ATTN: Bob Barrows

Discussion in 'ASP General' started by David Shorthouse, Jun 13, 2005.

  1. Bob,

    Thanks for providing some URLs in a reply to one of my earlier posts.
    Not only have you helped me fix up my site to prevent vbscript injections,
    you have shown me how to get a performance boost. I have a question for you
    and was wondering if you might be able to help once again. I have almost
    completely converted my asp into parameterized requests, but I have one last
    problem and that is a "create account" page that checks the Access db for an
    existing email address or username, both of which are primary keys in the
    db. The code I have tried to use is the following. The code fails at the
    email or username check when I try to input an email address or username
    that would be a duplicate in the db and always gets through to the create
    account append query. Of course, the page throws up an error about there
    being duplicate records having the same primary key. The query in the db is
    working as expected with its p5 OR p6 parameter requests.

    Any ideas?

    Dim p1, p2, p3, p4, p5, p6

    p1 = Request.Form("GivenName")
    p2 = Request.Form("SurName")
    p3 = Request.Form("PWD")
    p4 = Request.Form("PWD2")
    p5 = Request.Form("Email")
    p6 = Request.Form("UID")

    If LenB(Request.Form("btnAdd")) <> 0 Then

    If p3 = p4 Then

    Dim DataConnection, RecordSet, strError1, strError2, strError3

    Set DataConnection = Server.CreateObject("ADODB.Connection")
    DataConnection.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & DatabasePath & ";"

    Set RecordSet = Server.CreateObject("ADODB.Recordset")
    DataConnection.CheckAccount p5, p6, RecordSet

    If Not RecordSet.EOF Then
    If RecordSet.Fields("Email") = p5 Then
    strError1 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, this Email address is taken.</B></FONT>"
    Else
    strError2 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, this Username is taken.</B></FONT>"
    End if
    RecordSet.Close
    Set RecordSet=Nothing
    DataConnection.Close
    Set DataConnection=Nothing
    Else
    RecordSet.Close
    Set RecordSet = Nothing
    DataConnection.CreateAccount p1, p2, p3, p5, p6
    Session("ID") = p6
    DataConnection.Close
    Set DataConnection = Nothing
    Response.Redirect "createprofile.asp"
    Response.End
    End if
    Else
    strError3 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, your passwords didn't match.</B></FONT>"
    End If

    End if

    --
    ______________________________
    Remove "_SPAM" to reply directly.
    David Shorthouse, Jun 13, 2005
    #1

  2. Re: Bob Barrows

    A better subject line would have been "Problem with If logic". You really
    don't want to discourage answers from other participants, do you?


    Recommendations:
    1. Better indenting so you can see where your if...else...endif blocks begin
    and end
    2. Use Response.Write to see what is happening.
    3. I see no action being taken in the event of error 1 or 2, but that could
    be because I can't follow your logic due to the lack of proper indenting.

    Bob Barrows
    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.
    Bob Barrows [MVP], Jun 13, 2005
    #2

  3. Re: Bob Barrows

    Bob (et al.),

    Sorry about the indenting, it was a straight copy and paste and all the
    indenting was lost. You sure the indenting would appear in text ng's? Nor
    did I include any of the Response.Write headings because I thought what I
    included might have been sufficient. I'll try again here:

    <%
    Dim p1, p2, p3, p4, p5, p6

    p1 = Request.Form("GivenName")
    p2 = Request.Form("SurName")
    p3 = Request.Form("PWD")
    p4 = Request.Form("PWD2")
    p5 = Request.Form("Email")
    p6 = Request.Form("UID")

    If LenB(Request.Form("btnAdd")) <> 0 Then

        If p3 = p4 Then
            Dim DataConnection, RecordSet, strError1, strError2, strError3
            Set DataConnection = Server.CreateObject("ADODB.Connection")
            DataConnection.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & DatabasePath & ";"
            Set RecordSet = Server.CreateObject("ADODB.Recordset")
            DataConnection.CheckAccount p5, p6, RecordSet

            If Not RecordSet.EOF Then
                If RecordSet.Fields("Email") = p5 Then
                    strError1 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, this Email address is taken.</B></FONT>"
                Else
                    strError2 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, this Username is taken.</B></FONT>"
                End If
                RecordSet.Close
                Set RecordSet = Nothing
                DataConnection.Close
                Set DataConnection = Nothing
            Else
                RecordSet.Close
                Set RecordSet = Nothing
                DataConnection.CreateAccount p1, p2, p3, p5, p6
                Session("ID") = p6
                DataConnection.Close
                Set DataConnection = Nothing
                Response.Redirect "createprofile.asp"
                Response.End
            End If
        Else
            strError3 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, your passwords didn't match.</B></FONT>"
        End If
    End If
    %>

    <%
    Response.Write (strError1)
    Response.Write (strError2)
    Response.Write (strError3)
    %>

    With Text form boxes named GivenName, SurName, PWD, PWD2, Email, UID where
    PWD2 doesn't have a field in the db and is merely a check for the client.

    Thanks,

    Dave

    David Shorthouse, Jun 13, 2005
    #3
  4. Re: Bob Barrows

    Do the response.writes provide any clues? For debugging purposes, you should
    do some writing to response before attempting to do the CreateAccount. In
    fact, comment out that statement until you can figure out what's going on.
    From what I can see, the only way the CreateAccount statement should run is
    if the recordset is empty. Have you verified that it is in fact empty?


    Bob Barrows [MVP], Jun 13, 2005
    #4
  5. Re: Bob Barrows

    Bob,

    Hmm. I just commented out the CreateAccount section of the script and
    don't get the response.write statements to suggest the UID or Email are
    already in the db. Doesn't make any sense. When I run the query within
    access and use the same values for the parameters, I get the list of records
    as I should have within the asp script. I double-checked where I put the
    "p5" and "p6" parameter tags in the select query and they match how I
    designated them in the asp.

    Dave

    David Shorthouse, Jun 13, 2005
    #5
  6. Re: Bob Barrows

    Fixed it. Sorry for the hassle. Seems it's important to put the [p5] OR [p6]
    criteria for the respective fields in the correct arrangement if on the asp
    there is an "If RecordSet("Email") = p5". That [p5] cannot be in the OR
    criteria row in the db.

    Dave

    David Shorthouse, Jun 13, 2005
    #6
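
Added example, not code from the thread: the Jet OLE DB provider binds query parameters by position rather than by name, in the order of the query's PARAMETERS clause or, without one, the order in which they first appear in its SQL, so the sketch below appends the parameters for the thread's CheckAccount query in a declared order and reports which value collided. The function name FindAccountConflicts, the table name Accounts and the PARAMETERS declaration shown in the comment are assumptions.

```vbscript
<%
' Added example. Assumes the saved Access query CheckAccount is defined as
' (table name Accounts is hypothetical):
'   PARAMETERS [p5] Text(255), [p6] Text(255);
'   SELECT Email, UID FROM Accounts WHERE Email = [p5] OR UID = [p6];
' Jet binds by position, so the Append order below must match that declaration.
Const adCmdStoredProc = 4
Const adVarWChar = 202
Const adParamInput = 1

Function FindAccountConflicts(conn, email, uid)
    ' Returns "" when neither value exists, otherwise "email", "uid" or "email,uid".
    Dim cmd, rs, hits
    hits = ""
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "CheckAccount"
    cmd.CommandType = adCmdStoredProc
    cmd.Parameters.Append cmd.CreateParameter("p5", adVarWChar, adParamInput, 255, email)
    cmd.Parameters.Append cmd.CreateParameter("p6", adVarWChar, adParamInput, 255, uid)
    Set rs = cmd.Execute

    ' The OR can match two different rows (one by email, one by username),
    ' so walk the whole recordset instead of reading only the first row.
    Do Until rs.EOF
        ' Jet compares text case-insensitively; use vbTextCompare so the
        ' VBScript side agrees with what the query matched.
        If StrComp(rs.Fields("Email").Value, email, vbTextCompare) = 0 _
           And InStr(hits, "email") = 0 Then hits = hits & ",email"
        If StrComp(rs.Fields("UID").Value, uid, vbTextCompare) = 0 _
           And InStr(hits, "uid") = 0 Then hits = hits & ",uid"
        rs.MoveNext
    Loop
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
    FindAccountConflicts = Mid(hits, 2)
End Function
%>
```

The primary keys on Email and UID remain the authoritative uniqueness check; this lookup only decides which message to show before the insert is attempted.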