
Session Variable

  • 27-08-2009 2:13pm
    #1
    Registered Users, Registered Users 2 Posts: 224 ✭✭


    Hi,

    I'm using Dreamweaver and ASP. I have a login page which works fine. The login queries a table called tblIELogin, looks up the username and password, and then passes you through to the home page if they are correct. I want to be able to carry another field (entryid) over as a session variable. How do I do this? The code from the login page is below.

    **************

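    <%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
    <!--#include file="../../Connections/123.asp" -->
    <%
    ' Login handler for this page. When the form further down posts a Username, the
    ' credentials are looked up in dbo.tblIELogin. On a match the user name and the
    ' Companyid value are stored in the Session and the browser is redirected to the
    ' success page; otherwise it is redirected to the failure page.
    ' MM_123_STRING is not defined in this listing; presumably it is set by the
    ' Connections/123.asp include above.

    ' *** Validate request to log in to this site.
    ' The form posts back to this same URL. The query string is HTML-encoded because
    ' MM_LoginAction is written into the form's action attribute later in the page.
    MM_LoginAction = Request.ServerVariables("URL")
    If Request.QueryString <> "" Then MM_LoginAction = MM_LoginAction + "?" + Server.HTMLEncode(Request.QueryString)
    MM_valUsername = CStr(Request.Form("Username"))
    If MM_valUsername <> "" Then
      Dim MM_fldUserAuthorization
      Dim MM_redirectLoginSuccess
      Dim MM_redirectLoginFailed
      Dim MM_loginSQL
      Dim MM_rsUser
      Dim MM_rsUser_cmd
      Dim MM_returnUrl

      MM_fldUserAuthorization = "Companyid"
      MM_redirectLoginSuccess = "home.asp"
      MM_redirectLoginFailed = "loginbad.asp"

      ' Only column names fixed in this script are concatenated into the SQL text;
      ' the values supplied by the user are bound as parameters below.
      MM_loginSQL = "SELECT usrname, pword,entryid"
      If MM_fldUserAuthorization <> "" Then MM_loginSQL = MM_loginSQL & "," & MM_fldUserAuthorization
      MM_loginSQL = MM_loginSQL & " FROM dbo.tblIELogin WHERE usrname = ? AND pword = ?"
      Set MM_rsUser_cmd = Server.CreateObject ("ADODB.Command")
      MM_rsUser_cmd.ActiveConnection = MM_123_STRING
      MM_rsUser_cmd.CommandText = MM_loginSQL
      ' NOTE(review): the submitted password is compared directly with the pword
      ' column, which suggests passwords are stored unhashed - confirm. If so, store
      ' a salted, slow password hash and compare hashes instead.
      MM_rsUser_cmd.Parameters.Append MM_rsUser_cmd.CreateParameter("param1", 200, 1, 50, MM_valUsername) ' adVarChar
      MM_rsUser_cmd.Parameters.Append MM_rsUser_cmd.CreateParameter("param2", 200, 1, 50, Request.Form("Password")) ' adVarChar
      MM_rsUser_cmd.Prepared = true
      Set MM_rsUser = MM_rsUser_cmd.Execute

      If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
        ' username and password match - this is a valid user
        Session("MM_Username") = MM_valUsername
        If (MM_fldUserAuthorization <> "") Then
          Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
        Else
          Session("MM_UserAuthorization") = ""
        End If
        ' The accessdenied value comes from the request, so it is followed only when
        ' it is a server-relative path on this site. Anything else (absolute URLs,
        ' "//host" or "/\host" forms, embedded line breaks) falls back to home.asp,
        ' so the login page cannot be used to bounce a signed-in user to another site.
        ' Assumes the protected pages pass a path starting with "/" - confirm.
        MM_returnUrl = CStr(Request.QueryString("accessdenied"))
        If Left(MM_returnUrl, 1) = "/" And Left(MM_returnUrl, 2) <> "//" And Left(MM_returnUrl, 2) <> "/\" _
           And InStr(MM_returnUrl, vbCr) = 0 And InStr(MM_returnUrl, vbLf) = 0 Then
          MM_redirectLoginSuccess = MM_returnUrl
        End If
        MM_rsUser.Close
        Response.Redirect(MM_redirectLoginSuccess)
      End If
      MM_rsUser.Close
      Response.Redirect(MM_redirectLoginFailed)
    End If

    %>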
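    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <title>Please Logon now</title>

    <LINK href="../../sitestyle.css" type=text/css rel=STYLESHEET>
    </head>
    <body bgcolor="#FFFFFF" text="#000000" topmargin="0">




    <table width="500" border="1" align="center" bordercolor="#E14A6D">
    <tr>
    <td width="500"><table width="500" border="1" height="324" bordercolor="#E14A6D" align="center">
    <tr>
    <td height="259" align="center" valign="top" background="../../ie/images/bg.gif" bgcolor="#FFFFFF"><table width="100%">
    <tr>
    <td bgcolor="#FFFFFF"><div align="center"><img src="../../siteimgs/homehdr.jpg" width="800" height="189" alt=""></div></td>
    </tr>
    </table>
    <table width="100%">
    <tr>
    <td height="132" align="center" valign="top" bgcolor="#E14A6D">
    <!-- Login form. It posts the Username and Password fields back to this same page:
         MM_LoginAction is the current URL plus the HTML-encoded query string, so an
         accessdenied parameter survives the post. Serve this page over HTTPS so the
         password is not sent in clear text. -->
    <form name="login" method="POST" action="<%=MM_LoginAction%>">
    <table width="100%" border="0" cellpadding="2" cellspacing="2" bgcolor="#E14A6D">
    <tr bgcolor="#E14A6D">
    <td colspan="2"><div align="center"><span class="subhead"><font face="Verdana, Arial, Helvetica, sans-serif">Please Login</font></span><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b><font size="3"><br>
    <br>
    </font></b></font></div></td>
    </tr>
    <tr bgcolor="#E14A6D">
    <td width="40%"><div align="right"><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Username:</font></div></td>
    <td><div align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2">
    <input name="Username" type="text" class="txtbox">
    </font></div></td>
    </tr>
    <tr bgcolor="#E14A6D">
    <td><div align="right"><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Password: </font> </div></td>
    <td><p align="left">
    <input name="Password" type="password" class="txtbox">
    </p>
    </td>
    </tr>
    <tr bgcolor="#E14A6D">
    <td> <div align="right"><br>
    <br>
    <input name="Reset" type="reset" class="subhead" value="Reset">
    </div></td>
    <td> <div align="left"><br>
    <br>
    <input name="Submit" type="submit" class="subhead" value="Submit">
    </div></td>
    </tr>
    </table>
    <font face="Verdana, Arial, Helvetica, sans-serif" size="3"></font>
    <p></p>
    </form></td>
    </tr>
    </table>
    </td>
    </tr>
    </table></td>
    </tr>
    </table>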


Comments

  • Registered Users, Registered Users 2 Posts: 2,931 ✭✭✭Ginger


    Session("EntryID") = MM_rsUser.Fields("entryId")

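    That should do it, as you are already returning entryid in the recordset. The line goes inside the "valid user" branch of the login code, after the Execute call and before MM_rsUser.Close.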


  • Registered Users, Registered Users 2 Posts: 224 ✭✭The Mighty Dubs


    Sorry but you'll have to excuse my ignorance here. But where exactly should this variable be put in? Should it be somewhere in the code displayed below or the home page where the login redirects where correct?
    This sort of thing im not very good at.


  • Registered Users, Registered Users 2 Posts: 21,263 ✭✭✭✭Eoin


    Sorry but you'll have to excuse my ignorance here. But where exactly should this variable be put in? Should it be somewhere in the code displayed below or the home page where the login redirects where correct?
    This sort of thing im not very good at.

    Imagine you wanted to just print the userID from the database to the page - where would you put that line of code?


  • Registered Users, Registered Users 2 Posts: 224 ✭✭The Mighty Dubs


    I need to store this variable in the background and put it into a hidden form field in an insert statement...


  • Registered Users, Registered Users 2 Posts: 21,263 ✭✭✭✭Eoin


    Yep, I know what you mean - I just mean that you need to find out at what stage you can access the value from the database. That's when you set the session variable. Using Response.Write to print out variables to the page is usually a good first step for this kind of thing.

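    I wouldn't use a hidden form field by the way, as it's incredibly easy for a user to overwrite this value in the browser before the form is submitted (basic parameter tampering). There's no need to use it if you're using session variables: read the value from the Session on the server at the point where you do the insert.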


  • Registered Users, Registered Users 2 Posts: 224 ✭✭The Mighty Dubs


    ah ok, the value should be set at log in.


  • Registered Users, Registered Users 2 Posts: 21,263 ✭✭✭✭Eoin


    Yep, you set the value as soon as you get it, and then you can access it throughout the site.

    Don't do this though:

    [html]<input type="hidden" name="txtUserID" value="<%=Session("UserID")%>"/>[/html]

    I did this on a web app years ago, and it was really easy to change the value of this form field to anything I wanted.


  • Registered Users, Registered Users 2 Posts: 224 ✭✭The Mighty Dubs


    Cheers for the heads up on the hidden field thing, im always using them. must use something else instead.

    I have tried to put the following into the logon statement
    MM_rsUser.Fields("entryId") = Session("IELoginID")
    but am getting back an error, (Arguments are of the wrong type, are out of acceptable range, or are in conflict with one another. Line 26) see below to view where i have put it in.

    **********

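    <%
    ' Login handler with the entryid session variable added. When the form posts a
    ' Username, the credentials are looked up in dbo.tblIELogin. On a match the user
    ' name, the Companyid value and the entryid value are stored in the Session and
    ' the browser is redirected to the success page; otherwise to the failure page.
    ' MM_123_STRING is not defined in this excerpt; presumably it comes from the
    ' connection include at the top of the full page. Without that include,
    ' ActiveConnection below is assigned an empty value.

    ' *** Validate request to log in to this site.
    ' The form posts back to this same URL. The query string is HTML-encoded because
    ' MM_LoginAction is written into the form's action attribute.
    MM_LoginAction = Request.ServerVariables("URL")
    If Request.QueryString <> "" Then MM_LoginAction = MM_LoginAction + "?" + Server.HTMLEncode(Request.QueryString)
    MM_valUsername = CStr(Request.Form("Username"))
    If MM_valUsername <> "" Then
      Dim MM_fldUserAuthorization
      Dim MM_redirectLoginSuccess
      Dim MM_redirectLoginFailed
      Dim MM_loginSQL
      Dim MM_rsUser
      Dim MM_rsUser_cmd
      Dim MM_returnUrl

      MM_fldUserAuthorization = "Companyid"
      MM_redirectLoginSuccess = "home.asp"
      MM_redirectLoginFailed = "loginbad.asp"

      ' Only column names fixed in this script are concatenated into the SQL text;
      ' the values supplied by the user are bound as parameters below.
      MM_loginSQL = "SELECT usrname, pword,entryid"
      If MM_fldUserAuthorization <> "" Then MM_loginSQL = MM_loginSQL & "," & MM_fldUserAuthorization
      MM_loginSQL = MM_loginSQL & " FROM dbo.tblIELogin WHERE usrname = ? AND pword = ?"
      Set MM_rsUser_cmd = Server.CreateObject ("ADODB.Command")
      MM_rsUser_cmd.ActiveConnection = MM_123_STRING
      MM_rsUser_cmd.CommandText = MM_loginSQL
      ' NOTE(review): the submitted password is compared directly with the pword
      ' column, which suggests passwords are stored unhashed - confirm. If so, store
      ' a salted, slow password hash and compare hashes instead.
      MM_rsUser_cmd.Parameters.Append MM_rsUser_cmd.CreateParameter("param1", 200, 1, 50, MM_valUsername) ' adVarChar
      MM_rsUser_cmd.Parameters.Append MM_rsUser_cmd.CreateParameter("param2", 200, 1, 50, Request.Form("Password")) ' adVarChar
      MM_rsUser_cmd.Prepared = true
      ' Original attempt, kept as a comment to show where it was placed:
      '   MM_rsUser.Fields("entryId") = Session("IELoginID")
      ' It cannot work here: MM_rsUser has been declared but not yet assigned
      ' (Execute runs on the next line), and the assignment is the wrong way round -
      ' it writes the session value into the recordset field instead of reading the
      ' field into the session.
      Set MM_rsUser = MM_rsUser_cmd.Execute

      If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
        ' username and password match - this is a valid user
        Session("MM_Username") = MM_valUsername
        ' Copy entryid from the matched row into the session while the recordset is
        ' still open, so later pages can read it on the server instead of trusting a
        ' hidden form field.
        Session("IELoginID") = MM_rsUser.Fields.Item("entryid").Value
        If (MM_fldUserAuthorization <> "") Then
          Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
        Else
          Session("MM_UserAuthorization") = ""
        End If
        ' The accessdenied value comes from the request, so it is followed only when
        ' it is a server-relative path on this site. Anything else (absolute URLs,
        ' "//host" or "/\host" forms, embedded line breaks) falls back to home.asp,
        ' so the login page cannot be used to bounce a signed-in user to another site.
        ' Assumes the protected pages pass a path starting with "/" - confirm.
        MM_returnUrl = CStr(Request.QueryString("accessdenied"))
        If Left(MM_returnUrl, 1) = "/" And Left(MM_returnUrl, 2) <> "//" And Left(MM_returnUrl, 2) <> "/\" _
           And InStr(MM_returnUrl, vbCr) = 0 And InStr(MM_returnUrl, vbLf) = 0 Then
          MM_redirectLoginSuccess = MM_returnUrl
        End If
        MM_rsUser.Close
        Response.Redirect(MM_redirectLoginSuccess)
      End If
      MM_rsUser.Close
      Response.Redirect(MM_redirectLoginFailed)
    End If

    %>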


  • Registered Users, Registered Users 2 Posts: 224 ✭✭The Mighty Dubs


    D'OH...left the connection string out but still not getting the variable to carry over.


  • Registered Users, Registered Users 2 Posts: 21,263 ✭✭✭✭Eoin


    First, print out the userID from the database to the page. Then print out the session variable to the page and see if it's being set.

