Author |
Topic |
|
snowsurfer
New Member
64 Posts |
Posted - 27 December 2004 : 00:32:21
|
I am using my snitz database to authenticate users to a certain page on my site. The problem I am running into is the passwords are encrypted, so of course the password never matches when I test the page. Here is my code:
<!--#include file="header.asp" -->
<!--#include file="Connections/snitz.asp" -->
<%
' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" + Server.HTMLEncode(Request.QueryString)
MM_valUsername=CStr(Request.Form("name"))
If MM_valUsername <> "" Then
  MM_fldUserAuthorization=""
  MM_redirectLoginSuccess="testreview.asp"
  MM_redirectLoginFailed="http://www.google.com"
  MM_flag="ADODB.Recordset"
  set MM_rsUser = Server.CreateObject(MM_flag)
  MM_rsUser.ActiveConnection = MM_snitz_STRING
  MM_rsUser.Source = "SELECT M_USERNAME, M_PASSWORD"
  If MM_fldUserAuthorization <> "" Then MM_rsUser.Source = MM_rsUser.Source & "," & MM_fldUserAuthorization
  MM_rsUser.Source = MM_rsUser.Source & " FROM FORUM_MEMBERS WHERE M_USERNAME='" & Replace(MM_valUsername,"'","''") &"' AND M_PASSWORD='" & Replace(Request.Form("password"),"'","''") & "'"
  MM_rsUser.CursorType = 0
  MM_rsUser.CursorLocation = 2
  MM_rsUser.LockType = 3
  MM_rsUser.Open
  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ' username and password match - this is a valid user
    Session("MM_Username") = MM_valUsername
    If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = ""
    End If
    if CStr(Request.QueryString("accessdenied")) <> "" And true Then
      MM_redirectLoginSuccess = Request.QueryString("accessdenied")
    End If
    MM_rsUser.Close
    Response.Redirect(MM_redirectLoginSuccess)
  End If
  MM_rsUser.Close
  Response.Redirect(MM_redirectLoginFailed)
End If
%>
<!--#include file="Connections/norcal.asp" -->
<%
Dim rsTitle__MMColParam
rsTitle__MMColParam = "1"
If (Request.QueryString("ID") <> "") Then
  rsTitle__MMColParam = Request.QueryString("ID")
End If
%>
<%
Dim rsTitle
Dim rsTitle_numRows
Set rsTitle = Server.CreateObject("ADODB.Recordset")
rsTitle.ActiveConnection = MM_norcal_STRING
rsTitle.Source = "SELECT DisplayName, pic_thumb FROM Places WHERE ID = " + Replace(rsTitle__MMColParam, "'", "''") + ""
rsTitle.CursorType = 0
rsTitle.CursorLocation = 2
rsTitle.LockType = 1
rsTitle.Open()
rsTitle_numRows = 0
%>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td> </td>
    <td align="center" valign="top"><p> </p>
      <form action="<%=MM_LoginAction%>" method="POST" name="login" id="login">
        <div align="center">User Name: <input name="name" type="text" id="name"> <br>
          Password: <input name="password" type="password" id="password"> <br>
          <input type="submit" name="Submit" value="Submit">
        </div>
      </form>
      <p> </p> <p> </p></td>
    <td> </td>
  </tr>
  <tr>
    <td width="29%"> </td>
    <td width="44%" align="center" valign="top"><table width="95%" border="0" cellspacing="0" cellpadding="4">
        <tr valign="middle">
          <td width="24%" bgcolor="#F2F2F2"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>Location Name: </b></font></td>
          <td width="76%" bgcolor="#F2F2F2"><div align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><%=(rsTitle.Fields.Item("DisplayName").Value)%> <img src="<%=(rsTitle.Fields.Item("pic_thumb").Value)%>"></font></div></td>
        </tr>
      </table>
      <table width="95%" border="0" cellspacing="0" cellpadding="0"> </table>
      <br> </td>
    <td width="27%"> </td>
  </tr>
</table>
<!--#include file="footer.asp" -->
<%
rsTitle.Close()
Set rsTitle = Nothing
%>
|
|
muzishun
Senior Member
United States
1079 Posts |
Posted - 27 December 2004 : 02:22:07
|
Just use the sha256 function. Add this at the top:
<!-- #include file="inc_sha256.asp" -->
Then, before you try and validate them, save the form data to a variable, then run the sha256 function on it. Something like this:
user_pass = Request.form("password")
user_pass = sha256(user_pass)
I did exactly this on my site, and it works like a charm. |
Bill Parrott Senior Web Programmer, University of Kansas Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com) Personal Website (www.chimericdream.com) |
|
|
Gremlin
General Help Moderator
New Zealand
7528 Posts |
Posted - 27 December 2004 : 02:46:08
|
That's right, you simply encrypt the password the same way Snitz does and then compare the two encrypted passwords. The info muzishun's given you is spot on :) |
Kiwihosting.Net - The Forum Hosting Specialists
|
|
|
muzishun
Senior Member
United States
1079 Posts |
Posted - 27 December 2004 : 09:40:07
|
Thanks, Gremlin. I've been learning. :) |
|
|
snowsurfer
New Member
64 Posts |
Posted - 27 December 2004 : 20:17:17
|
Thanks guys, I am not a programmer, so just to clarify: I include the file at the top with my other include files. Where would I put the
user_pass = Request.form("password")
user_pass = sha256(user_pass) |
|
|
Podge
Support Moderator
Ireland
3775 Posts |
Posted - 27 December 2004 : 22:09:52
|
You have to compare the password the user entered with the Snitz password. In order to do that you need to encrypt the password they entered by using inc_sha256.asp and compare it with the one in the database. The code that muzishun posted above encrypts the password for you:
user_pass = Request.form("password")
user_pass = sha256(user_pass)
After encryption, user_pass will end up in an encrypted form which you may compare with the password in the database. |
Podge.
|
|
snowsurfer
New Member
64 Posts |
Posted - 27 December 2004 : 22:38:33
|
I understand how it works. I think :) I am having trouble figuring out where to put that into my code. |
|
|
muzishun
Senior Member
United States
1079 Posts |
Posted - 28 December 2004 : 01:18:35
|
Change this:
MM_rsUser.Source = "SELECT M_USERNAME, M_PASSWORD"
If MM_fldUserAuthorization <> "" Then MM_rsUser.Source = MM_rsUser.Source & "," & MM_fldUserAuthorization
MM_rsUser.Source = MM_rsUser.Source & " FROM FORUM_MEMBERS WHERE M_USERNAME='" & Replace(MM_valUsername,"'","''") &"' AND M_PASSWORD='" & Replace(Request.Form("password"),"'","''") & "'"
MM_rsUser.CursorType = 0
to this:
user_pass = Request.form("password")
user_pass = sha256(user_pass)
MM_rsUser.Source = "SELECT M_USERNAME, M_PASSWORD"
If MM_fldUserAuthorization <> "" Then MM_rsUser.Source = MM_rsUser.Source & "," & MM_fldUserAuthorization
MM_rsUser.Source = MM_rsUser.Source & " FROM FORUM_MEMBERS WHERE M_USERNAME='" & Replace(MM_valUsername,"'","''") &"' AND M_PASSWORD='" & user_pass & "'"
MM_rsUser.CursorType = 0 |
|
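The same hash-then-compare lookup written with a parameterized ADODB.Command, so that no form input is concatenated into the SQL text. This is an added example, not code from the thread or from Snitz. It assumes the thread's MM_snitz_STRING connection string, the sha256 function from inc_sha256.asp, and the FORUM_MEMBERS columns shown above; the function name CheckSnitzLogin is hypothetical.

```vbscript
' Added example. Place inside <% ... %> after the includes for
' inc_sha256.asp and Connections/snitz.asp (both named in the thread).
Const adVarChar = 200     ' ADO DataTypeEnum value
Const adParamInput = 1    ' ADO ParameterDirectionEnum value
Const adCmdText = 1       ' ADO CommandTypeEnum value

' CheckSnitzLogin is a hypothetical helper name.
' Returns True when a FORUM_MEMBERS row has this user name and a stored
' password equal to the sha256 hash of the entered password.
Function CheckSnitzLogin(userName, plainPassword)
    Dim cmd, rs, enteredHash
    CheckSnitzLogin = False
    ' Reject empty input before touching the database.
    If userName = "" Or plainPassword = "" Then Exit Function

    ' Hash the entered password the same way the forum stores it.
    enteredHash = sha256(plainPassword)

    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = MM_snitz_STRING
    cmd.CommandType = adCmdText
    ' The ? placeholders are bound below, in order, as data rather than SQL.
    cmd.CommandText = "SELECT M_USERNAME FROM FORUM_MEMBERS " & _
                      "WHERE M_USERNAME = ? AND M_PASSWORD = ?"
    cmd.Parameters.Append cmd.CreateParameter("user", adVarChar, _
        adParamInput, Len(userName), userName)
    cmd.Parameters.Append cmd.CreateParameter("hash", adVarChar, _
        adParamInput, Len(enteredHash), enteredHash)

    Set rs = cmd.Execute
    CheckSnitzLogin = Not rs.EOF
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

Dim loginName
loginName = CStr(Request.Form("name"))
If loginName <> "" Then
    If CheckSnitzLogin(loginName, CStr(Request.Form("password"))) Then
        Session("MM_Username") = loginName
        Response.Redirect "testreview.asp"
    Else
        Response.Redirect "http://www.google.com"   ' failure target used in the thread
    End If
End If
```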
|
snowsurfer
New Member
64 Posts |
Posted - 28 December 2004 : 09:37:15
|
That did it
Thanks |
|
|
muzishun
Senior Member
United States
1079 Posts |
Posted - 28 December 2004 : 09:50:57
|
No problem. |
|
|
snowsurfer
New Member
64 Posts |
Posted - 28 December 2004 : 10:08:46
|
Now to take it a step farther :) How do they make it work on the same page as the post? I noticed that in snitz, on the post.asp page you can enter your user name, password and your post all on the same page.
In my situation, it is taking me three pages to accomplish this. I have the page where the user clicks a link that takes them to the page you helped me with; when they authenticate, it takes them to the page where they actually post the information.
And how do I get it to recognize they have already logged in? I need a cookie for that, right? |
|
|
snowsurfer
New Member
64 Posts |
Posted - 28 December 2004 : 10:14:09
|
I found this in post.asp. Is this what I would add to my page to check for the cookie?
strCkPassWord = Request.Cookies(strUniqueID & "User")("Pword")
if strSelectSize = "" or IsNull(strSelectSize) then
	strSelectSize = Request.Cookies(strUniqueID & "strSelectSize")
end if
if not(IsNull(strSelectSize)) and strSelectSize <> "" then
	if strSetCookieToForum = 1 then
		Response.Cookies(strUniqueID & "strSelectSize").Path = strCookieURL
	else
		Response.Cookies(strUniqueID & "strSelectSize").Path = "/"
	end if
	Response.Cookies(strUniqueID & "strSelectSize") = strSelectSize
	Response.Cookies(strUniqueID & "strSelectSize").expires = dateAdd("yyyy", 1, strForumTimeAdjust)
end if |
|
|
|
|