Velocity Reviews - Computer Hardware Reviews

ATTN: Bob Barrows

 
 
David Shorthouse
      06-13-2005
Bob,

Thanks for providing some URLs in a reply to one of my earlier posts.
Not only have you helped me fix up my site to prevent vbscript injections,
you have shown me how to get a performance boost. I have a question for you
and was wondering if you might be able to help once again. I have almost
completely converted my asp into parameterized requests, but I have one last
problem and that is a "create account" page that checks the Access db for an
existing email address or username, both of which are primary keys in the
db. The code I have tried to use is the following. The code fails at the
email or username check when I try to input an email address or username
that would be a duplicate in the db and always gets through to the create
account append query. Of course, the page throws up an error about there
being duplicate records having the same primary key. The query in the db is
working as expected with its p5 OR p6 parameter requests.

Any ideas?

Dim p1, p2, p3, p4, p5, p6

p1 = Request.Form("GivenName")
p2 = Request.Form("SurName")
p3 = Request.Form("PWD")
p4 = Request.Form("PWD2")
p5 = Request.Form("Email")
p6 = Request.Form("UID")

If LenB(Request.Form("btnAdd")) <> 0 Then

If p3 = p4 Then

Dim DataConnection, RecordSet, strError1, strError2, strError3

Set DataConnection = Server.CreateObject("ADODB.Connection")
DataConnection.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & DatabasePath & ";"

Set RecordSet = Server.CreateObject("ADODB.Recordset")
DataConnection.CheckAccount p5, p6, RecordSet

If Not RecordSet.EOF Then
If RecordSet.Fields("Email") = p5 Then
strError1 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, this Email address is taken.</B></FONT>"
Else
strError2 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, this Username is taken.</B></FONT>"
End if
RecordSet.Close
Set RecordSet=Nothing
DataConnection.Close
Set DataConnection=Nothing
Else
RecordSet.Close
Set RecordSet = Nothing
DataConnection.CreateAccount p1, p2, p3, p5, p6
Session("ID") = p6
DataConnection.Close
Set DataConnection = Nothing
Response.Redirect "createprofile.asp"
Response.End
End if
Else
strError3 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, your passwords didn't match.</B></FONT>"
End If

End if

--
______________________________
Remove "_SPAM" to reply directly.


 
Bob Barrows [MVP]
      06-13-2005
A better subject line would have been "Problem with If logic". You really
don't want to discourage answers from other participants, do you?

David Shorthouse wrote:
> Bob,
>
> Thanks for providing some URLs in a reply to one of my earlier
> posts. Not only have you helped me fix up my site to prevent vbscript
> injections, you have shown me how to get a performance boost. I have
> a question for you and was wondering if you might be able to help
> once again. I have almost completely converted my asp into
> parameterized requests, but I have one last problem and that is a
> "create account" page that checks the Access db for an existing email
> address or username, both of which are primary keys in the db. The
> code I have tried to use is the following. The code fails at the
> email or username check when I try to input an email address or
> username that would be a duplicate in the db and always gets through
> to the create account append query. Of course, the page throws up an
> error about there being duplicate records having the same primary
> key. The query in the db is working as expected with its p5 OR p6
> parameter requests.
>
> Any ideas?
>
> Dim p1, p2, p3, p4, p5, p6
>
> p1 = Request.Form("GivenName")
> p2 = Request.Form("SurName")
> p3 = Request.Form("PWD")
> p4 = Request.Form("PWD2")
> p5 = Request.Form("Email")
> p6 = Request.Form("UID")
>
> If LenB(Request.Form("btnAdd")) <> 0 Then
>
> If p3 = p4 Then
>
> Dim DataConnection, RecordSet, strError1, strError2, strError3
>
> Set DataConnection = Server.CreateObject("ADODB.Connection")
> DataConnection.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & DatabasePath & ";"
>
> Set RecordSet = Server.CreateObject("ADODB.Recordset")
> DataConnection.CheckAccount p5, p6, RecordSet
>
> If Not RecordSet.EOF Then
> If RecordSet.Fields("Email") = p5 Then
> strError1 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, this Email address is taken.</B></FONT>"
> Else
> strError2 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, this Username is taken.</B></FONT>"
> End if
> RecordSet.Close
> Set RecordSet=Nothing
> DataConnection.Close
> Set DataConnection=Nothing
> Else
> RecordSet.Close
> Set RecordSet = Nothing
> DataConnection.CreateAccount p1, p2, p3, p5, p6
> Session("ID") = p6
> DataConnection.Close
> Set DataConnection = Nothing
> Response.Redirect "createprofile.asp"
> Response.End
> End if
> Else
> strError3 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, your passwords didn't match.</B></FONT>"
> End If
>
> End if
>

Recommendations:
1. Better indenting so you can see where your if...else...endif blocks begin
and end
2. Use Response.Write to see what is happening.
3. I see no action being taken in the event of error 1 or 2, but that could
be because I can't follow your logic due to the lack of proper indenting.

Bob Barrows
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.


 
David Shorthouse
      06-13-2005
Bob (et al.),

Sorry about the indenting, it was a straight copy and paste and all the
indenting was lost. You sure the indenting would appear in text ng's? Nor
did I include any of the Response.Write headings because I thought what I
included might have been sufficient. I'll try again here:

<%
Dim p1, p2, p3, p4, p5, p6

p1 = Request.Form("GivenName")
p2 = Request.Form("SurName")
p3 = Request.Form("PWD")
p4 = Request.Form("PWD2")
p5 = Request.Form("Email")
p6 = Request.Form("UID")

If LenB(Request.Form("btnAdd")) <> 0 Then

    If p3 = p4 Then
        Dim DataConnection, RecordSet, strError1, strError2, strError3
        Set DataConnection = Server.CreateObject("ADODB.Connection")
        DataConnection.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & DatabasePath & ";"
        Set RecordSet = Server.CreateObject("ADODB.Recordset")
        ' Saved query in the db that looks for an existing Email or UID
        DataConnection.CheckAccount p5, p6, RecordSet

        If Not RecordSet.EOF Then
            ' A row came back: the Email or the UID is already in use
            If RecordSet.Fields("Email") = p5 Then
                strError1 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, this Email address is taken.</B></FONT>"
            Else
                strError2 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, this Username is taken.</B></FONT>"
            End If
            RecordSet.Close
            Set RecordSet = Nothing
            DataConnection.Close
            Set DataConnection = Nothing
        Else
            ' No row came back: run the create account append query
            RecordSet.Close
            Set RecordSet = Nothing
            DataConnection.CreateAccount p1, p2, p3, p5, p6
            Session("ID") = p6
            DataConnection.Close
            Set DataConnection = Nothing
            Response.Redirect "createprofile.asp"
            Response.End
        End If
    Else
        strError3 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, your passwords didn't match.</B></FONT>"
    End If
End If
%>

<%
Response.Write (strError1)
Response.Write (strError2)
Response.Write (strError3)
%>

With Text form boxes named GivenName, SurName, PWD, PWD2, Email, UID where
PWD2 doesn't have a field in the db and is merely a check for the client.

Thanks,

Dave

> Recommendations:
> 1. Better indenting so you can see where your if...else...endif blocks
> begin
> and end
> 2. Use Response.Write to see what is happening.
> 3. I see no action being taken in the event of error 1 or 2, but that
> could
> be because I can't follow your logic due to the lack of proper indenting.
>
> Bob Barrows
> --
> Microsoft MVP -- ASP/ASP.NET
> Please reply to the newsgroup. The email account listed in my From
> header is my spam trap, so I don't check it very often. You will get a
> quicker response by posting to the newsgroup.
>
>



 
Bob Barrows [MVP]
      06-13-2005
Do the response.writes provide any clues? For debugging purposes, you should
do some writing to response before attempting to do the CreateAccount. In
fact, comment out that statement until you can figure out what's going on.
From what I can see, the only way the CreateAccount statement should run is
if the recordset is empty. Have you verified that it is in fact empty?


David Shorthouse wrote:
> Bob (et al.),
>
> Sorry about the indenting, it was a straight copy and paste and
> all the indenting was lost. You sure the indenting would appear in
> text ng's? Nor did I include any of the Response.Write headings
> because I thought what I included might have been sufficient. I'll
> try again here:
>
> <%
> Dim p1, p2, p3, p4, p5, p6
>
> p1 = Request.Form("GivenName")
> p2 = Request.Form("SurName")
> p3 = Request.Form("PWD")
> p4 = Request.Form("PWD2")
> p5 = Request.Form("Email")
> p6 = Request.Form("UID")
>
> If LenB(Request.Form("btnAdd")) <> 0 Then
>
> If p3 = p4 Then
> Dim DataConnection, RecordSet, strError1, strError2, strError3
> Set DataConnection = Server.CreateObject("ADODB.Connection")
> DataConnection.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & DatabasePath & ";"
> Set RecordSet = Server.CreateObject("ADODB.Recordset")
> DataConnection.CheckAccount p5, p6, RecordSet
>
> If Not RecordSet.EOF Then
> If RecordSet.Fields("Email") = p5 Then
> strError1 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, this Email address is taken.</B></FONT>"
> Else
> strError2 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, this Username is taken.</B></FONT>"
> End if
> RecordSet.Close
> Set RecordSet=Nothing
> DataConnection.Close
> Set DataConnection=Nothing
> Else
> RecordSet.Close
> Set RecordSet = Nothing
> DataConnection.CreateAccount p1, p2, p3, p5, p6
> Session("ID") = p6
> DataConnection.Close
> Set DataConnection = Nothing
> Response.Redirect "createprofile.asp"
> Response.End
> End if
> Else
> strError3 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, your passwords didn't match.</B></FONT>"
> End If
> End if
> %>
>
> <%
> Response.Write (strError1)
> Response.Write (strError2)
> Response.Write (strError3)
> %>
>
> With Text form boxes named GivenName, SurName, PWD, PWD2, Email, UID
> where PWD2 doesn't have a field in the db and is merely a check for
> the client.
>
> Thanks,
>
> Dave
>
>> Recommendations:
>> 1. Better indenting so you can see where your if...else...endif
>> blocks begin
>> and end
>> 2. Use Response.Write to see what is happening.
>> 3. I see no action being taken in the event of error 1 or 2, but that
>> could
>> be because I can't follow your logic due to the lack of proper
>> indenting.
>>
>> Bob Barrows
>> --
>> Microsoft MVP -- ASP/ASP.NET
>> Please reply to the newsgroup. The email account listed in my From
>> header is my spam trap, so I don't check it very often. You will get
>> a quicker response by posting to the newsgroup.


--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.


 
David Shorthouse
      06-13-2005
Bob,

Hmm. I just commented out the CreateAccount section of the script and
don't get the response.write statements to suggest the UID or Email are
already in the db. Doesn't make any sense. When I run the query within
access and use the same values for the parameters, I get the list of records
as I should have within the asp script. I double-checked where I put the
"p5" and "p6" parameter tags in the select query and they match how I
designated them in the asp.

Dave

--
______________________________
Remove "_SPAM" to reply directly.
"Bob Barrows [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Do the response.writes provide any clues? For debugging purposes, you
> should
> do some writing to response before attempting to do the CreateAccount. In
> fact, comment out that statement until you can figure out what's going on.
> From what I can see, the only way the CreateAccount statement should run
> is
> if the recordset is empty. Have you verified that it is in fact empty?
>
>
> David Shorthouse wrote:



 
David Shorthouse
      06-13-2005
Fixed it. Sorry for the hassle. Seems it's important to put the [p5] OR [p6]
criteria for the respective fields in the correct arrangement if on the asp
there is a "If RecordSet("Email") = p5". That [p5] cannot be in the OR
criteria row in the db.

Dave

--
______________________________
Remove "_SPAM" to reply directly.
"David Shorthouse" <davidshorthouse@shaw_SPAM.ca> wrote in message
news:eSjYz$(E-Mail Removed)...
> Bob,
>
> Hmm. I just commented out the CreateAccount section of the script and
> don't get the response.write statements to suggest the UID or Email are
> already in the db. Doesn't make any sense. When I run the query within
> access and use the same values for the parameters, I get the list of
> records as I should have within the asp script. I double-checked where I
> put the "p5" and "p6" parameter tags in the select query and they match
> how I designated them in the asp.
>
> Dave
>
> --
> ______________________________
> Remove "_SPAM" to reply directly.
> "Bob Barrows [MVP]" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Do the response.writes provide any clues? For debugging purposes, you
>> should
>> do some writing to response before attempting to do the CreateAccount. In
>> fact, comment out that statement until you can figure out what's going
>> on.
>> From what I can see, the only way the CreateAccount statement should run
>> is
>> if the recordset is empty. Have you verified that it is in fact empty?
>>
>>
>> David Shorthouse wrote:

>
>
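
A likely reading of the fix reported in the last post, shown as an added example that is not code from the thread: the Jet provider binds query parameters by position, so the order in which the markers appear in the query text decides which ASP argument each one receives. The table name Accounts, the column name UID and the function name FindDuplicate are assumptions, and conn is an already open ADODB.Connection.

```vbscript
<%
' Added example, not the poster's code. Assumed names: table Accounts with
' text columns Email and UID; conn is an open ADODB.Connection to the Jet db.
Const adVarWChar = 202, adParamInput = 1, adCmdText = 1

' Returns "" when both values are free, otherwise "Email" or "UID".
Function FindDuplicate(conn, email, uid)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT [Email], [UID] FROM [Accounts] " & _
                      "WHERE [Email] = ? OR [UID] = ?"
    ' Jet binds by position: the first parameter appended fills the first
    ' marker, whatever name it is given here. Appending these two in the
    ' other order would compare Email against the uid value and return nothing.
    cmd.Parameters.Append cmd.CreateParameter("pEmail", adVarWChar, adParamInput, 255, email)
    cmd.Parameters.Append cmd.CreateParameter("pUID", adVarWChar, adParamInput, 255, uid)
    Set rs = cmd.Execute

    FindDuplicate = ""
    ' OR can return two rows (one per colliding value), so scan them all.
    Do While Not rs.EOF
        ' Jet matches text case-insensitively; VBScript "=" does not, so
        ' compare with vbTextCompare to report the right field.
        If StrComp(rs.Fields("Email").Value, email, vbTextCompare) = 0 Then
            FindDuplicate = "Email"
            Exit Do
        End If
        FindDuplicate = "UID"
        rs.MoveNext
    Loop

    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function
%>
```

Two requests can both pass this check before either inserts, so the primary keys on the table remain the real guard and the append query's duplicate-key error still needs handling.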



 