Foxlon

Reputation: 21

Setting strict password rules

I am a bit confused here. I have a form and action page for handling a user login. Presently, my action page ignores the capitalization of the password. Whether you use lower case letters, or all caps, for the password, the action.cfm page logs you in, as long as the value is correct. I want it to ONLY login if the correct password case is used. How do I solve this?

Form:

<form name="login" target="_self" method="POST" action="action.cfm">
   Username: <input name="UserName" type="text"><br/>
   Password: <input name="Password" type="password"><br/>
   <input name="" type="submit" value="Login">
</form>

action.cfm:

<cfquery name="qVerify" datasource="me.mdb">
    SELECT  UserName, Password
    FROM    rbs
    WHERE   UserName = '#UserName#'
    AND     Password = '#Password#'
</cfquery>
<cfif qVerify.RecordCount>
    <cfset session.allowin = "True">
    <!--- Now welcome user and redirect to "accessgranted.cfm" --->
    <CFLOCATION URL="successful.html">
<cfelse>
    <script>
    alert("ACCESS NOT GRANTED. CHECK YOUR LOGIN PARAMETERS.");
    self.location="loginpage.html";
    </script>
</cfif>

Upvotes: 0

Views: 115

Answers (3)

Maertsch

Reputation: 56

Your table collation seems to be case-insensitive.

Check the password with ColdFusion in a case-sensitive way. For example, use the function compare(), which is case-sensitive, whereas compareNoCase() is case-insensitive. compare() returns 0 if the strings are equal.

Your code would look like this:

<cfquery name="qVerify" datasource="me.mdb">
    SELECT  UserName, Password
    FROM    rbs
    WHERE   UserName = <cfqueryparam value="#form.UserName#" cfsqltype="cf_sql_varchar">
    AND     Password = <cfqueryparam value="#form.Password#" cfsqltype="cf_sql_varchar">
</cfquery>
<!--- The database matched case-insensitively; re-check both values case-sensitively here --->
<cfif qVerify.RecordCount and compare(qVerify.username, form.username) eq 0 and compare(qVerify.password, form.password) eq 0>
    <cfset session.allowin = "True">
    <!--- Now welcome user and redirect to "accessgranted.cfm" --->
    <CFLOCATION URL="successful.html">
<cfelse>
    <script>
    alert("ACCESS NOT GRANTED. CHECK YOUR LOGIN PARAMETERS.");
    self.location="loginpage.html";
    </script>
</cfif>

Upvotes: 0

Andre

Reputation: 27644

Comparisons in Access are always case-insensitive.

So a query

SELECT foo FROM bar WHERE foo = 'HELLO'

will also return records with foo = hello or Hello.

But: you shouldn't store passwords in plaintext anyway. Hash them, and the problem solves itself.

Upvotes: 3
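As an added example (not from the question or from any of the answers), the Python script below reproduces the problem with an in-memory SQLite table whose columns use COLLATE NOCASE to stand in for Access's case-insensitive comparison, then shows the fix Andre describes: store a salted PBKDF2 hash, select the row by username alone, and verify the hash in application code with a constant-time comparison. Because the hash is computed from the exact bytes typed, this is also the case-sensitive check Maertsch's answer asks for. The table and column names follow the question; the user row, the iteration count and the stored-hash format are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed setting: lower than current PBKDF2-SHA256 guidance so the demo runs
# quickly; raise it for production use.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hash verified for unknown users so a missing account costs about as much time
# as a wrong password (avoids leaking which usernames exist via timing).
DUMMY_HASH = hash_password("dummy-password-for-timing")


def build_db() -> sqlite3.Connection:
    """Constructed table: COLLATE NOCASE mimics Access's case-insensitive matching."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE rbs ("
        " UserName TEXT COLLATE NOCASE,"
        " Password TEXT COLLATE NOCASE,"   # plaintext column, kept only to show the bug
        " PasswordHash TEXT)"
    )
    conn.execute(
        "INSERT INTO rbs VALUES (?, ?, ?)",
        ("alice", "Secret", hash_password("Secret")),
    )
    conn.commit()
    return conn


def login_plaintext_in_where(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The question's pattern: the database compares the password, using its collation."""
    row = conn.execute(
        "SELECT 1 FROM rbs WHERE UserName = ? AND Password = ?", (username, password)
    ).fetchone()
    return row is not None


def login_hashed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fetch by username only; the application verifies the hash, so collation is irrelevant."""
    row = conn.execute(
        "SELECT PasswordHash FROM rbs WHERE UserName = ?", (username,)
    ).fetchone()
    if row is None:
        verify_password(password, DUMMY_HASH)
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    db = build_db()
    print("plaintext WHERE, wrong case:", login_plaintext_in_where(db, "alice", "SECRET"))
    print("hashed verify, wrong case:  ", login_hashed(db, "alice", "SECRET"))
    print("hashed verify, right case:  ", login_hashed(db, "alice", "Secret"))
```

Running the script shows the plaintext WHERE clause accepting "SECRET" for a stored "Secret", while the hashed path accepts only the exact string. The username lookup still benefits from the case-insensitive collation, which is usually what you want for a login name; only the secret moves out of the database comparison.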

alireza

Reputation: 43

You should save the passwords without converting them to lower or upper case. Then, while checking the password on the login page, you should compare them in the same way.

By default comparison will be done without changing lower or upper cases.

Check your server side code.

Upvotes: 1
