Password protection - mutliple levels

I tried the following (the text in the red is new), but it didn't work.

<%
Dim adoCon   
Dim strCon  
Dim rsCheckAdminUser   
Dim strAccessDB  
Dim strSQL   
Dim strAdminUserName
Dim strUserLevelAccess1
Dim strUserLevelAccess2
Dim strUserLevelAccess3

strAdminUserName = Request.Form("txtAdminUserName")
strAccessDB = "../********/**************.mdb"
Set adoCon = Server.CreateObject("ADODB.Connection")
strCon = "DRIVER={Microsoft Access Driver (*.mdb)};pwd=****; DBQ=" & Server.MapPath(strAccessDB)
adoCon.Open strCon
Set rsCheckAdminUser = Server.CreateObject("ADODB.Recordset")
strSQL = "SELECT tblAdminUsers.Password FROM tblAdminUsers WHERE tblAdminUsers.UserID ='" & strAdminUserName & "'"
rsCheckAdminUser.Open strSQL, strCon
strUserLevelAccess1 = strCheckAdminUser("admin")
strUserLevelAccess2 = strCheckAdminUser("guest")
strUserLevelAccess3 = strCheckAdminUser("member")
If NOT rsCheckAdminUser.EOF Then
 If strUserLevelAccess1 = "yes" Then
 If (Request.Form("txtAdminUserPass")) = rsCheckAdminUser("Password") Then
  Session("AdminUserGood") = True
  Set adoCon = Nothing
  Set strCon = Nothing
  Set rsCheckAdminUser = Nothing
  Response.Redirect"admin.asp?name=" & strAdminUserName
 End If
 End If
End If
Set adoCon = Nothing
Set strCon = Nothing
Set rsCheckAdminUser = Nothing
Session("AdminUserGood") = False
Response.Redirect"unauthorized_admin.htm"
%>

I tried that, included the following:

strSQL = "SELECT tblAdminUsers.Admin, tblAdminUsers.Password FROM tblAdminUsers WHERE tblAdminUsers.UserID ='" & strAdminUserName & "';"

and got the following error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e10'

[Microsoft][ODBC Microsoft Access Driver] Too few parameters. Expected 1.

/check_admin_user2.asp, line 18

Ok, I made the changes to incorporate guest and member in the sql statement but got the following error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e10'

[Microsoft][ODBC Microsoft Access Driver] Too few parameters. Expected 3.

/check_admin_user2.asp, line 19

Line 19 is the strSql = "SELECT ................

I wish I understood what it is that you were trying to tell me about injection attacks.  I really don't have much of a grasp on asp, just taking it one step at a time.

Thanks

Instead of having a field for admin  and member, you could just have a field called userStatus. UserStatus would either be a 1 or 2.

1 for admin

2 for member

strSQL = "SELECT tblAdminUsers.UserStatus, tblAdminUsers.Member tblAdminUsers.Password FROM tblAdminUsers WHERE tblAdminUsers.UserID ='" & strAdminUserName & "';"

Then on you pages you can use if after checking the username and password.

for example.

IF rs("UserStatus") = "2" THEN.........

ELSE ........

END IF