Log In Server Behavior Problems

22 Mar 2002 18:33:41 Aegis Kleais posted:
I know I'm new to UD4, however, despite my learning ASP and such, I'm able to use most of UD4's many features without problem. However, I have a place where I use the LOG IN server behavior to log a person into a restricted area.

My current thought was to do it like this:
Give them a URL, ie:

www.page.com/secure.asp?id=232

And the ID would load the Record of their information.

But then it occurred to me, that someone who logged in (another account) could just change the "232" to a different number and if they found a valid one, they would be seeing someone else's private information.

So I have 2 questions here....

I want to do something like this: Create a field in the database that I call LOCK and give it a long random string like:
sdhf348r7sdvhkas8d7foefkjh4398t7ysdlkn34o8478osdyf

Then I give people an address of:
www.page.com/secure.asp?id=232?lock=sdhf348r7sdvhkas8d7foefkjh4398t7ysdlkn34o8478osdyf

So this means that they would have to not only get the ID number correct, but the LONG lock code as well. The only problem is that I don't think I can use the SIMPLE Query Builder when defining a recordset. I have to use the advanced one, and it shows something like:

SELECT *
FROM DSNConnection
WHERE id = 'MMColParam'

( MMColParam = Request.QueryString("id") )

So if I make MMColParam2 = Request.QueryString("lock"), how do I add on some "AND WHERE lock = 'MMColParam2'" phrase to my SQL Query?

-------------------------------------------------------------------------------------

My other question had to do with logging in using the LOG IN Server Behavior.

I need to know how people send the USERNAME of a USERNAME/PASSWORD login system upon successful verification.

I thought I would Request a form value from whatever the user supplied in the USERNAME box, and then when defining the LOG IN server behavior, upon successful verification it would go to "secure.asp?username=<%= Request.Form("username") %>"

But when I press OK to get back to the webpage, I get loads of ASP code put into the design view. So I know something went wrong. If I've done a good enough job of explaining what I need, I look forward to hearing your answers!

Replies

23 Mar 2002 01:24:44 Dennis van Galen replied:
ok, here's a UDev rule, don't paste asp code in a visual editor as you did, you saw the result.

you did this:
quote:
I thought I would Request a form value from whatever the user supplied in the USERNAME box, and then when defining the LOG IN server behavior, upon successful verification it would go to "secure.asp?username=<%= Request.Form("username") %>"

the idea is correct, now do it again but leave out the <% Request....%> and after clicking ok switch to code view, now find the code that redirects you to "secure.asp?username=" and paste the <% Request.Form("username") %> behind the "=" sign and now try it out.

For the other thingy try:

SELECT *
FROM DSNConnection
WHERE id = 'MMColParam' AND lock = 'MMColParam2'

The simple mode is just to get a quick select from where order by statement, you will find yourself using it for that and quickly ending up in advanced where I spend most my time, if I'm not rewriting the codes or attempting to anyway ;)

With kind regards,

Dennis van Galen
Webmaster KPN Services
Financial and Information Services

23 Mar 2002 03:43:12 Aegis Kleais replied:
I made the following:

SELECT *
FROM DSNConnection
WHERE id = 'MMColParam' AND lock = 'MMColParam2'

-------------------------------------------------

MMColParam ----- Runtime value of 1 --- Request.QueryString("id")
MMColParam2 ---- Runtime value of 1 --- Request.QueryString("lock")

And I get a MS ODBC Data Mismatch Error.

ID is a MS Access Autonumber and LOCK is a MEMO


As for the "Don't paste code into the visual editor", is there any reason not to? Does UD4 just spaz out by design when I do that, but works fine when you cut and paste it?

My thanks for your help. It's really gettin me out of a pickle.
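
Added example (not from the thread, and not UltraDev-generated code): one way to stop an edited ?id= from showing another account's record is to tie the lookup to the logged-in session and bind the values as typed parameters, with id bound as a number to match the Autonumber column. It assumes the Log In User behaviour stores the verified name in Session("MM_Username") (check the generated login page in code view to confirm), and the table Members, columns id and username, login.asp and the DSN are hypothetical names.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' secure.asp -- added example, not code from the thread.
' Assumed names: table Members, columns id (Autonumber) and username,
' login page login.asp, and the placeholder DSN below.
Const CONN_STRING = "DSN=YourDsnName"
Const adCmdText = 1, adParamInput = 1, adInteger = 3, adVarChar = 200

Dim userName, rawId, digits, cmd, rs

' Identity comes from the session set at login, never from the URL.
userName = Session("MM_Username")
If Len(userName) = 0 Then Response.Redirect "login.asp"

' The id in the URL is only a selector; accept 1-9 digits so CLng cannot overflow.
rawId = Request.QueryString("id")
Set digits = New RegExp
digits.Pattern = "^\d{1,9}$"
If Not digits.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' Bind values as typed parameters: id as a number (matching the Autonumber
' column), username as text. The row is returned only if it belongs to the
' logged-in user, so editing ?id= in the address bar yields no data.
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = CONN_STRING
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT * FROM Members WHERE id = ? AND username = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(rawId))
cmd.Parameters.Append cmd.CreateParameter("user", adVarChar, adParamInput, 50, userName)
Set rs = cmd.Execute

If rs.EOF Then
    Response.Status = "403 Forbidden"
    Response.Write "No record for this account."
Else
    Response.Write "Welcome, " & Server.HTMLEncode(rs("username") & "")
End If
rs.Close
%>
```

Because ownership is enforced in the WHERE clause, no secret value has to travel in the URL, where it would end up in browser history, proxy logs and Referer headers.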
