table>
</form>

Here is some basic code to login the user

1) Check if the form has been submitted
2) Connect to the database
3) Query the database and create a recordset
4) Check if the recordset is empty or not
5) Output message to the user

asp Code:

Original - asp Code

If Len(Request.Form) > 0 Then
 
    ConnDB = Server.MapPath("basic_validation.mdb")
    
    Set Conn = Server.CreateObject("ADODB.Connection")
    Conn.Provider = "Microsoft.Jet.OLEDB.4.0"
    Conn.Open ConnDB
    
    Set rs = Server.CreateObject("ADODB.Recordset")
    rsSQL = "SELECT id, username, password FROM Users" &_
            " WHERE username = '" & Request.Form("username") & "'" &_
            " AND password = '" & Request.Form("password") & "'"
    
    '---------------------
    '## DEBUG ##
    'Response.Write rsSQL
    'Response.End()
    '---------------------
    
    rs.Open rsSQL,Conn
    
    If Not rs.EOF Then
        msg = "Login successful"
    Else
        msg = "Login details not found"
    End If
    
    rs.Close
    Set rs = Nothing
    
    Conn.Close
    Set Conn = Nothing
End If

This will work but it has several problems.
These include the lack of data validation, sanitization of data to prevent SQL Injection attacks and outputting relevant messages to the user.

Comments on this post

lewy agrees: Very nice script and explanation. Excellent job

__________________
CyberTechHelp

May 3rd, 2007, 08:48 AM

degsy

Contributing User

Join Date: Aug 2005

Location: North East, UK

Posts: 6,191

Time spent in forums: 3 Weeks 4 Days 19 h 41 m 52 sec
Reputation Power: 121

There are somethings that can be done before connecting to or querying the database.

The first is to validate the submitted data

asp Code:

Original - asp Code

<%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
<%
'Check if form has been submitted
If Len(Request.Form) > 0 Then
	
	'Request the form fields and assign them to local variables
	username = Request.Form("username")
	password = Request.Form("password")
	
	'Validate the data
	If username = "" Or password = "" Then
		'If there are errors then create an errMsg variable
		errMsg = "Please enter your login details"
	End If
	
	'If everything is ok and their is no errMsg then proceed to the database query
	If errMsg = "" Then
		ConnDB = Server.MapPath("basic_validation.mdb")
		
		Set Conn = Server.CreateObject("ADODB.Connection")
		Conn.Provider = "Microsoft.Jet.OLEDB.4.0"
		Conn.Open ConnDB
		
		Set rs = Server.CreateObject("ADODB.Recordset")
		
		'Create a SQL query to request the user details from the submitted data
		rsSQL = "SELECT id, username, password FROM Users" &_
				" WHERE username = '" & username & "'" &_
				" AND password = '" & password & "'"
		
		'---------------------
		'## DEBUG ##
		'Response.Write rsSQL
		'Response.End()
		'---------------------
		
		rs.Open rsSQL,Conn
		
		'Check if the recordset contains a record
		If Not rs.EOF Then
			'If it does then assign local variables for the user details
			id = rs("id")
			username = rs("username")
			password = rs("password")
			
			'Create a msg variable to output to the user
			msg = "Login successful"
		Else
			'If there are errors then create an errMsg variable
			errMsg = "Login details not found"
		End If
		
		rs.Close
		Set rs = Nothing
		
		Conn.Close
		Set Conn = Nothing
	End If
End If
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Basic validation</title>

<body>
<div>
<% If msg <> "" Then 'Output msg to user%>
<span class="msg"><%=msg%></span>
<p>Welcome <%=username%>, your user ID is <%=id%> and your password is <%=password%></p>
<% ElseIf errMsg <> "" Then 'Output errMsg to user%>
<span class="error">Error: <%=errMsg%></span>
<% End If %>
</div>
<form name="form1" method="post" action="">
  <table width="200" border="1" cellspacing="0" cellpadding="5">
    <tr>
      <td>UserName</td>
      <td><input name="username" type="text" id="username"></td>
    </tr>
    <tr>
      <td>Password</td>
      <td><input name="password" type="password" id="password"></td>
    </tr>
    <tr>
      <td>&nbsp;</td>
      <td><input type="submit" name="Submit" value="Submit"></td>
    </tr>
  </table>
</form>
</body>
</html>

<%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
<%
'Check if form has been submitted
If Len(Request.Form) > 0 Then
    
    'Request the form fields and assign them to local variables
    username = Request.Form("username")
    password = Request.Form("password")
    
    'Validate the data
    If username = "" Or password = "" Then
        'If there are errors then create an errMsg variable
        errMsg = "Please enter your login details"
    End If
    
    'If everything is ok and their is no errMsg then proceed to the database query
    If errMsg = "" Then
        ConnDB = Server.MapPath("basic_validation.mdb")
        
        Set Conn = Server.CreateObject("ADODB.Connection")
        Conn.Provider = "Microsoft.Jet.OLEDB.4.0"
        Conn.Open ConnDB
        
        Set rs = Server.CreateObject("ADODB.Recordset")
        
        'Create a SQL query to request the user details from the submitted data
        rsSQL = "SELECT id, username, password FROM Users" &_
                " WHERE username = '" & username & "'" &_
                " AND password = '" & password & "'"
        
        '---------------------
        '## DEBUG ##
        'Response.Write rsSQL
        'Response.End()
        '---------------------
        
        rs.Open rsSQL,Conn
        
        'Check if the recordset contains a record
        If Not rs.EOF Then
            'If it does then assign local variables for the user details
            id = rs("id")
            username = rs("username")
            password = rs("password")
            
