coldfusion, coldfusion-9

Database validation of username and password is not working.


I am trying to build a login section, but it doesn't validate the username and password against the database. Can anyone tell me what's wrong in this code?

services/User.cfc

    <cffunction name="login" access="public" output="false" returntype="any">
        <cfargument name="username" required="true">
        <cfargument name="password" required="true">
        <cfquery name="getUser">
            SELECT users.Id,
                   users.username,
                   users.password
            FROM   Users
            WHERE  UserName = <cfqueryparam value="#arguments.username#" cfsqltype="CF_SQL_VARCHAR">
            AND    Password = <cfqueryparam value="#arguments.password#" cfsqltype="CF_SQL_VARCHAR">
        </cfquery>
        <cfif getUser.recordcount gt 0>
            <cfreturn getUser>
        </cfif>
    </cffunction>

controllers/login.cfc

    <cffunction name="login" access="public" returntype="void">
        <cfargument name="rc" type="struct" required="true">
        <cfset user = getUserService().login(arguments.rc.Username, arguments.rc.password)>
        <cfif arguments.rc.username EQ UserName and arguments.rc.password EQ password>
            <cfset session.auth = structNew()>
            <cfset session.auth.isLoggedin = "yes"/>
            <!--- <cfset session.auth.id = users.id />  --->
            <cfset session.auth.username = UserName />
            <cfset session.auth.password = password />
        <cfelse>
            <cfset rc.message = createMessage('error','','entered password is wrong')>
            <cfset variables.fw.redirect('login.default','message')>
        </cfif>
    </cffunction>

Thanks.


Solution

  • Where you check the results of calling login() you've not scoped username and password. Try user.UserName and user.Password:

    <cfif arguments.rc.username EQ user.UserName and arguments.rc.password EQ user.password>
    

    You will also need to check whether the response from login() is a query at all. Currently if the username/password doesn't match, login() returns nothing. You could use IsQuery() on the result or change login() to always return a resultset and just check the length in your code. You could also look to throw an exception if the username and password don't match. You could then try the login() call and catch and handle failure in your controller's login() method.

    You might want to consider renaming the login method in your service to validateUserCredentials or something like that, as the real login (setting session state) happens in your controller, although that's just a matter of personal taste.

    Although not part of the question (and possibly addressed elsewhere in your code), you should look at hashing and salting your passwords in order to protect your users.
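The answer's three suggestions combined (service always returns a query, controller checks the result, passwords stored salted and hashed), as an added example that is not code from the question or the answer. It assumes a default datasource set in Application.cfc, a Users table with Id, UserName, PasswordHash and PasswordSalt columns, and a per-user salt (for example from createUUID()) stored when the account was created.

```cfml
<!--- services/User.cfc (added example; assumed schema: Users(Id, UserName, PasswordHash, PasswordSalt)) --->
<cfcomponent output="false">

    <!--- Salted SHA-256 via CF9's built-in hash(); a slow password hash such as bcrypt is preferable where a library is available. --->
    <cffunction name="hashPassword" access="public" returntype="string" output="false">
        <cfargument name="password" type="string" required="true">
        <cfargument name="salt" type="string" required="true">
        <cfreturn hash(arguments.salt & arguments.password, "SHA-256")>
    </cffunction>

    <!--- Always returns a query: one row when the credentials match, zero rows otherwise. --->
    <cffunction name="validateUserCredentials" access="public" returntype="query" output="false">
        <cfargument name="username" type="string" required="true">
        <cfargument name="password" type="string" required="true">
        <cfset var getUser = "">
        <cfset var match = queryNew("Id,UserName", "Integer,VarChar")>
        <!--- Look the account up by name only; the password is compared against the stored hash, never put in the WHERE clause. --->
        <cfquery name="getUser">
            SELECT Id, UserName, PasswordHash, PasswordSalt
            FROM   Users
            WHERE  UserName = <cfqueryparam value="#arguments.username#" cfsqltype="CF_SQL_VARCHAR">
        </cfquery>
        <cfif getUser.recordcount EQ 1
              AND compare(hashPassword(arguments.password, getUser.PasswordSalt), getUser.PasswordHash) EQ 0>
            <cfset queryAddRow(match)>
            <cfset querySetCell(match, "Id", getUser.Id)>
            <cfset querySetCell(match, "UserName", getUser.UserName)>
        </cfif>
        <cfreturn match>
    </cffunction>

</cfcomponent>

<!--- controllers/login.cfc: the service always hands back a query, so recordcount is the only check needed. --->
<cffunction name="login" access="public" returntype="void" output="false">
    <cfargument name="rc" type="struct" required="true">
    <cfset var user = getUserService().validateUserCredentials(arguments.rc.username, arguments.rc.password)>
    <cfif user.recordcount EQ 1>
        <cfset session.auth = structNew()>
        <cfset session.auth.isLoggedIn = true>
        <cfset session.auth.id = user.Id>
        <cfset session.auth.username = user.UserName>
    <cfelse>
        <!--- One generic message for both a wrong name and a wrong password. --->
        <cfset arguments.rc.message = createMessage('error', '', 'Username or password is incorrect')>
        <cfset variables.fw.redirect('login.default', 'message')>
    </cfif>
</cffunction>
```

The session keeps only the id and username it needs for later requests; the submitted password is not stored.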