User Level Access Problems

[Eric8000]

Please review the code below and let me know if anything looks out of place. I
am using an Access table for the data.

Thanks!

<%@LANGUAGE="VBSCRIPT"%>
<!--#include file="../Connections/peer.asp" -->
<%
' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" +
Server.HTMLEncode(Request.QueryString)
MM_valUsername=CStr(Request.Form("txtUsername"))
If MM_valUsername <> "" Then
MM_fldUserAuthorization="UserAccessLevel"
MM_redirectLoginSuccess="welcome.asp"
MM_redirectLoginFailed="login.asp?Action=Failed"
MM_flag="ADODB.Recordset"
set MM_rsUser = Server.CreateObject(MM_flag)
MM_rsUser.ActiveConnection = MM_peer_STRING
MM_rsUser.Source = "SELECT UserName, UserPassword"
If MM_fldUserAuthorization <> "" Then MM_rsUser.Source = MM_rsUser.Source &
"," & MM_fldUserAuthorization
MM_rsUser.Source = MM_rsUser.Source & " FROM website_users WHERE UserName='"
& Replace(MM_valUsername,"'","''") &"' AND UserPassword='" &
Replace(Request.Form("txtUserPassword"),"'","''") & "'"
MM_rsUser.CursorType = 0
MM_rsUser.CursorLocation = 2
MM_rsUser.LockType = 3
MM_rsUser.Open
If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
' username and password match - this is a valid user
Session("MM_Username") = MM_valUsername
If (MM_fldUserAuthorization <> "") Then
Session("MM_UserAuthorization") =
CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization ).Value)
Else
Session("MM_UserAuthorization") = ""
End If
' redirect user based on Access level
If Session("MM_UserAuthorization") = "1" Then
MM_redirectLoginSuccess = "jaiifull.asp"
ElseIf Session("MM_UserAuthorization") = "2" Then
MM_redirectLoginSuccess = "matchinggrants.asp"
ElseIf Session("MM_UserAuthorization") = "3" Then
MM_redirectLoginSuccess = "jaiifull.asp"
ElseIf Session("MM_UserAuthorization") = "4" Then
MM_redirectLoginSuccess = "WelcomeSvi.asp"
ElseIf Session("MM_UserAuthorization") = "5" Then
MM_redirectLoginSuccess = "WelcomeEric.asp"
Else
MM_redirectLoginSuccess = "?Action=Failed"
End If

if CStr(Request.QueryString("accessdenied")) <> "" And false Then
MM_redirectLoginSuccess = Request.QueryString("accessdenied")
End If
MM_rsUser.Close
Response.Redirect(MM_redirectLoginSuccess)
End If
MM_rsUser.Close
Response.Redirect(MM_redirectLoginFailed)
End If
%>