            'Create a msg variable to output to the user
            msg = "Login successful"
        Else
            'If there are errors then create an errMsg variable
            errMsg = "Login details not found"
        End If
        
        rs.Close
        Set rs = Nothing
        
        Conn.Close
        Set Conn = Nothing
    End If
End If
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Basic validation</title>
 
<style type="text/css">
<!--
.msg {
    color: #330099;
    background-color: #66CCFF;
    font-family: Arial, Helvetica, sans-serif;
    font-weight: bold;
}
.error {
    color: #FF0000;
    background-color: #FFFF00;
    font-family: "Courier New", Courier, mono;
}
-->
</style>
</head>
 
<body>
<div>
<% If msg <> "" Then 'Output msg to user%>
<span class="msg"><%=msg%></span>
<p>Welcome <%=username%>, your user ID is <%=id%> and your password is <%=password%></p>
<% ElseIf errMsg <> "" Then 'Output errMsg to user%>
<span class="error">Error: <%=errMsg%></span>
<% End If %>
</div>
<form name="form1" method="post" action="">
  <table width="200" border="1" cellspacing="0" cellpadding="5">
    <tr>
      <td>UserName</td>
      <td><input name="username" type="text" id="username"></td>
    </tr>
    <tr>
      <td>Password</td>
      <td><input name="password" type="password" id="password"></td>
    </tr>
    <tr>
      <td>&nbsp;</td>
      <td><input type="submit" name="Submit" value="Submit"></td>
    </tr>
  </table>
</form>
</body>
</html>

This is the part where the data is requested then validated

asp Code:

Original - asp Code
username = Request.Form("username") password = Request.Form("password") 'Validate the data If username = "" Or password = "" Then 'If there are errors then create an errMsg variable errMsg = "Please enter your login details" End If

username = Request.Form("username")
    password = Request.Form("password")
    
    'Validate the data
    If username = "" Or password = "" Then
        'If there are errors then create an errMsg variable
        errMsg = "Please enter your login details"
    End If

Then we can output a simple message to the user if the user doesn't enter any data

Quote:

Error: Please enter your login details

To expand on this validation you can validate the variables seperately and construct the errMsg variable

asp Code:

Original - asp Code
If username = "" Then errMsg = errMsg & "Please enter your username<br>" End If If password = "" Then errMsg = errMsg & "Please enter your password<br>" End If

If username = "" Then
        errMsg = errMsg & "Please enter your username<br>"
    End If
    
    If password = "" Then
        errMsg = errMsg & "Please enter your password<br>"
    End If

Quote:

Error: There were problems with your submission
Please enter your username
Please enter your password

If the user enters incorrect details then they will receive an error message

asp Code:

Original - asp Code
If Not rs.EOF Then 'If it does then assign local variables for the user details id = rs("id") username = rs("username") password = rs("password") 'Create a msg variable to output to the user msg = "Login successful" Else 'If there are errors then create an errMsg variable errMsg = "Login details not found" End If

If Not rs.EOF Then
            'If it does then assign local variables for the user details
            id = rs("id")
            username = rs("username")
            password = rs("password")
            
            'Create a msg variable to output to the user
            msg = "Login successful"
        Else
            'If there are errors then create an errMsg variable
            errMsg = "Login details not found"
        End If

Quote:

Error: Login details not found

If the user enters correct details then they receive a welcome message

ASP & HTML Code:

Original - ASP & HTML Code
<% If msg <> "" Then 'Output msg to user%> <span class="msg"><%=msg%></span> <p>Welcome <%=username%>, your user ID is <%=id%> and your password is <%=password%></p>


<% If msg <> "" Then 'Output msg to user%>
<span class="msg"><%=msg%></span>
<p>Welcome <%=username%>, your user ID is <%=id%> and your password is <%=password%></p>

So the basic validation to make sure the user submits data is done.

There is more validation to do though.

May 3rd, 2007, 09:16 AM

degsy

Contributing User

Join Date: Aug 2005

Location: North East, UK

Posts: 6,191

Time spent in forums: 3 Weeks 4 Days 19 h 41 m 52 sec
Reputation Power: 121

Data Sanitization - Prevent SQL Injection Attacks

The data has to also be sanitized to prevent SQL Injection attacks.

At the moment the user submits their data it is fed directly into the SQL query.

asp Code:

Original - asp Code
rsSQL = "SELECT id, username, password FROM Users" &_ " WHERE username = '" & username & "'" &_ " AND password = '" & password & "'"

rsSQL = "SELECT id, username, password FROM Users" &_
                " WHERE username = '" & username & "'" &_
                " AND password = '" & password & "'"

If the user enters
username: user1
password: mypass
then this is the executed query

Quote:

SELECT id, username, password FROM Users WHERE username = 'user1' AND password = 'mypass'

To see the generated SQL query then uncommend the Response.Write rsSQL line

Code:

'---------------------
		'## DEBUG ##
		Response.Write rsSQL
		'Response.End()
		'---------------------

At this point the user could user SQL Injection by using a single quotes/apostrophes in the form fields

If the user enters
username: ' or 1=1 or 'a' = 'a
password: ' or 1=1 or 'a' = 'a
then the executed query would be

Quote:

SELECT id, username, password FROM Users WHERE username = '' or 1=1 or 'a' = 'a' AND password = '' or 1=1 or 'a' = 'a'

This is a valid SQL query and if your output code was a loop to output the recordset then all the records would be output

asp Code:

Original - asp Code
'Check if the recordset contains a record If Not rs.EOF Then While Not rs.EOF Response.Write rs("id") & "," & rs("username") & "," & rs("password") & "<br>" rs.MoveNext Wend

'Check if the recordset contains a record
        If Not rs.EOF Then
            While Not rs.EOF 
                Response.Write rs("id") & "," & rs("username"