-
Apr 29th, 2001, 05:06 PM
#1
Thread Starter
Lively Member
Authentication GURU...or vb guru Needed URGENTLY PLEASE
I have created a login form with username and password
which checks my SQL7 database for the user password, then checks to see the rights of the user. If the user has user rights it puts them to my next user area form, Appraisal.asp; if not, it sends them to an unsuccessfull.htm form.
My question is this... I want my user to be taken to the appraisal page with the user's personal details on it, but it only shows the first record in the database and not the user's record.
And when I use
request.form("Password") on the appraisal page I cannot get that password value off the form... and I'm using the form tag with
post method???
Can anyone tell me what's going on... I'm really stuck on this and it's holding me up from completing my project that I have been doing for 4 months now.
Here is my login form script:
<%@LANGUAGE="VBSCRIPT"%>
<!--#include file="../../Connections/Conn_wasp.asp" -->
<%
' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" + Request.QueryString
MM_valUsername=CStr(Request.Form("Username"))
If MM_valUsername <> "" Then
  MM_fldUserAuthorization="Rights"
  MM_redirectLoginSuccess="../Users/Appraisal.asp"
  MM_redirectLoginFailed="../messages/Failure.asp"
  MM_flag="ADODB.Recordset"
  set MM_rsUser = Server.CreateObject(MM_flag)
  MM_rsUser.ActiveConnection = MM_Conn_wasp_STRING
  MM_rsUser.Source = "SELECT FirstName, Password"
  If MM_fldUserAuthorization <> "" Then MM_rsUser.Source = MM_rsUser.Source & "," & MM_fldUserAuthorization
  MM_rsUser.Source = MM_rsUser.Source & " FROM dbo.Users WHERE FirstName='" & MM_valUsername &"' AND Password='" & CStr(Request.Form("Password")) & "'"
  MM_rsUser.CursorType = 0
  MM_rsUser.CursorLocation = 2
  MM_rsUser.LockType = 3
  MM_rsUser.Open
  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ' username and password match - this is a valid user
    Session("MM_Username") = MM_valUsername
    If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = ""
    End If
    if CStr(Request.QueryString("accessdenied")) <> "" And false Then
      MM_redirectLoginSuccess = Request.QueryString("accessdenied")
    End If
    MM_rsUser.Close
    Response.Redirect(MM_redirectLoginSuccess)
  End If
  MM_rsUser.Close
  Response.Redirect(MM_redirectLoginFailed)
End If
%>
And here is my Appraisal form script to get the value of the password for the query to take the user to his record when he is logged in:
<%
set Recordset1 = Server.CreateObject("ADODB.Recordset")
Recordset1.ActiveConnection = MM_Conn_wasp_STRING
Recordset1.Source = "SELECT * FROM dbo.Users WHERE Password LIKE '%" + Replace(Recordset1__VarPassword, "'", "''") + "%'"
Recordset1.CursorType = 0
Recordset1.CursorLocation = 2
Recordset1.LockType = 3
Recordset1.Open()
Recordset1_numRows = 0
%>
-
Apr 30th, 2001, 12:13 AM
#2
Frenzied Member
I think your problem is in this line:
Recordset1.Source = "SELECT * FROM dbo.Users WHERE Password LIKE '%" + Replace(Recordset1__VarPassword, "'", "''") + "%'"
Why don't you use the same where clause in this select statement as the other script?
The above SQL statement will return the entire table. The reason it looks like you're getting only the first record is that you're only accessing the first record of the recordset. Trust me, the entire table is in that recordset. Instead of using LIKE for this, use the firstname and password. Also, I would recommend using at least a rudimentary encryption technique. (Of course, I don't know how important your project is... if it's a school project, then probably don't worry about it.)
Also:
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" + Request.QueryString
should be:
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction & "?" & Request.QueryString
just to be safe...
oOOo--oOOo
__ /\/\onte96
oOOo--oOOo
Senior Programmer/Analyst
MCP
Your results may vary.. some restrictions may apply.. pricing and participation may vary.. not available in all states.. professional driver closed course..quantities limited..
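An added example, not part of either post: one way Appraisal.asp could load only the logged-in user's row, keyed on the Session("MM_Username") value the login script stores and bound as an ADO parameter instead of being concatenated into the SQL. The include path, the Failure.asp path as seen from the Users folder, the column length of 50 and the two output lines are assumptions.

```vbscript
<%@LANGUAGE="VBSCRIPT"%>
<!--#include file="../../Connections/Conn_wasp.asp" -->
<%
' Added example (not from the thread). Assumes the login page has already
' stored the verified name in Session("MM_Username"), as the login script does.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Dim userName, cmd, rsUser
userName = CStr(Session("MM_Username"))

' No session value means the visitor did not come through the login page.
If userName = "" Then
    Response.Redirect "../messages/Failure.asp"   ' assumed path
End If

' Request.Form("Password") is empty on this page: Response.Redirect makes the
' browser issue a new GET, so the POSTed login fields never arrive here.
' An empty value turns the LIKE pattern into '%%', which matches every row.
' Key the lookup on the session identity instead.
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = MM_Conn_wasp_STRING
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT FirstName, Rights FROM dbo.Users WHERE FirstName = ?"
' Length 50 is an assumed column size; the value is bound, never concatenated.
cmd.Parameters.Append cmd.CreateParameter("FirstName", adVarChar, adParamInput, 50, userName)

Set rsUser = cmd.Execute

If rsUser.EOF Then
    rsUser.Close
    Response.Redirect "../messages/Failure.asp"   ' assumed path
End If

' Encode database values before writing them into the page.
Response.Write "Welcome, " & Server.HTMLEncode(rsUser.Fields("FirstName").Value & "")
Response.Write " (rights: " & Server.HTMLEncode(rsUser.Fields("Rights").Value & "") & ")"

rsUser.Close
Set rsUser = Nothing
Set cmd = Nothing
%>
```

The same Command/CreateParameter pattern applies to the login query, where both the username and the password are currently concatenated into the WHERE clause.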