ATTN: Bob Barrows

[David Shorthouse]

Bob,

Thanks for providing some URLs in a reply to one of my earlier posts.
Not only have you helped me fix up my site to prevent vbscript injections,
you have shown me how to get a performance boost. I have a question for you
and was wondering if you might be able to help once again. I have almost
completely converted my asp into parameterized requests, but I have one last
problem and that is a "create account" page that checks the Access db for an
existing email address or username, both of which are primary keys in the
db. The code I have tried to use is the following. The code fails at the
email or username check when I try to input an email address or username
that would be a duplicate in the db and always gets through to the create
account append query. Of course, the page throws up an error about there
being duplicate records having the same primary key. The query in the db is
working as expected with its p5 OR p6 parameter requests.

Any ideas?

Dim p1, p2, p3, p4, p5, p6

p1 = Request.Form("GivenName")
p2 = Request.Form("SurName")
p3 = Request.Form("PWD")
p4 = Request.Form("PWD2")
p5 = Request.Form("Email")
p6 = Request.Form("UID")

If LenB(Request.Form("btnAdd")) <> 0 Then

If p3 = p4 Then

Dim DataConnection, RecordSet, strError1, strError2, strError3

Set DataConnection = Server.CreateObject("ADODB.Connection")
DataConnection.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" &
DatabasePath & ";"

Set RecordSet = Server.CreateObject("ADODB.Recordset")
DataConnection.CheckAccount p5, p6, RecordSet

If Not RecordSet.EOF Then
If RecordSet.Fields("Email") = p5 Then
strError1 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, this Email address
is taken.</B></FONT>"
Else
strError2 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, this Username is
taken.</B></FONT>"
End if
RecordSet.Close
Set RecordSet=Nothing
DataConnection.Close
Set DataConnection=Nothing
Else
RecordSet.Close
Set RecordSet = Nothing
DataConnection.CreateAccount p1, p2, p3, p5, p6
Session("ID") = p6
DataConnection.Close
Set DataConnection = Nothing
Response.Redirect "createprofile.asp"
Response.End
End if
Else
strError3 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, your passwords didn't
match.</B></FONT>"
End If

End if

 

[Bob Barrows [MVP]]

A better subject line would have been "Problem with If logic". You really
don't want to discourage answers from other participants, do you?

Bob,

Thanks for providing some URLs in a reply to one of my earlier
posts. Not only have you helped me fix up my site to prevent vbscript
injections, you have shown me how to get a performance boost. I have
a question for you and was wondering if you might be able to help
once again. I have almost completely converted my asp into
parameterized requests, but I have one last problem and that is a
"create account" page that checks the Access db for an existing email
address or username, both of which are primary keys in the db. The
code I have tried to use is the following. The code fails at the
email or username check when I try to input an email address or
username that would be a duplicate in the db and always gets through
to the create account append query. Of course, the page throws up an
error about there being duplicate records having the same primary
key. The query in the db is working as expected with its p5 OR p6
parameter requests.

Any ideas?

Dim p1, p2, p3, p4, p5, p6

p1 = Request.Form("GivenName")
p2 = Request.Form("SurName")
p3 = Request.Form("PWD")
p4 = Request.Form("PWD2")
p5 = Request.Form("Email")
p6 = Request.Form("UID")

If LenB(Request.Form("btnAdd")) <> 0 Then

If p3 = p4 Then

Dim DataConnection, RecordSet, strError1, strError2, strError3

Set DataConnection = Server.CreateObject("ADODB.Connection")
DataConnection.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=" & DatabasePath & ";"

Set RecordSet = Server.CreateObject("ADODB.Recordset")
DataConnection.CheckAccount p5, p6, RecordSet

If Not RecordSet.EOF Then
If RecordSet.Fields("Email") = p5 Then
strError1 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, this Email
address is taken.</B></FONT>"
Else
strError2 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, this
Username is taken.</B></FONT>"
End if
RecordSet.Close
Set RecordSet=Nothing
DataConnection.Close
Set DataConnection=Nothing
Else
RecordSet.Close
Set RecordSet = Nothing
DataConnection.CreateAccount p1, p2, p3, p5, p6
Session("ID") = p6
DataConnection.Close
Set DataConnection = Nothing
Response.Redirect "createprofile.asp"
Response.End
End if
Else
strError3 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, your passwords
didn't match.</B></FONT>"
End If

End if

Recommendations:
1. Better indenting so you can see where your if...else...endif blocks begin
and end
2. Use Response.Write to see what is happening.
3. I see no action being taken in the event of error 1 or 2, but that could
be because I can't follow your logic due to the lack of proper indenting.

Bob Barrows

 

[David Shorthouse]

Bob (et al.),

Sorry about the indenting, it was a straight copy and paste and all the
indenting was lost. You sure the indenting would appear in text ng's? Nor
did I include any of the Response.Write headings because I thought what I
included might have been sufficient. I'll try again here:

<%
Dim p1, p2, p3, p4, p5, p6

p1 = Request.Form("GivenName")
p2 = Request.Form("SurName")
p3 = Request.Form("PWD")
p4 = Request.Form("PWD2")
p5 = Request.Form("Email")
p6 = Request.Form("UID")

If LenB(Request.Form("btnAdd")) <> 0 Then

If p3 = p4 Then
Dim DataConnection, RecordSet, strError1, strError2, strError3
Set DataConnection = Server.CreateObject("ADODB.Connection")
DataConnection.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=" & DatabasePath & ";"
Set RecordSet = Server.CreateObject("ADODB.Recordset")
DataConnection.CheckAccount p5, p6, RecordSet

If Not RecordSet.EOF Then
If RecordSet.Fields("Email") = p5 Then
strError1 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry,
this Email address is taken.</B></FONT>"
Else
strError2 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry,
this Username is taken.</B></FONT>"
End if
RecordSet.Close
Set RecordSet=Nothing
DataConnection.Close
Set DataConnection=Nothing
Else
RecordSet.Close
Set RecordSet = Nothing
DataConnection.CreateAccount p1, p2, p3, p5, p6
Session("ID") = p6
DataConnection.Close
Set DataConnection = Nothing
Response.Redirect "createprofile.asp"
Response.End
End if
Else
strError3 = "<FONT FACE='ARIAL' SIZE='3'><B>Sorry, your passwords
didn't match.</B></FONT>"
End If
End if
%>

<%
Response.Write (strError1)
Response.Write (strError2)
Response.Write (strError3)
%>

With Text form boxes named GivenName, SurName, PWD, PWD2, Email, UID where
PWD2 doesn't have a field in the db and is merely a check for the client.

Thanks,

Dave

 

[Bob Barrows [MVP]]

Do the response.writes provide any clues? For debugging purposes, you should
do wome writing to response before attempting to do the CreateAccount. In
fact, comment out that statement until you can figure out what's going on.
From what I can see, the only way the CreateAccount statement should run is
if the recordset is empty. Have you verified that it is in fact empty?

 

[David Shorthouse]

Bob,

Hmm. I just commented out the CreateAccount section of the script and
don't get the response.write statements to suggest the UID or Email are
already in the db. Doesn't make any sense. When I run the query within
access and use the same values for the parameters, I get the list of records
as I should have within the asp script. I double-checked where I put the
"p5" and "p6" parameter tags in the select query and they match how I
designated them in the asp.

Dave

 

[David Shorthouse]

Fix it. Sorry for the hassle. Seems it's important to put the [p5] OR [p6]
criteria for the respective fields in the correct arrangement if on the asp
there is a "If RecordSet("Email") = p5". That [p5] cannot be in the OR
criteria row in the db.

Dave