
Help needed with login SQL statement

Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: Classic ASP Discussion
Forum Description: Discussion on Active Server Pages (Classic ASP).
URL: https://forums.webwiz.net/forum_posts.asp?TID=3467
Printed Date: 29 March 2026 at 11:56pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Help needed with login SQL statement
Posted By: LeoV
Subject: Help needed with login SQL statement
Date Posted: 12 June 2003 at 4:26am
I do need some help with the following. I want users to log in. After this I want them to have direct access to their own details. But I do not know how to do this or what I am doing wrong.

I guess something is wrong in the SELECT..FROM...WHERE... statements, which I have marked in blue. But please, can anybody help me?

After login I have them directed to a check_user page to see if they exist. This is the check_user page:

<%
'Dimension variables
Dim adoCon           'Database Connection Variable
Dim strCon          'Holds the Database driver and the path and name of the database
Dim rsCheckUser      'Database Recordset Variable
Dim strAccessDB      'Holds the Access Database Name
Dim strSQL           'Database query string
Dim strUserName      'Holds the user name

'Initialise the strUserName variable
strUserName = Request.Form("txtUserName")

'Check the database to see if user exists and read in their password
'Initialise the strAccessDB variable with the name of the Access Database
strAccessDB = "db\Nah_Leden.mdb"

'Create a connection object
Set adoCon = Server.CreateObject("ADODB.Connection")
               
'Database connection info and driver
strCon = "DRIVER={Microsoft Access Driver (*.mdb)};uid=;pwd=; DBQ=" & Server.MapPath(strAccessDB)

'Set an active connection to the Connection object
adoCon.Open strCon

'Create a recordset object
Set rsCheckUser = Server.CreateObject("ADODB.Recordset")

'Initialise the strSQL variable with an SQL statement to query the database
strSQL = "SELECT tblNah_Leden.Password FROM tblNah_Leden WHERE tblNah_Leden.UserID ='" & strUserName & "'"

'Query the database
rsCheckUser.Open strSQL, strCon

'If the recordset finds a record for the username entered then read in the password for the user
If NOT rsCheckUser.EOF Then
     
     'Read in the password for the user from the database
     If (Request.Form("txtUserPass")) = rsCheckUser("Password") Then
          
          'If the password is correct then set the session variable to True
          Session("blnIsUserGood") = True
          
          'Close Objects before redirecting
          Set adoCon = Nothing
          Set strCon = Nothing
          Set rsCheckUser = Nothing
          
          'Redirect to the authorised user page and send the users name
          Response.Redirect"Select_Eigen_gegevens.asp?name=" & strUserName

     End If
End If
          
'Close Objects
Set adoCon = Nothing
Set strCon = Nothing
Set rsCheckUser = Nothing
     
'If the script is still running then the user must not be authorised
Session("blnIsUserGood") = False
'Redirect to the unauthorised user page
Response.Redirect"unauthorised_user_page.asp"
%>


So if they exist I have them directed to the Select_Eigen_gegevens.asp page. On this page I want them to have direct access to their own records.

This is a part of the Select_Eigen_gegevens.asp page:


<%@LANGUAGE="VBSCRIPT"%>

<%
' # Open the database to get Column names for the drop down list #####
set Rsemaa = Server.CreateObject("ADODB.Recordset")
Rsemaa.ActiveConnection = "DRIVER={Microsoft Access Driver (*.mdb)};uid=;pwd=;DBQ="& server.MapPath("db/Nah_Leden.mdb")
if request("id") <> "" then
     Dim SQLstring
     SQLstring = "select * from tblNah_Leden where AdresId=" & request("id")
'     response.write SQLstring
     Rsemaa.Source = SQLstring
     Rsemaa.CursorType = 0
     Rsemaa.CursorLocation = 2
     Rsemaa.LockType = 3
     Rsemaa.Open()
end if
'### If the search has been submitted create the SQL string and open another DB connection for the search

     set RsSearch = Server.CreateObject("ADODB.Recordset")
     RsSearch.ActiveConnection = "DRIVER={Microsoft Access Driver (*.mdb)};uid=;pwd=;DBQ="& server.MapPath("db/Nah_Leden.mdb")
     RsSearch.Source = SQLstring
     RsSearch.CursorType = 0
     RsSearch.CursorLocation = 2
     RsSearch.LockType = 3
     RsSearch.Open()

%>

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>


<%
'Dimension Variables
Dim strUserName     'Holds the name of the user

'Get the users name passed from the previous page
strUserName = Request.QueryString("name")
%>

            <!-- ###### Body Text ###### -->

Further HTML
<%
'#### Close it off ######
RsSearch.Close()
Set RsSearch = nothing
End if %>
</form>




Replies:
Posted By: stephen
Date Posted: 12 June 2003 at 8:30am

SQLstring = "select * from tblNah_Leden where AdresId=" & request("id")&""

is the correct syntax



Posted By: ljamal
Date Posted: 12 June 2003 at 8:35am
You are requesting "ID" from the querystring but only "name" is passed.

Additionally, I would suggest checking the request value before inserting it into a SQL statement because currently you leave yourself open to a SQL Injection attack. Search the web for more information on SQL Injection attacks.

-------------
L. Jamal Walton

http://www.ljamal.com/ - L. Jamal Inc : Web/ Print Design and ASP Programming
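
One way to act on both points in the reply above, as an added example that is not code from the thread: the login page binds the user name as an ADO parameter and stores the member's AdresId in the session, and the details page reads that key from the session instead of from the query string. It assumes UserID is a text column of at most 50 characters and AdresId is a non-null numeric key in tblNah_Leden; the session key lngAdresId is a hypothetical name.

```vbscript
<%
' ---- check_user.asp (added example, not the poster's code) ----
Const adCmdText = 1, adParamInput = 1, adVarChar = 200, adInteger = 3
Dim adoCon, cmd, rs
Set adoCon = Server.CreateObject("ADODB.Connection")
adoCon.Open "DRIVER={Microsoft Access Driver (*.mdb)};DBQ=" & Server.MapPath("db\Nah_Leden.mdb")
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = adoCon
cmd.CommandType = adCmdText
' The ? is a placeholder: the value travels as data and is never spliced into the SQL text
cmd.CommandText = "SELECT AdresId, [Password] FROM tblNah_Leden WHERE UserID = ?"
cmd.Parameters.Append cmd.CreateParameter("UserID", adVarChar, adParamInput, 50, _
    Left(Request.Form("txtUserName"), 50))
Set rs = cmd.Execute

Session("blnIsUserGood") = False
If Not rs.EOF Then
    If CStr(Request.Form("txtUserPass")) = rs("Password").Value Then
        Session("blnIsUserGood") = True
        ' Remember which row belongs to this user (hypothetical session key)
        Session("lngAdresId") = CLng(rs("AdresId"))
    End If
End If
rs.Close : adoCon.Close
If Session("blnIsUserGood") Then
    Response.Redirect "Select_Eigen_gegevens.asp"
Else
    Response.Redirect "unauthorised_user_page.asp"
End If
%>

<%
' ---- Select_Eigen_gegevens.asp (added example) ----
Const adCmdText = 1, adParamInput = 1, adInteger = 3
If Session("blnIsUserGood") <> True Then Response.Redirect "unauthorised_user_page.asp"
Dim adoCon, cmd, RsSearch
Set adoCon = Server.CreateObject("ADODB.Connection")
adoCon.Open "DRIVER={Microsoft Access Driver (*.mdb)};DBQ=" & Server.MapPath("db/Nah_Leden.mdb")
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = adoCon
cmd.CommandType = adCmdText
' The record key comes from the server-side session, not from request("id") or ?name=
cmd.CommandText = "SELECT * FROM tblNah_Leden WHERE AdresId = ?"
cmd.Parameters.Append cmd.CreateParameter("AdresId", adInteger, adParamInput, , Session("lngAdresId"))
Set RsSearch = cmd.Execute
%>
```

Because the details page no longer reads id or name from the request, a logged-in user can only load the row bound to their own session.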


