Submitting a form that checks entered data is not in an exclusion list

Discussion in 'ASP General' started by mphillips, Mar 7, 2006.

  1. mphillips

    mphillips Guest

    I have an ASP form that users enter a number into. The form then posts
    the number with a hidden login and password to a web address which
    opens in a new window. However, I want to make sure that the number they
    enter is not one of the numbers I have in an Access database table that
    contains a list of numbers they are not allowed to enter. How can I do
    mphillips, Mar 7, 2006

  2. mphillips

    Mike Brind Guest

    set rs = conn.execute("SELECT restrictedNumber FROM table WHERE restrictedNumber = " & Request.Form("inputNumber"))
    if not rs.eof then
    'user can't proceed because there is a match
    'user can
    end if
    Mike Brind, Mar 7, 2006

  3. This is the correct solution, as far as it goes. However, don't forget your
    server-side validation. This technique is susceptible to SQL injection.

    Far better is to:

    1. validate user inputs in server-side code (e.g., make sure numbers contain
    only numbers)
    2. use parameters instead of dynamic sql.

    Better yet, use saved parameter queries:
    Bob Barrows [MVP], Mar 7, 2006
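
The two points in the reply above (validate server-side, then bind the value as a parameter), applied to the query from the earlier post. This is an added example, not code from the thread. It assumes `conn` is an already-open ADODB.Connection and `restrictedNumber` is a Long Integer column; the helper names and the 9-digit limit are assumptions.

```vbscript
<%
' Added example, not code from the thread.
' Assumes conn is an open ADODB.Connection and restrictedNumber is a Long Integer column.
Const adInteger = 3       ' ADO DataTypeEnum
Const adParamInput = 1    ' ADO ParameterDirectionEnum
Const adCmdText = 1       ' ADO CommandTypeEnum

' Server-side validation: True only for 1 to 9 ASCII digits.
' The 9-digit limit is an assumption; it keeps CLng below the Long maximum.
Function IsPlainNumber(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    IsPlainNumber = re.Test(s)
End Function

' Parameterized lookup: the value is bound to the ? marker and never
' concatenated into the SQL text, so it cannot change the statement.
Function IsRestricted(conn, n)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' [table] is the placeholder name from the post, bracketed to avoid keyword clashes.
    cmd.CommandText = "SELECT restrictedNumber FROM [table] WHERE restrictedNumber = ?"
    cmd.Parameters.Append cmd.CreateParameter("num", adInteger, adParamInput, , n)
    Set rs = cmd.Execute
    IsRestricted = Not rs.EOF
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

Dim raw
raw = Trim(Request.Form("inputNumber"))

If Not IsPlainNumber(raw) Then
    ' Rejected before any database work: letters, quotes, spaces, signs, empty input.
    Response.Write "Please enter digits only."
ElseIf IsRestricted(conn, CLng(raw)) Then
    Response.Write "That number is not allowed."
Else
    ' Number is well-formed and not in the exclusion list; continue here.
End If
%>
```

Either control alone closes the injection path in the concatenated query; using both means a malformed value is rejected early and a well-formed one still reaches the database only as typed data.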
  4. mphillips

    mphillips Guest

    Thanks for your help I will give it a go and see if I can get it to

    mphillips, Mar 8, 2006
