The login form is a relatively simple affair. It prompts the user for a username and password, validates it against the database, and if the username/password combination is valid, it saves a variable saying so in the Session data.
Note |
Copy the code below into login.asp, and then we'll take a closer look.
login.asp <% Option Explicit Dim strError, strSQL, objRS 'see if the form has been submitted If Request.Form("action")="login" Then 'the form has been submitted '// validate the form 'check if a username has been entered If Request.Form("username") = "" Then _ strError = strError & "- Please enter a username<br>" & vbNewLine 'check if a password has been entered If Request.Form("password") = "" Then _ strError = strError & "- Please enter a password<br>" & vbNewLine '// check if an error has occured If strError = "" Then 'continue 'include database connection code %> <!--#include file="inc-dbconnection.asp"--> <% '// create the SQL strSQL = "SELECT id,password FROM members WHERE username='" & _ fixQuotes(Request.Form("username")) & "'" '// run the SQL Set objRS = objConn.Execute (strSQL) '// see if there are any records returned If objRS.EOF Then 'no username found strError = "- Invalid username or password<br>" & vbNewLine Else 'check password If objRS("password")=Request.Form("password") Then 'username/password valid 'save session data Session("loggedin") = True Session("userid") = objRS("id") 'redirect to members area Response.Redirect ("default.asp") Response.End Else 'invalid password strError = "- Invalid username or password<br>" & vbNewLine End If End If End If If strError <> "" Then 'output the error message 'add extra HTML... strError = "<p><font color=""#FF0000"">The following errors occured:" & _ "</font><br>" & vbNewLine & strError End If 'display message in URL.. (ie thank you for registering) If Request.QueryString("msg") <> "" And strError = "" Then strError = "<p>" & Request.QueryString("msg") & "</p>" End If End If Function fixQuotes(strData) fixQuotes = Replace(strData,"'","''") End Function |
A large proportion of this code is almost identical to that of register.asp
.
The code first checks to see if the form has been submitted. If it has, it uses
the same validation technique as before to see if a username and password has
been specified. If it hasn't it displays an error message. If it has, then it
checks the username/password combination by querying the database for that username.
If objRS.EOF Then
the username hasn't been found; display error
message. Otherwise, we check the password returned from the database, and compare
it to the one the user has just entered. Once again, if they are incorrect, we
tell the user that.
If the username/password combination is correct, we set the loggedin
value of our session data to 1, and also save the user id. These session data
variables are available outside login.asp, so our members pages can check
if we are logged in or not. Therefore, once setting this data, we simply redirect
to default.asp ; the members home page (we are assuming that you have
a seperate /members/
directory).
Comments