«

An ASP application retrieves records from a SQL Server database. In the
first page of the application, the user has to enter a password & the
columns retrieved from the DB table depends upon the password. For e.g.
if the password entered is say, pwd1, then that user should be
displayed the records of Column1 & Column2 only. If the password
entered is say, pwd2, then that user should be displayed the records of
Column1 & Column3 only. If the password entered is say, pwd3, then that
user should be displayed the records of Column1 & Column4 only.

Now after the records are displayed, the user should also be given the
option of sorting the records. I am implementing this by making the
column header a hyperlink which has the column name & the sort order as
the querystrings, something like this (the records are being displayed
in a tabular format):

----------------------------------------
<%
Dim strColName,strSortOrder,strPwd
strColName=Request.QueryString("colname")
strSortOrder=Request.QueryString("sortorder")
strPwd=Request.Form("pwd")

'assume that the user is displayed the records of Column1 &
'Column2. When the user comes to this page for the first time
'after entering his password in the previous page, both
'strColName & strSortOrder are empty strings.

Dim strSQL

If(strColName="col1" Or strColName="") Then
If(strSortOrder="" Or strSortOrder="asc") Then
If(strPwd="pwd1") Then 'columns retrieved depends on the
'password
strSQL="SELECT Col1,Col2 FROM tblSheet ORDER BY Col1 ASC"
ElseIf(strPwd="pwd2") Then
strSQL="SELECT Col1,Col3 FROM tblSheet ORDER BY Col1 ASC"
ElseIf(strPwd="pwd3") Then
strSQL="SELECT Col1,Col4 FROM tblSheet ORDER BY Col1 ASC"
End If
ElseIf(strSortOrder="desc") Then
'the same code in the If condition will come here, the
'only difference being using DESC in the ORDER BY clause.
End If
End If

'Column1 is common for both pwd1 & pwd2, thus using Or in the
'next If statement
If(strPwd="pwd1" Or strPwd="pwd2") Then
If(strColName="col1" Or strColName="") Then
If(strSortOrder="" Or strSortOrder="asc") Then
%>
<a href="Records.asp?colname=col1&sortorder=asc">Colu mn 1</a>
<%
Else
%>
<a href="Records.asp?colname=col1&sortorder=desc">Col umn 1</a>
<%
End If
End If
%>
----------------------------------------

As seen in the above code, I am passing the column name & the sort
order through the column header (which is a link) as querystrings. This
correctly sorts the columns & serves my purpose.

But the problem is since the columns displayed depends on the password
entered by the user, when it comes to sorting the records, even the
password has to be passed somehow along with the column name & the sort
order. Of course, the password can be passed as a querystring along
with the column name & the sort order but that's definitely not a wise
idea. So how do I pass the password when the user clicks one of the
column headers to sort the records?

One way of carrying the password forward is by encrypting the password
& then sending it through the querystring along with the column name &
the sort order but I would like to avoid such a solution. This solution
will be my last option.

Please keep in mind that the columns displayed to a user depends upon
the password; so the password has to be sent somehow along with the
column name & the sort order (column name & the sort order are being
passed through the querystring). For e.g. if the password entered is
pwd1, then the user sees the records of only Column1 & Column2. Next he
clicks the column header 'Column 1' (which is a hyperlink with the
column name & the sort order as the querystrings) to sort the records
based on Column 1. When the link is clicked, pwd1 also has to be
carried forward so that this user is displayed the records of Column1 &
Column2 only & not the records of the other columns.

Thanks,

Arpan

"Arpan" <> wrote in message
news: oups.com...
[snip]
> So how do I pass the password when the user clicks one of the
> column headers to sort the records?
[snip]

Store the password as a session variable.

Thanks, Chris, for your response. Actually it's my fault only that I
forgot to add that I would like to avoid using Session variables as
well. Any other suggestion?

Thanks once again,

Regards,

Arpan

"Arpan" <> wrote in message
news: ups.com...
> Thanks, Chris, for your response. Actually it's my fault only that I
> forgot to add that I would like to avoid using Session variables as
> well. Any other suggestion?

Pass the column list instead of the password.

Thanks once again, Chris, for your suggestion. Well, I guess using
Session variables looks to be the most feasible option. The last
suggestion you have given isn't a bad idea but I believe that might
lengthen the code a bit too much.

Anyways thanks a lot for your co-operation

BTW, Chris, from whatever little code I have provided in this post, do
you think my approach is correct or would you suggest a better way of
tackling this issue?

Thanks once again,

Regards,

Arpan

"Arpan" <> wrote in message
news: oups.com...
[snip]
> BTW, Chris, from whatever little code I have provided in this post, do
> you think my approach is correct or would you suggest a better way of
> tackling this issue?

Don't use dynamic sql. Instead, this logic could be encapsulated into a
stored procedure/parameterized query.