Password protecting pages


Belzar

Hi again all, I know, I write on here a little too often. It's just that I learn so much from here :)

I have this code that will password protect a page when using Internet Explorer, but it doesn't work when using almost any other browser (Netscape, Mozilla...)

This is the VBScript code I have written:

<script type="text/vbscript">
password = Inputbox("Please enter the password:")
do until password = "baby"
    msgbox "You have entered an incorrect password- Please try again."
    password = Inputbox("Please enter the password:")
Loop
</script>

Maybe there is some ASP code that I could use, or some way or another to tweak this code to turn it into ASP. Help please.


Belzar,

VBScript as a client-side language is browser specific, it only works on IE. However, client-side VBScript is dead, NO ONE uses it anymore. To get a password box that works on all browsers, you have to convert your script to client-side JavaScript.

However, there is a significant problem with using client-side scripts to password protect pages, namely on the basis that they don't protect anything at all. Anyone can view the source of your page and see everything you've written.

Here are 2 ways to password protect pages, but here's a simpler ASP-specific way:

<%
Dim strPassword
'Read the submitted password and compare it on the server
strPassword = Request("password")
If strPassword = "baby" Then
%>
    The rest of your page contents should go here.
<% Else %>
    <form action="<%=Request.ServerVariables("SCRIPT_NAME")%>" method="post">
        What's the password:<br>
        <input type="password" name="password">
        <p>
        <input type="Submit" value="Go!">
        </p>
    </form>
<% End If %>

Using this code, no one can see any code they shouldn't when they view your source.

Alternatively, I like to use this method on my sites:

Login.asp:

<%
'You should always use a function like the one below to protect
'against SQL injection
Function SQLSecurity(strString)
    Dim strEscaped
    'Escape backslashes first, then single quotes
    '(backslash-style escaping, as MySQL uses by default)
    strEscaped = Replace(strString, "\", "\\", 1, -1, vbBinaryCompare)
    SQLSecurity = Replace(strEscaped, "'", "\'", 1, -1, vbBinaryCompare)
End Function

Sub Login
    Dim Conn, RS, SQL, Redirect
    Redirect = True

    'Object references must be assigned with Set
    Set Conn = Server.CreateObject("ADODB.Connection")
    Set RS = Server.CreateObject("ADODB.Recordset")
    SQL = "SELECT Count(*) as Count FROM my_table WHERE Username = " & _
            "'" & SQLSecurity(Request.Cookies("Username")) & "' " & _
            "AND Password = '" & SQLSecurity(Request.Cookies("Password")) & "';"

    Conn.Open my_connection_string
    RS.Open SQL, Conn, 1, 1
        If RS("Count") Then
            Redirect = False
        End If
    RS.Close
    Conn.Close
    Set Conn = Nothing
    Set RS = Nothing

    If Redirect = True Then
        'if a valid username and password is not found
        Response.Redirect "error.asp"
    End If
End Sub
%>

On any other page, all I have to do is insert the following two lines at the top of any page:

<!--#include file="login.asp"-->
<% Call Login %>
... rest of page goes here ...

If the user is not logged in, then he or she is automatically redirected to an error.asp page. Otherwise, the page loads as normal.

Wow, that's very good information. I am having trouble learning how to get into my database and such, like how to get people to sign up and create their own names. I mainly have trouble with it cuz I am unsure of how to code it correctly, but that's a whole nother problem :) Thanks for your help on this one.

If you need help on Login/Signup pages, let me know, and I can certainly help you out on them :)

To be honest, I could use help on those... I have tried many different things, I am the kind of person that only uses the code I write... I have only used code from other people once I think, that's cuz it was very confusing code. Here is my problem, I have a MySQL database, but I am unsure of exactly how to use it, it's on another site, so I don't know how to connect to it. And then there is exactly how it all works. If you could help me, thanks greatly.

ConnectionStrings.com has a lot of information on the type of connection strings you should use to connect to your database.

Basically, to connect to a database, you'll use this code:

Dim ConnectionString, Conn, RS, SQL
ConnectionString = "something here" 'modify this line
'Object references must be assigned with Set
Set Conn = Server.CreateObject("ADODB.Connection")
Set RS = Server.CreateObject("ADODB.RecordSet")
SQL = "some SQL statement" 'modify this line
Conn.Open ConnectionString
RS.Open SQL, Conn, 1, 1 'cursor type 1 (keyset), lock type 1 (read-only)
    'stuff here
RS.Close
Conn.Close
'Always set your recordsets and connections to nothing when you're done with them
Set RS = Nothing
Set Conn = Nothing

You only need to open a database connection once per page, and you need to open and close as many recordsets as SQL statements you plan on executing. After you are finished getting your information out of your database and recordsets, close them immediately and set them equal to nothing to free up server resources.

The value of the ConnectionString variable depends on what type of database you're connecting to, and where the database is located relative to your ASP scripts.

To connect to a MySQL database, use this connection string:

ConnectionString = "DRIVER={MySQL ODBC 3.51 Driver};" & _
      "SERVER=mysqlServer;PORT=3306;DATABASE=myDatabase;" & _
      "USER=myUsername;PASSWORD=myPassword;OPTION=18475;"

For the part reading SERVER=mysqlServer, set that to the location of your sql server. If your ASP scripts and sqlServer are located on the same domain, then SERVER=localhost works most of the time. If that doesn't work, or if you are connecting to a remote database, just use the location of the sql server. A few examples:

'Connecting to a local database, where your database and scripts are
'located on the same server
ConnectionString = "DRIVER={MySQL ODBC 3.51 Driver};" & _
      "SERVER=localhost;PORT=3306;DATABASE=myDatabase;" & _
      "USER=myUsername;PASSWORD=myPassword;OPTION=18475;"

'Connecting to remote database
ConnectionString = "DRIVER={MySQL ODBC 3.51 Driver};" & _
      "SERVER=data.domain.com;PORT=3306;DATABASE=myDatabase;" & _
      "USER=myUsername;PASSWORD=myPassword;OPTION=18475;"

The USER and PASSWORD correspond to the username and password of your MySQL account (usually these will be identical to the username and password of your account on the remote server), and the DATABASE corresponds to the name of your database.

Great, now I have learned how to use the database and connect to it, very tough stuff, but I have a small understanding of it now and it is working for the guestbook thing, thank god :)

  • 3 weeks later...

Doesn't this mean you are storing the password in your cookies? Won't that be a security risk?
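Added example, not code from any poster in this thread: a Login.asp variant that binds the credentials as ADO parameters instead of escaping them (the SQLSecurity step in the Login.asp answer) and keeps login state in the server-side Session object instead of Username/Password cookies (the concern raised in the last reply). Assumed names: my_connection_string and my_table from the post, form fields "username" and "password", and the session key "AuthUser".

```asp
<%
' Added example. Assumptions: my_connection_string and my_table (Username,
' Password columns) as in the post; form fields "username" and "password";
' the session key "AuthUser" is a name chosen here.
Const adVarChar = 200, adParamInput = 1, adCmdText = 1

' True when a row matches. Values are bound as parameters, so quotes or
' backslashes inside them are never parsed as SQL.
Function CredentialsValid(strUser, strPass)
    Dim Conn, Cmd, RS
    Set Conn = Server.CreateObject("ADODB.Connection")
    Set Cmd = Server.CreateObject("ADODB.Command")
    Conn.Open my_connection_string
    Set Cmd.ActiveConnection = Conn
    Cmd.CommandType = adCmdText
    ' Column compared as in the post; a real table should hold a salted hash.
    Cmd.CommandText = "SELECT Username FROM my_table " & _
                      "WHERE Username = ? AND Password = ?"
    Cmd.Parameters.Append Cmd.CreateParameter("u", adVarChar, adParamInput, 255, Left(strUser, 255))
    Cmd.Parameters.Append Cmd.CreateParameter("p", adVarChar, adParamInput, 255, Left(strPass, 255))
    Set RS = Cmd.Execute
    CredentialsValid = Not RS.EOF
    RS.Close
    Conn.Close
    Set RS = Nothing
    Set Cmd = Nothing
    Set Conn = Nothing
End Function

' Login form handler: on success only a server-side flag is set. The browser
' holds the ASP session ID cookie, never the username/password pair.
Sub SignIn
    Dim strUser
    strUser = CStr(Request.Form("username"))
    If CredentialsValid(strUser, CStr(Request.Form("password"))) Then
        Session("AuthUser") = strUser
    Else
        Response.Redirect "error.asp"
    End If
End Sub

' Top of every protected page, in place of the cookie-based Login sub.
Sub RequireLogin
    If Session("AuthUser") = "" Then Response.Redirect "error.asp"
End Sub
%>
```

Protected pages include this file and call RequireLogin first; the page that receives the login form calls SignIn.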
