Password protection - multiple levels

Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: Classic ASP Discussion
Forum Description: Discussion on Active Server Pages (Classic ASP).
URL: https://forums.webwiz.net/forum_posts.asp?TID=2857
Printed Date: 28 March 2026 at 9:08am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Password protection - multiple levels
Posted By: 288enzo
Subject: Password protection - multiple levels
Date Posted: 19 May 2003 at 10:48pm

I already have the script to protect my web from unauthorized users, but how can I give different levels to different users?

My idea is to have separate columns in my table.  For instance I would have UserID, Password, Admin, Guest, Member as my columns - the last three would be the different levels.  To make it work I need to incorporate a statement that will look for a "yes" in the admin column if they are trying to log in to an admin protected page.

This is my current script:

<%
Dim adoCon   
Dim strCon  
Dim rsCheckAdminUser   
Dim strAccessDB  
Dim strSQL   
Dim strAdminUserName  

strAdminUserName = Request.Form("txtAdminUserName")
strAccessDB = "../********/**************.mdb"
Set adoCon = Server.CreateObject("ADODB.Connection")
strCon = "DRIVER={Microsoft Access Driver (*.mdb)};pwd=****; DBQ=" & Server.MapPath(strAccessDB)
adoCon.Open strCon
Set rsCheckAdminUser = Server.CreateObject("ADODB.Recordset")
strSQL = "SELECT tblAdminUsers.Password FROM tblAdminUsers WHERE tblAdminUsers.UserID ='" & strAdminUserName & "'"
rsCheckAdminUser.Open strSQL, strCon
If NOT rsCheckAdminUser.EOF Then
 If (Request.Form("txtAdminUserPass")) = rsCheckAdminUser("Password") Then
  Session("AdminUserGood") = True
  Set adoCon = Nothing
  Set strCon = Nothing
  Set rsCheckAdminUser = Nothing
  Response.Redirect"admin.asp?name=" & strAdminUserName
 End If
End If
Set adoCon = Nothing
Set strCon = Nothing
Set rsCheckAdminUser = Nothing
Session("AdminUserGood") = False
Response.Redirect"unauthorized_admin.htm"
%>
<head><title>Check Admin ID</title></head>

 

Can someone pleeeeeeeeeeease help.




Replies:
Posted By: 288enzo
Date Posted: 20 May 2003 at 11:11am

I tried the following (the text in red is new), but it didn't work.

<%
Dim adoCon   
Dim strCon  
Dim rsCheckAdminUser   
Dim strAccessDB  
Dim strSQL   
Dim strAdminUserName
Dim strUserLevelAccess1
Dim strUserLevelAccess2
Dim strUserLevelAccess3

strAdminUserName = Request.Form("txtAdminUserName")
strAccessDB = "../********/**************.mdb"
Set adoCon = Server.CreateObject("ADODB.Connection")
strCon = "DRIVER={Microsoft Access Driver (*.mdb)};pwd=****; DBQ=" & Server.MapPath(strAccessDB)
adoCon.Open strCon
Set rsCheckAdminUser = Server.CreateObject("ADODB.Recordset")
strSQL = "SELECT tblAdminUsers.Password FROM tblAdminUsers WHERE tblAdminUsers.UserID ='" & strAdminUserName & "'"
rsCheckAdminUser.Open strSQL, strCon
strUserLevelAccess1 = strCheckAdminUser("admin")
strUserLevelAccess2 = strCheckAdminUser("guest")
strUserLevelAccess3 = strCheckAdminUser("member")

If NOT rsCheckAdminUser.EOF Then
 If strUserLevelAccess1 = "yes" Then
 If (Request.Form("txtAdminUserPass")) = rsCheckAdminUser("Password") Then
  Session("AdminUserGood") = True
  Set adoCon = Nothing
  Set strCon = Nothing
  Set rsCheckAdminUser = Nothing
  Response.Redirect"admin.asp?name=" & strAdminUserName
 End If
 End If
End If
Set adoCon = Nothing
Set strCon = Nothing
Set rsCheckAdminUser = Nothing
Session("AdminUserGood") = False
Response.Redirect"unauthorized_admin.htm"
%>



Posted By: ljamal
Date Posted: 20 May 2003 at 2:52pm
Change your SQL statement to return those fields. You are only returning the password field.

-------------
L. Jamal Walton

http://www.ljamal.com/ - L. Jamal Inc : Web/ Print Design and ASP Programming


Posted By: 288enzo
Date Posted: 20 May 2003 at 3:03pm

I tried that, included the following:

strSQL = "SELECT tblAdminUsers.Admin, tblAdminUsers.Password FROM tblAdminUsers WHERE tblAdminUsers.UserID ='" & strAdminUserName & "';"

and got the following error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e10'

[Microsoft][ODBC Microsoft Access Driver] Too few parameters. Expected 1.

/check_admin_user2.asp, line 18



Posted By: ljamal
Date Posted: 20 May 2003 at 3:31pm
What is line 18?

The SQL line should be
strSQL = "SELECT tblAdminUsers.Admin, tblAdminUsers.Guest, tblAdminUsers.Member, tblAdminUsers.Password FROM tblAdminUsers WHERE tblAdminUsers.UserID ='" & strAdminUserName & "';"

I suggest checking and formatting your strAdminUserName variable to protect against SQL Injection attacks. Currently you are just passing whatever is returned. I could change the request to
' or (Admin=yes) or 1='2
and get admin access.


-------------
L. Jamal Walton

http://www.ljamal.com/ - L. Jamal Inc : Web/ Print Design and ASP Programming


Posted By: 288enzo
Date Posted: 20 May 2003 at 4:03pm

Ok, I made the changes to incorporate guest and member in the sql statement but got the following error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e10'

[Microsoft][ODBC Microsoft Access Driver] Too few parameters. Expected 3.

/check_admin_user2.asp, line 19

Line 19 is the strSql = "SELECT ................

I wish I understood what it is that you were trying to tell me about injection attacks.  I really don't have much of a grasp on asp, just taking it one step at a time.

Thanks



Posted By: ljamal
Date Posted: 20 May 2003 at 4:08pm
That error suggests that the columns are not in the database table. Are guest, admin and member columns in the table tblAdminUsers?

-------------
L. Jamal Walton

http://www.ljamal.com/ - L. Jamal Inc : Web/ Print Design and ASP Programming


Posted By: ultramods
Date Posted: 20 May 2003 at 4:08pm

Instead of having a field for admin  and member, you could just have a field called userStatus. UserStatus would either be a 1 or 2.

1 for admin

2 for member

strSQL = "SELECT tblAdminUsers.UserStatus, tblAdminUsers.Member, tblAdminUsers.Password FROM tblAdminUsers WHERE tblAdminUsers.UserID ='" & strAdminUserName & "';"

Then on your pages you can use If after checking the username and password.

for example.

IF rs("UserStatus") = "2" THEN.........

ELSE ........

END IF



Posted By: 288enzo
Date Posted: 20 May 2003 at 6:03pm

That was a great suggestion ultramods!!! I still got an error though.

Microsoft OLE DB Provider for ODBC Drivers error '80040e10'

[Microsoft][ODBC Microsoft Access Driver] Too few parameters. Expected 1.

/check_admin_user2.asp, line 16

Let me include my latest script.

<%
Dim adoCon   
Dim strCon  
Dim rsCheckAdminUser   
Dim strAccessDB  
Dim strSQL   
Dim strAdminUserName

strAdminUserName = Request.Form("txtAdminUserName")
strAccessDB = "../********/**************.mdb"
Set adoCon = Server.CreateObject("ADODB.Connection")
strCon = "DRIVER={Microsoft Access Driver (*.mdb)};pwd=****; DBQ=" & Server.MapPath(strAccessDB)
adoCon.Open strCon
Set rsCheckAdminUser = Server.CreateObject("ADODB.Recordset")
strSQL = "SELECT tblAdminUsers.Access, tblAdminUsers.Password FROM tblAdminUsers WHERE tblAdminUsers.UserID ='" & strAdminUserName & "';"
rsCheckAdminUser.Open strSQL, strCon
If NOT rsCheckAdminUser.EOF Then
 If rsCheckAdminUser("Access") = "3" Then
 If (Request.Form("txtAdminUserPass")) = rsCheckAdminUser("Password") Then
  Session("AdminUserGood") = True
  Set adoCon = Nothing
  Set strCon = Nothing
  Set rsCheckAdminUser = Nothing
  Response.Redirect"admin.asp?name=" & strAdminUserName
 End If
 End If
End If
Set adoCon = Nothing
Set strCon = Nothing
Set rsCheckAdminUser = Nothing
Session("AdminUserGood") = False
Response.Redirect"unauthorized_admin.htm"
%>



Posted By: ljamal
Date Posted: 20 May 2003 at 6:06pm
Is the column (field) in the table?

-------------
L. Jamal Walton

http://www.ljamal.com/ - L. Jamal Inc : Web/ Print Design and ASP Programming


Posted By: 288enzo
Date Posted: 20 May 2003 at 6:15pm

Table name is tblAdminUsers.

I have three fields:

UserID
Password
Access

All are text fields.



Posted By: ljamal
Date Posted: 20 May 2003 at 6:19pm
In order to access a field it has to be present in the database. There is no field for UserStatus or the other fields mentioned and that's why you are getting the error.

Create a field called UserStatus (make it numeric) and use 1 to represent Admin and 2 to represent Member and 0 to represent Guest.

-------------
L. Jamal Walton

http://www.ljamal.com/ - L. Jamal Inc : Web/ Print Design and ASP Programming


Posted By: 288enzo
Date Posted: 20 May 2003 at 6:49pm

strSQL = "SELECT tblAdminUsers.Access, tblAdminUsers.Password FROM tblAdminUsers WHERE tblAdminUsers.UserID ='" & strAdminUserName & "';"

My sql statement is not looking for the field UserStatus, thus I don't have it in my table.

Do you know what else it might be?



Posted By: farrukh
Date Posted: 21 May 2003 at 3:20am
Originally posted by 288enzo:

Table name is tblAdminUsers.

I have three fields:

UserID
Password
Access          convert it to a numeric type field

All are text fields.


so you can easily make an access level.
0 for guest
1 for Admin
2 for Members

-------------
i have collected some nice avatars (37) and smileys (227) here you can download
http://www24.brinkster.com/webmastertool/download.html


Posted By: 288enzo
Date Posted: 21 May 2003 at 10:26am

Made the change from text to number in my database for the access field, but I still get the same error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e10'

[Microsoft][ODBC Microsoft Access Driver] Too few parameters. Expected 1.

/check_admin_user2.asp, line 16

Starting to get very frustrated



Posted By: 288enzo
Date Posted: 21 May 2003 at 5:47pm

Okay, I still can't seem to get it to work.  Let me show you all my script and hopefully someone out there in ASP land can figure out what is wrong.

admin_login.asp

<html>
<head>
<title>Admin Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

</head>

<body bgcolor="#FFFFFF" text="#000000">
<p align="center">
<br>
<br>
<font face="Bookman Old Style" size="5">Administration Login</font><br>
<br>

</p>

<form name="Login" method="post" action="check_admin_user2.asp">
  <table width="273" border="0" align="center" cellspacing="0" cellpadding="0" bgcolor="#CCCCCC">
    <tr>
      <td align="right" height="47" valign="bottom" width="94">User name: </td>
      <td height="47" valign="bottom" width="172">
        <input type="text" name="txtAdminUserName" size="20">
      </td>
    </tr>
    <tr>
      <td align="right" width="94">Password: </td>
      <td width="172">
        <input type="password" name="txtAdminUserPass" size="20">
      </td>
    </tr>
    <tr>
      <td align="right" height="44" width="94">&nbsp;</td>
      <td height="44" width="172">
        <input type="submit" name="Submit" value="Enter">
        &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        <input type="hidden" name="txtAdminAccess" value=3>
        <input type="reset" name="Submit2" value="Reset">
      </td>
    </tr>
  </table>
</form>
<br>
<center>
  Session Cookies must be enabled<br>
  <br>
</center>
</body>
</html>

check_admin_user2.asp

<%
Dim adoCon   
Dim strCon  
Dim rsCheckAdminUser   
Dim strAccessDB  
Dim strSQL   
Dim strAdminUserName

strAdminUserName = Request.Form("txtAdminUserName")
strAccessDB = "../********/**************.mdb"
Set adoCon = Server.CreateObject("ADODB.Connection")
strCon = "DRIVER={Microsoft Access Driver (*.mdb)};pwd=****; DBQ=" & Server.MapPath(strAccessDB)
adoCon.Open strCon
Set rsCheckAdminUser = Server.CreateObject("ADODB.Recordset")
strSQL = "SELECT tblAdminUsers.Access, tblAdminUsers.Password FROM tblAdminUsers WHERE tblAdminUsers.UserID ='" & strAdminUserName & "'"
rsCheckAdminUser.Open strSQL, strCon
If NOT rsCheckAdminUser.EOF Then
 If (Request.Form("txtAdminAccess")) = rsCheckAdminUser("Access") Then
 If (Request.Form("txtAdminUserPass")) = rsCheckAdminUser("Password") Then
  Session("AdminUserGood") = True
  Set adoCon = Nothing
  Set strCon = Nothing
  Set rsCheckAdminUser = Nothing
  Response.Redirect"admin.asp?name=" & strAdminUserName
 End If
 End If
End If
Set adoCon = Nothing
Set strCon = Nothing
Set rsCheckAdminUser = Nothing
Session("AdminUserGood") = False
Response.Redirect"unauthorized_admin.htm"
%>
<head><title>Check Admin ID</title></head>

The three fields in my database for tblAdminUsers are:

UserID - text
Password - text
Access - number

For the love of god, please someone help me.



Posted By: farrukh
Date Posted: 25 May 2003 at 6:33pm

check_admin_user2.asp

<%

strSQL = "SELECT * FROM tblAdminUsers WHERE tblAdminUsers.UserID ='" & strAdminUserName & "' and tblAdminUsers.Access=5"
rsCheckAdminUser.Open strSQL, strCon

if rsCheckAdminUser.RecordCount=0 then
Session("AdminUserGood") = False
Response.Redirect"unauthorized_admin.htm"
End if

Set adoCon = Nothing
Set strCon = Nothing
Set rsCheckAdminUser = Nothing
%>
5 is the number which you assigned for Administrator.
Conn.CursorLocation = 3 - do include this after giving the database location, OK?
It will work fine.



-------------
i have collected some nice avatars (37) and smileys (227) here you can download
http://www24.brinkster.com/webmastertool/download.html
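
Added example (not code from the thread or from any poster): the check_admin_user2.asp lookup with the user name bound as an ADO parameter instead of concatenated into the SQL string, which addresses the injection ljamal describes. It assumes the tblAdminUsers layout given in the thread (UserID text, Password text, Access number); the database path, the 50-character limit and ADMIN_LEVEL are placeholders, and the required level is a server-side constant rather than the hidden txtAdminAccess form field, which the browser controls.

```vbscript
<%
Option Explicit
' Added example, not the thread's code. Placeholders: DB path, ADMIN_LEVEL, 50-char limit.
Const adVarChar = 200      ' ADO DataTypeEnum
Const adParamInput = 1     ' ADO ParameterDirectionEnum
Const adCmdText = 1        ' ADO CommandTypeEnum
Const ADMIN_LEVEL = 3      ' assumed: the number stored in Access for administrators

Dim adoCon, cmd, rs, strUser, strPass, blnOk

strUser = Trim(Request.Form("txtAdminUserName"))
strPass = Request.Form("txtAdminUserPass")
blnOk = False

If Len(strUser) > 0 And Len(strUser) <= 50 Then
    Set adoCon = Server.CreateObject("ADODB.Connection")
    adoCon.Open "DRIVER={Microsoft Access Driver (*.mdb)};DBQ=" & _
                Server.MapPath("../data/placeholder.mdb")

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = adoCon
    cmd.CommandType = adCmdText
    ' The ? is filled by the driver as data, so quotes in the user name
    ' cannot change the WHERE clause.
    cmd.CommandText = "SELECT [Password], [Access] FROM tblAdminUsers WHERE UserID = ?"
    cmd.Parameters.Append cmd.CreateParameter("uid", adVarChar, adParamInput, 50, strUser)

    Set rs = cmd.Execute
    If Not rs.EOF Then
        ' Nested Ifs: VBScript's And does not short-circuit, and Null must be skipped.
        If Not IsNull(rs("Access").Value) And Not IsNull(rs("Password").Value) Then
            If CLng(rs("Access").Value) = ADMIN_LEVEL Then
                If strPass = rs("Password").Value Then blnOk = True
            End If
        End If
    End If
    rs.Close
    adoCon.Close
    Set rs = Nothing
    Set cmd = Nothing
    Set adoCon = Nothing
End If

Session("AdminUserGood") = blnOk
If blnOk Then
    Response.Redirect "admin.asp?name=" & Server.URLEncode(strUser)
Else
    Response.Redirect "unauthorized_admin.htm"
End If
%>
```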


