
Password protection - multiple levels

288enzo, posted 19 May 2003 at 10:48pm

I already have the script to protect my web from unauthorized users, but how can I give different levels to different users?

My idea is to have separate columns in my table.  For instance I would have UserID, Password, Admin, Guest, Member as my columns - the last three would be the different levels.  To make it work I need to incorporate a statement that will look for a "yes" in the admin column if they are trying to log in to an admin protected page.

This is my current script:

<%
Dim adoCon   
Dim strCon  
Dim rsCheckAdminUser   
Dim strAccessDB  
Dim strSQL   
Dim strAdminUserName  

strAdminUserName = Request.Form("txtAdminUserName")
strAccessDB = "../********/**************.mdb"
Set adoCon = Server.CreateObject("ADODB.Connection")
strCon = "DRIVER={Microsoft Access Driver (*.mdb)};pwd=****; DBQ=" & Server.MapPath(strAccessDB)
adoCon.Open strCon
Set rsCheckAdminUser = Server.CreateObject("ADODB.Recordset")
strSQL = "SELECT tblAdminUsers.Password FROM tblAdminUsers WHERE tblAdminUsers.UserID ='" & strAdminUserName & "'"
rsCheckAdminUser.Open strSQL, strCon
If NOT rsCheckAdminUser.EOF Then
 If (Request.Form("txtAdminUserPass")) = rsCheckAdminUser("Password") Then
  Session("AdminUserGood") = True
  Set adoCon = Nothing
  Set strCon = Nothing
  Set rsCheckAdminUser = Nothing
  Response.Redirect"admin.asp?name=" & strAdminUserName
 End If
End If
Set adoCon = Nothing
Set strCon = Nothing
Set rsCheckAdminUser = Nothing
Session("AdminUserGood") = False
Response.Redirect"unauthorized_admin.htm"
%>
<head><title>Check Admin ID</title></head>

 

Can someone pleeeeeeeeeeease help.

288enzo, posted 20 May 2003 at 11:11am

I tried the following (the text in the red is new), but it didn't work.

<%
Dim adoCon   
Dim strCon  
Dim rsCheckAdminUser   
Dim strAccessDB  
Dim strSQL   
Dim strAdminUserName
Dim strUserLevelAccess1
Dim strUserLevelAccess2
Dim strUserLevelAccess3

strAdminUserName = Request.Form("txtAdminUserName")
strAccessDB = "../********/**************.mdb"
Set adoCon = Server.CreateObject("ADODB.Connection")
strCon = "DRIVER={Microsoft Access Driver (*.mdb)};pwd=****; DBQ=" & Server.MapPath(strAccessDB)
adoCon.Open strCon
Set rsCheckAdminUser = Server.CreateObject("ADODB.Recordset")
strSQL = "SELECT tblAdminUsers.Password FROM tblAdminUsers WHERE tblAdminUsers.UserID ='" & strAdminUserName & "'"
rsCheckAdminUser.Open strSQL, strCon
strUserLevelAccess1 = strCheckAdminUser("admin")
strUserLevelAccess2 = strCheckAdminUser("guest")
strUserLevelAccess3 = strCheckAdminUser("member")

If NOT rsCheckAdminUser.EOF Then
 If strUserLevelAccess1 = "yes" Then
 If (Request.Form("txtAdminUserPass")) = rsCheckAdminUser("Password") Then
  Session("AdminUserGood") = True
  Set adoCon = Nothing
  Set strCon = Nothing
  Set rsCheckAdminUser = Nothing
  Response.Redirect"admin.asp?name=" & strAdminUserName
 End If
 End If
End If
Set adoCon = Nothing
Set strCon = Nothing
Set rsCheckAdminUser = Nothing
Session("AdminUserGood") = False
Response.Redirect"unauthorized_admin.htm"
%>



Edited by 288enzo

ljamal, posted 20 May 2003 at 2:52pm
Change your SQL statement to return those fields. You are only returning the password field.

288enzo, posted 20 May 2003 at 3:03pm

I tried that, included the following:

strSQL = "SELECT tblAdminUsers.Admin, tblAdminUsers.Password FROM tblAdminUsers WHERE tblAdminUsers.UserID ='" & strAdminUserName & "';"

and got the following error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e10'

[Microsoft][ODBC Microsoft Access Driver] Too few parameters. Expected 1.

/check_admin_user2.asp, line 18

ljamal, posted 20 May 2003 at 3:31pm
What is line 18?

The SQL line should be
strSQL = "SELECT tblAdminUsers.Admin, tblAdminUsers.Guest, tblAdminUsers.Member, tblAdminUsers.Password FROM tblAdminUsers WHERE tblAdminUsers.UserID ='" & strAdminUserName & "';"

I suggest checking and formatting your strAdminUserName variable to protect against SQL injection attacks. Currently you are just passing whatever is returned. I could change the request to
' or (Admin=yes) or 1='2
and get admin access.

288enzo, posted 20 May 2003 at 4:03pm

Ok, I made the changes to incorporate guest and member in the sql statement but got the following error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e10'

[Microsoft][ODBC Microsoft Access Driver] Too few parameters. Expected 3.

/check_admin_user2.asp, line 19

Line 19 is the strSql = "SELECT ................

I wish I understood what it is that you were trying to tell me about injection attacks.  I really don't have much of a grasp on asp, just taking it one step at a time.

Thanks

ljamal, posted 20 May 2003 at 4:08pm
That error suggests that the columns are not in the database table. Are guest, admin and member columns in the table tblAdminUsers?

ultramods, posted 20 May 2003 at 4:08pm

Instead of having a field for admin  and member, you could just have a field called userStatus. UserStatus would either be a 1 or 2.

1 for admin

2 for member

strSQL = "SELECT tblAdminUsers.UserStatus, tblAdminUsers.Member, tblAdminUsers.Password FROM tblAdminUsers WHERE tblAdminUsers.UserID ='" & strAdminUserName & "';"

Then on your pages you can use an If after checking the username and password.

For example:

IF rs("UserStatus") = "2" THEN.........

ELSE ........

END IF
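
One way to close the SQL injection hole ljamal describes while using the single UserStatus column ultramods suggests, as an added example that is not code from any poster in this thread. It assumes a UserStatus column (1 = admin, 2 = member) exists in tblAdminUsers; the Session("UserStatus") key and the 50-character cap on UserID are hypothetical choices.

```vbscript
<%
Option Explicit
' Added example, not code from the thread. Assumes a UserStatus column
' (1 = admin, 2 = member) in tblAdminUsers; Session("UserStatus") and the
' 50-character cap on UserID are hypothetical choices.
Const adCmdText = 1, adParamInput = 1, adVarChar = 200

Dim adoCon, cmd, rs, strUser, strPass, blnOK
' & "" forces a string; Left() keeps the value within the parameter size.
strUser = Left(Request.Form("txtAdminUserName") & "", 50)
strPass = Request.Form("txtAdminUserPass") & ""
blnOK = False

Set adoCon = Server.CreateObject("ADODB.Connection")
adoCon.Open "DRIVER={Microsoft Access Driver (*.mdb)};pwd=****; DBQ=" & _
    Server.MapPath("../********/**************.mdb")

' The ? placeholder keeps the form value out of the SQL text: the driver
' receives it as data, so quotes typed into the form cannot alter the WHERE clause.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = adoCon
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT [Password], UserStatus FROM tblAdminUsers WHERE UserID = ?"
cmd.Parameters.Append cmd.CreateParameter("UserID", adVarChar, adParamInput, 50, strUser)
Set rs = cmd.Execute

If Not rs.EOF Then
    ' Password is compared as stored, as in the thread's script.
    If strPass = rs("Password") Then
        blnOK = True
        ' The level comes from the database row, never from the request.
        Session("UserStatus") = CInt(rs("UserStatus"))
    End If
End If

rs.Close : adoCon.Close
Set rs = Nothing : Set cmd = Nothing : Set adoCon = Nothing

If blnOK Then
    Session("AdminUserGood") = True
    Response.Redirect "admin.asp?name=" & Server.URLEncode(strUser)
Else
    Session("AdminUserGood") = False
    Session.Contents.Remove "UserStatus"
    Response.Redirect "unauthorized_admin.htm"
End If
%>
```

Each protected page can then test Session("UserStatus") before rendering, for example redirecting to unauthorized_admin.htm unless the value is 1 on admin-only pages.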
