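<%
' *******************************************************************************
' **
' **  589 10/21/06 Ability for collectors to logon to web site
' **
' **  Login handler: reads UserID / Pswd, tries Employee, then Client, then
' **  Collector, fills the Session and redirects to openinv.asp on success or
' **  ErrLogin.asp on any failure.
' **
' *******************************************************************************
Dim ConnStr
Dim Conn
Dim rsQuery
Dim UserID
Dim Pswd
Dim SQL
Dim Agency
Dim SecLevel
Dim Fname
Dim Lname

' Run one of the login lookups with the credentials bound as parameters.
' SQLText must contain exactly two "?" placeholders: LoginID first, Pswd second.
' Returns the open recordset; the caller closes it.
' Parameter size 20 matches the length limit enforced on the inputs below.
' Assumes Conn (opened by connectdb) is an ADODB.Connection — confirm in connectdb.
Function RunLoginQuery(SQLText, LoginID, Password)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandType = 1                  ' adCmdText
    cmd.CommandText = SQLText
    ' 200 = adVarChar, 1 = adParamInput
    cmd.Parameters.Append cmd.CreateParameter("LoginID", 200, 1, 20, LoginID)
    cmd.Parameters.Append cmd.CreateParameter("Pswd", 200, 1, 20, Password)
    Set RunLoginQuery = cmd.Execute
    Set cmd = Nothing
End Function

' ***************************************
' Read and validate the credentials
' ***************************************
' NOTE(review): credentials arrive on the query string (GET), so they end up
' in web-server logs, proxies and browser history. Moving to POST
' (Request.Form) needs the calling login form changed as well.
' Response.Redirect ends processing of this page, so each redirect below
' also acts as an exit.
UserID = Trim(Request.QueryString("UserID"))
If Len(UserID) > 20 Or UserID = "" Then
    Response.Redirect("ErrLogin.asp")
End If

Pswd = Trim(Request.QueryString("Pswd"))
If Len(Pswd) > 20 Or Pswd = "" Then
    Response.Redirect("ErrLogin.asp")
End If
' The former Replace(x, "'", "NOT LIKELY") quote-mangling is gone: every query
' below binds UserID / Pswd as parameters, so quotes are data, not SQL.

' ***************************************
' Connect to Database
' ***************************************
connectdb

Session("UserID") = 0
Session("UserType") = 0

' ***************************************
' The built-in SYSADMIN account may not log in through this page
' ***************************************
If UCase(UserID) = "SYSADMIN" Then
    Response.Redirect("ErrLogin.asp")
End If

' ***************************************
' Select Agent Login Information
' ***************************************
' NOTE(review): Pswd is compared directly against the Pswd column in every
' query below — this page applies no hashing, so the stored value must be in
' the same form the user types it. Whether the column is hashed is decided
' by the schema, not here; confirm with the DBA.
SQL = "SELECT e.EmpID, e.Agency, e.SecLevel, r1.Fname, r1.Lname " & _
      "FROM Employee e, Rdex r1 " & _
      "WHERE e.LoginID = ? " & _
      "AND e.Pswd = ? " & _
      "AND e.SecLevel > 0 " & _
      "AND r1.ID = e.EmpID " & _
      "AND r1.Active = 'Y' "
Set rsQuery = RunLoginQuery(SQL, UserID, Pswd)
' If more than one row matches, the last row wins (same as before).
Do While Not rsQuery.EOF
    Session("UserID") = rsQuery.Fields("EmpID").Value
    Agency = rsQuery.Fields("Agency").Value
    SecLevel = rsQuery.Fields("SecLevel").Value
    Session("SecLevel") = SecLevel
    Lname = rsQuery.Fields("Lname").Value
    Fname = rsQuery.Fields("Fname").Value
    rsQuery.MoveNext
Loop
rsQuery.Close
Set rsQuery = Nothing

If Session("UserID") > 0 Then
    Session("FullName") = Fname & " " & Lname
    If Agency = "Y" Then
        ' Agency employees show only the last name
        Session("UserType") = 3
        Session("FullName") = Lname
    ElseIf SecLevel < 6 Then
        Session("UserType") = 3
    Else
        Session("UserType") = 1
    End If
Else
    ' ***************************************
    ' Select Client Login Information
    ' ***************************************
    SQL = "SELECT c.ClientID, c.SecLevel, r1.Fname, r1.Lname " & _
          "FROM Client c, Rdex r1 " & _
          "WHERE c.LoginID = ? " & _
          "AND c.Pswd = ? " & _
          "AND c.SecLevel > 1 " & _
          "AND c.clientID = r1.ID " & _
          "AND r1.Active = 'Y' "
    Set rsQuery = RunLoginQuery(SQL, UserID, Pswd)
    Do While Not rsQuery.EOF
        Session("UserID") = rsQuery.Fields("ClientID").Value
        Session("UserType") = 2
        SecLevel = rsQuery.Fields("SecLevel").Value
        Session("SecLevel") = SecLevel
        Session("FullName") = rsQuery.Fields("Fname").Value
        rsQuery.MoveNext
    Loop
    rsQuery.Close
    Set rsQuery = Nothing
End If

' ***************************************
' Select Collector Login Information
' ***************************************
If Session("UserID") = 0 Then
    ' A collector logs in as its master (client) record; the collector's own
    ' ID is kept separately in Session("CollectorID").
    SQL = "SELECT c.CollectorID, c.SecLevel, r2.ID as clientID, r1.Fname, r1.Lname " & _
          "FROM Collector c, Rdex r1, Rdex r2 " & _
          "WHERE c.LoginID = ? " & _
          "AND c.Pswd = ? " & _
          "AND c.SecLevel > 1 " & _
          "AND c.CollectorID = r1.ID " & _
          "AND r1.Active = 'Y' " & _
          "AND r2.ID = r1.masterID "
    Set rsQuery = RunLoginQuery(SQL, UserID, Pswd)
    Do While Not rsQuery.EOF
        Session("UserID") = rsQuery.Fields("ClientID").Value
        Session("CollectorID") = rsQuery.Fields("CollectorID").Value
        Session("UserType") = 2
        SecLevel = rsQuery.Fields("SecLevel").Value
        Session("SecLevel") = SecLevel
        Session("FullName") = rsQuery.Fields("Fname").Value & " " & rsQuery.Fields("Lname").Value
        rsQuery.MoveNext
    Loop
    rsQuery.Close
    Set rsQuery = Nothing
End If

Conn.Close
Set Conn = Nothing

' ***************************************
' Send Reply
' ***************************************
' NOTE(review): the session id is not renewed on successful login; classic ASP
' has no regenerate call, so any fixation countermeasure has to live in the
' surrounding application design.
If Session("UserID") = 0 Then
    Response.Redirect("ErrLogin.asp")
Else
    Response.Redirect("openinv.asp")
End If
%>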