S3.wp.wsu.edu



Protecting your Website by Implementing Password Control – Featherman

This program shows one quick and easy way to implement password control to protect your website. The content here is not the final implementation solution (which would require additional javascript code), but is a large step forward and certainly useful in the academic setting as you prepare your final project.

The scenario is that we created a SQL Server database table with the schema on the right. We then added three registered users that can access our website content (also shown on the right).

The webpage shown on the left captures the userID and password from the program user in 2 textboxes, then we check if that combination of userID and password exists in our table of registered users. We use a parameterized SQL SELECT COUNT statement to count how many rows in the registered users table have the combination of userID and password. The SELECT COUNT(*) statement is run using the .ExecuteScalar method and its result (0 or 1) is assigned to a local variable. If the number 0 is returned from the database query then the user is not in the table. If the number 1 is returned by the query then the combination of userID and password is in the database table, and the program tells the webserver to display a different webpage: the program user is redirected to the next web page in the series. The idea is to have a separate webpage that is for login only. This page is protecting the rest of your application, which would conceivably reside on a different webserver behind a security system.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Partial Class LoginPage
    Inherits System.Web.UI.Page

    'If you want to implement password access to your website, you would need to first create a
    'registeredUsers SQL database table with several approved people.
    'Next you would add your connection string here that connects your webpage to your database.
    '(The page leaves the connection out; the placeholder below stands in for it.)
    Private con As New SqlConnection("<your connection string here>")

    'We want the program user to only have 3 attempts at typing in their password, so we use a
    'global variable here that will get incremented each time the program user attempts login
    'and fails (i.e. types the wrong password).
    'Note: a Shared field is one counter for the whole application process, not one per visitor,
    'so failures by any visitor count against everyone and it never resets; per-user state
    'belongs in Session or in the database instead.
    Public Shared gintloopcounter As Integer = 0

    Protected Sub Button1_Click(sender As Object, e As System.EventArgs) Handles Button1.Click
        'Here we use the supplied login information to count the number of rows there are in the
        'database table of registered users that match the login information (user ID and
        'password). If zero rows are returned then the login is not valid. If 1 row was found in
        'the registered users table, then the login information does match that of a registered
        'user, so we move from the login page to another page - presumably the first page in
        'your application.

        'This next line is a SqlCommand that runs a SQL statement that counts the number of rows
        'that have the values passed in by the two parameters (userID and password).
        Dim cmdCheckRegistrant As New SqlCommand( _
            "SELECT COUNT(*) FROM Registered_Users WHERE UserID = @p1 AND Password = @p2", con)

        'This next variable will be used to receive the result of running the SELECT COUNT query.
        Dim intRows As Integer = 0

        'If the user tried 3 times then they need to be locked out (0,1,2). You will need to find
        'additional javascript code to freeze the webpage including locking the go back link.
        'Here the screen controls are made invisible.
        If gintloopcounter = 2 Then
            Response.Write("System locked due to excessive attempts")
            Button1.Visible = False
            txtUserID.Visible = False
            txtPassword.Visible = False
            Exit Sub
        End If

        'The SqlCommand is parameterized so these next few lines take the values from the webpage
        'controls and assign them to the parameters so that the values are passed into the SQL
        'SELECT statement when the command is executed below using the .ExecuteScalar method.
        With cmdCheckRegistrant.Parameters
            .Clear()
            .AddWithValue("@p1", txtUserID.Text)
            .AddWithValue("@p2", txtPassword.Text)
        End With

        'Here we run the parameterized SqlCommand which returns one number that we assign to a
        'local variable (intRows). If you are in the middle of your own programming and you
        'realize you need to retrieve one value from the database (not a row of data) then use
        '.ExecuteScalar.
        Try
            If con.State = ConnectionState.Closed Then con.Open()
            intRows = CInt(cmdCheckRegistrant.ExecuteScalar())

            'We check the number of rows (calculated from the SELECT COUNT(*)) to see if a row of
            'data was found in the registered user table with the supplied userID and password.
            'Below we increment the global counter variable if no registered user was found.
            If intRows = 0 Then
                gintloopcounter += 1
                Response.Write("No Attendee with that UserID and Password " & gintloopcounter)
                txtUserID.Text = Nothing
                txtPassword.Text = Nothing
            End If

            'If a user was found in the approved user table then navigate to another webpage and
            'display that. The redirect target is left blank on the page; put the first page of
            'your application there. Response.Redirect ends the response by raising
            'ThreadAbortException, which this Catch will report before the thread is aborted.
            If intRows = 1 Then
                Response.Redirect("")
                Exit Sub
            End If
        Catch ex As Exception
            Response.Write(ex.Message)
        Finally
            con.Close()
        End Try
    End Sub
End Class
```
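The same login check, as an added example that is not part of the original page or its VB.NET code, rewritten in Python against a constructed in-memory SQLite stand-in for Registered_Users. It keeps the parameterized lookup but replaces the plaintext Password column with a salted PBKDF2 hash compared in constant time, and keeps the failure counter in each user's row rather than in one process-wide Shared variable. The Salt, Hash and Failures columns, the sample users, the iteration count and MAX_ATTEMPTS are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

MAX_ATTEMPTS = 3  # assumption: lock the account after three wrong passwords


def pbkdf2(password, salt):
    """Salted, slow hash so a leaked table does not leak passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    """Constructed in-memory stand-in for the page's Registered_Users table.
    Salt/Hash/Failures columns are assumptions; the page stores plaintext."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Registered_Users (UserID TEXT PRIMARY KEY, "
                "Salt BLOB, Hash BLOB, Failures INTEGER NOT NULL DEFAULT 0)")
    for uid, pw in [("alice", "correct horse"), ("bob", "hunter2")]:
        salt = os.urandom(16)
        con.execute("INSERT INTO Registered_Users VALUES (?, ?, ?, 0)",
                    (uid, salt, pbkdf2(pw, salt)))
    return con


def verify_login(con, user_id, password):
    """Hardened form of the page's Button1_Click check.
    Returns "ok", "invalid" or "locked"."""
    # Still parameterized: the user ID never becomes part of the SQL text.
    row = con.execute("SELECT Salt, Hash, Failures FROM Registered_Users "
                      "WHERE UserID = ?", (user_id,)).fetchone()
    if row is None:
        # Unknown ID: burn the same hashing time so the response timing
        # does not reveal which IDs exist.
        pbkdf2(password, b"\x00" * 16)
        return "invalid"
    salt, stored, failures = row
    if failures >= MAX_ATTEMPTS:
        return "locked"  # checked before the password, like the page's counter
    if hmac.compare_digest(pbkdf2(password, salt), stored):
        con.execute("UPDATE Registered_Users SET Failures = 0 WHERE UserID = ?",
                    (user_id,))
        return "ok"
    # Wrong password: count it against this user only, not against everyone.
    con.execute("UPDATE Registered_Users SET Failures = Failures + 1 "
                "WHERE UserID = ?", (user_id,))
    return "invalid"
```

A correct password after the lockout threshold still returns "locked", so the counter must be reset by an administrator or a timed unlock rather than by guessing.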
