Here is a sample of a basic login script for your website. You will find just one page. The form simply submits the page to itself to verify that the user information is accurate and the user email (or name) matches the password for that account.
The following is simply the HTML form that you will need for the users to fill out their information. You can change the field names or how the form works, this is just an example of the form:
Code:
<form name="login" method="post" action="">
<table width="400" border="0" cellspacing="0" cellpadding="2">
<tr>
<td>Email Address</td>
<td><input name="UserEmail" type="text" value="<%= UserEmail %>" /></td>
</tr>
<tr>
<td>Password</td>
<td><input name="UserPassword" type="password" value="<%= UserPassword %>" /></td>
</tr>
<tr>
<td> </td>
<td><input type="submit" name="Submit" value="Login" /></td>
</tr>
</table>
</form>
This part of code is the section that will actually authenticate the user against the values stored in the database. We will break it down piece-by-piece.
You will need this function to help stop SQL injection by replacing the single quotes with two single quotes:
Code:
'-- Simple function to replace single quotes --
Function ValidateStr(strValue)
strTemp = strValue
strTemp = Trim(strTemp)
strTemp = Replace(strTemp,"'","''")
ValidateStr = strTemp
End Function
Next, you will want to validate that the form has been submitted. Without this, the page will not know whether or not the form has been submitted.
Code:
'-- Check that form has been submitted --
If Request.Form("Submit") = "Login" Then
'-- Grab form values --
UserEmail = ValidateStr(Request.Form("UserEmail"))
UserPassword = ValidateStr(Request.Form("UserPassword"))
After setting your requested values to variables, make sure that they both exist. If not, display error:
Code:
' -- Check if both email and password were submitted -
If UserEmail = "" OR UserPassword = "" Then
strError = "You must enter both an email address and password."
End If
If no errors, you will then need to open your database connection and query the databse with the submitted email and password.
Code:
' -- If no errors, continue --
If strError = "" Then
'-- Connect to DB and create recordset --
Set conn = Server.CreateObject("ADODB.Connection")
conn.Provider = "Microsoft.Jet.OLEDB.4.0"
conn.Open Server.MapPath("login.mdb")
Set rsLogin = Server.CreateObject("ADODB.recordset")
'-- Select the data from the DB using the submitted information --
strSQL = "SELECT UserID, UserEmail, UserPassword FROM tblUsers WHERE UserEmail = '" & UserEmail & "' AND UserPassword = '" & UserPassword & "'"
rsLogin.Open strSQL, conn
Check if the recordset is empty (if a record exists for the given email and password).
Code:
' -- Check that user exists --
If Not rsLogin.EOF Then
'-- If match found, and user exists, then set session variable --
Session("UserID") = rsLogin("UserID")
' -- Redirect to protected page --
Response.Redirect "profile.asp"
Else
strError = "Login failed."
End If
End If
End If
There, you have now successfully validated a login attempt. If you noticed, we stored the error message in a variable called strError. You can reference the error anywhere in your page by using the following code:
This variables contains the exact error why the login failed. This variable will only be populated if an error occured.
Once the user is logged in, you can reference the user ID by pulling the value from the session:
Code:
UserID = Session("UserID")
LinkBack URL
About LinkBacks
Reply With Quote
Bookmarks