Submitting a form that checks entyered data is not in an exclusion list

[mphillips]

I have an ASP form that users enter a number into. The form then posts
the number with a hidden login and password to a web address which
opens in a new window. However, I want make sure that the number they
enter is not one of the numbers I have in an Access database table that
contains a list of numbers they are not allowed to enter. How can I do
this?

 

[Mike Brind]

I have an ASP form that users enter a number into. The form then posts
the number with a hidden login and password to a web address which
opens in a new window. However, I want make sure that the number they
enter is not one of the numbers I have in an Access database table that
contains a list of numbers they are not allowed to enter. How can I do
this?

set rs = conn.execute("SELECT restrictedNumber FROM table WHERE
restrictedNumber = " & Request.Form("inputNumber"))
if not rs.eof then
'user can't proceed because there is a match
else
'user can
end if

 

[Bob Barrows [MVP]]

set rs = conn.execute("SELECT restrictedNumber FROM table WHERE
restrictedNumber = " & Request.Form("inputNumber"))

This is the correct solution, as far as it goes. however, don't forget your
server-side validation. This technique is susceptible to sql injection.
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23

Far better is to:

1. validate user inputs in server-side code (e.g., make sure numbers contain
only numbers)
2. use parameters instead of dynamic sql.
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

Better yet, use saved parameter queries:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/b3d322b882a604bd

 

[mphillips]

Thanks for your help I will give it a go and see if I can get it to
work.

Mal