
Creating An Encrypted Login

Level: Intermediate
Requirements: DreamweaverMX, Access
Language: ASP, VBScript, SQL

Introduction

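In this tutorial, we will learn how to protect a stored password using SHA256. Strictly speaking, SHA256 is a one-way hash function rather than encryption: the stored value cannot be decrypted, only compared with the hash of whatever a user types in. This tutorial uses "encrypt" loosely for that hashing step. We will apply it to a password field which can then be used for a user login behaviour. First we will make a form for the creation of a new user record, then the login itself. The required SHA256 files can be downloaded from the following address: http://www.frez.co.uk/freecode.htm#sha256.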

Although this tutorial is labelled as Intermediate, that rating reflects the understanding needed to adapt the solution to your own projects. Beginners can easily follow it as well.

Step 1: Creating the table

One table will be required for this example, a simple user table to hold the login details for each user.

tblUsers

  • UserID: Primary Key, Autonumber
  • Username: Text
  • Password: Text, Length = 255
  • Email: Text

Step 2: Creating the user record

First we will make a form to allow the creation of a new user record and the encrypted password.

Create a new page called createUser.asp and on it make a form with three basic text fields for username, password and email address, naming these fields accordingly. Then add your submit button, and finally create a hidden field called action with an initial value of create. We will use this as the trigger to tell the page the form has been submitted.


Now open the code editor and in the data bindings panel, create a new command (stored procedure). Call it cInsert and select whatever connection you require. Select the type as insert and click OK.


This gives us our setup for the creation of the new user record.

In order to apply the encryption we will need to first include the SHA256 file into the code. So, just underneath the include at the top of the page for your connection string, create another include that points to the location of the SHA256 file.


Now that we have access to the encryption code, all we have to do is use it during the creation of the new user record, by altering the command code that was created with the blank insert SQL.

<%

set cInsert = Server.CreateObject("ADODB.Command")
cInsert.ActiveConnection = MM_YourConnectionString_STRING
cInsert.CommandText = "INSERT INTO ( ) VALUES ( ) "
cInsert.CommandType = 1
cInsert.CommandTimeout = 0
cInsert.Prepared = true
cInsert.Execute()

%>

Again, you'll need to change the MM_YourConnectionString_STRING to equal that of your own set-up.

Let's start by creating the IF statement that checks if the form has been processed. So under the <% tag, enter the following line of code.

If Request.Form("action")="create" Then

Now we are going to create some variables that will gather the details submitted by the user and use them in the SQL to create the record. So underneath the IF statement add the following code.

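' Double any single quotes so the value cannot break out of the SQL string
If(Request.Form("Username") <> "") Then
  cInsert__username = Replace(Request.Form("Username"),"'", "''")
End If
' Hash the password exactly as submitted: login.asp hashes the raw form value,
' so both pages must hash the same string
If(Request.Form("Password") <> "") Then
  cInsert__password = SHA256(Request.Form("Password"))
End If
' Escape the e-mail address too, since it is concatenated into the same SQL
If(Request.Form("email") <> "") Then
  cInsert__email = Replace(Request.Form("email"),"'", "''")
End If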

Notice that the line dealing with the password converts the value from the form to its SHA256 hash. So effectively, we are saving the hashed value, not the original password, to the database.
We now need to alter the cInsert.CommandText line in the Insert behaviour to the correct SQL for creating the user record. So alter the SQL in this line:

cInsert.CommandText = "INSERT INTO ( ) VALUES ( ) "

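to the following code.

' [Password] is bracketed because PASSWORD is a reserved word in Access (Jet) SQL
cInsert.CommandText = "INSERT INTO tblUsers ( Username, [Password], Email ) VALUES ( '" & cInsert__username & "', '" & cInsert__password & "','" & cInsert__email & "' ) "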

Just below the cInsert.Execute() line, add the following line of code.

Response.Redirect("createUser.asp?user=created")
End If

This will simply redirect to this page once the record has been created along with a parameter to inform you that the insert was a success. Of course, from here you would redirect to wherever you want to go when a new user record has been created.

Step 3: Creating the login page

As you will have probably gathered, creating the encrypted password value was a very easy thing to do. It is just a matter of taking your real-world value and applying the encryption function to get the encrypted value.

So now that the encrypted value is stored in the database, how can we check a value entered by a user against this?
Again, exactly as above. You cannot check the real-world value entered against the value in the database, as they will not match; we have to re-encrypt the value entered by the user and check that against the stored value in the database. Easy really.

So without further ado, create a new page called login.asp and on it create another form with a username and password field along with a submit button to activate the login.

To make things quick we will use the standard Dreamweaver login extension, so in your server behaviours, select Log In User from the User Authentication option.

Once that is done, go into the code view of the page. Like before, we will need to include the SHA256 file, so add that at the top underneath your connection string. All we need to do now is slightly change the SQL in the MM_rsUser.Source line of the login code block.
Locate the line:

MM_rsUser.Source = MM_rsUser.Source & " FROM tblUsers WHERE Username='" & Replace(MM_valUsername,"'","''") &"' AND Password='" & Replace(Request.Form("password"),"'","''") & "'"

We need to alter the end of this line, as it references the actual value of the password entered by the user. We need to change it to use the encrypted value of the password instead. So alter this line to read as follows.

MM_rsUser.Source = MM_rsUser.Source & " FROM tblUsers WHERE Username='" & Replace(MM_valUsername,"'","''") &"' AND Password='" & SHA256(Request.Form("password")) & "'"

Our login page will now encrypt the value entered by the user trying to log in and check it against the already encrypted value stored in the database.
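
The same insert and login check can be written with ADO parameters instead of string concatenation, so the form values never become part of the SQL text and no quote escaping is needed. This is an added example, not code from the original tutorial: NewCommand, AddText, CreateUser and CheckLogin are hypothetical names, while SHA256() and MM_YourConnectionString_STRING are the ones the tutorial already uses.

```vbscript
<%
' Added example: parameterized versions of the tutorial's INSERT and login lookup.
' Assumes the connection include and the SHA256 include are already on the page.
Const adCmdText = 1, adParamInput = 1, adVarWChar = 202, adExecuteNoRecords = 128

' Build a text command on the tutorial's connection string.
Function NewCommand(sql)
  Dim cmd
  Set cmd = Server.CreateObject("ADODB.Command")
  cmd.ActiveConnection = MM_YourConnectionString_STRING
  cmd.CommandText = sql            ' each "?" is bound by position
  cmd.CommandType = adCmdText
  Set NewCommand = cmd
End Function

' Append one text parameter; Access Text columns hold at most 255 characters.
Sub AddText(cmd, name, value)
  cmd.Parameters.Append cmd.CreateParameter(name, adVarWChar, adParamInput, 255, value)
End Sub

' Store a new user with the SHA256 hash of the password as submitted.
Sub CreateUser(username, password, email)
  Dim cmd
  Set cmd = NewCommand("INSERT INTO tblUsers (Username, [Password], Email) VALUES (?, ?, ?)")
  AddText cmd, "@username", username
  AddText cmd, "@password", SHA256(password)
  AddText cmd, "@email", email
  cmd.Execute , , adExecuteNoRecords
End Sub

' Return True when the stored hash equals the hash of the submitted password.
Function CheckLogin(username, password)
  Dim cmd, rs
  CheckLogin = False
  Set cmd = NewCommand("SELECT [Password] FROM tblUsers WHERE Username = ?")
  AddText cmd, "@username", username
  Set rs = cmd.Execute
  If Not rs.EOF Then
    CheckLogin = (rs("Password").Value = SHA256(password))
  End If
  rs.Close
End Function
%>
```

The hash here is still the tutorial's single unsalted SHA256; a per-user salt and a deliberately slow password-hashing function are the usual hardening, which this example does not attempt.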

Happy coding.

Tutorial by Rob Boyle, submitted on 02/03/2008. Views: 7785. Rating: 5 [1 Ratings]