How do I use a Formfield value in a database query on another page?


chrispl

Hi, I've followed the instructions on the link below on Password
Protection and FrontPage.

http://www.frontpageworld.com/tipsandtricks/tipsandtricks12.htm

Everything works well. It prompts me to login, but what I want to do is
then use the username entered on the previous screen, in a database
results query.

something like ....

WHERE [managercode] = "username entered on previous screen"

but I just can't get the syntax correct, or even know if it's possible.


Can anyone help please? Thanks in advance, Chris.
 

Stefan B Rusynko

Your example uses the form field from Request.Form("User")
So in the validation part add a session variable for it

If iStatus > 0 Then
    Session("login") = iStatus
    Session("User") = Request.Form("User")
    Response.Redirect sPage
End If

Then in your other pages use the Session variable

sql = "SELECT * FROM Results WHERE [managercode] = '" & Session("User") & "'"

PS
That is also how the sample page uses it in Check_Login


Jon Spivey

Just to point out there's a major flaw in that script. Enter
user: ' or ''='
pass: ' or ''='

And you're logged in. To fix change
iStatus = Check_Login(Request.Form("User"),Request.Form("Password"))
to
iStatus = Check_Login(replace(Request.Form("User"), "'", ""), _
                      replace(Request.Form("Password"), "'", ""))

Never build a query directly from form field data; it leaves all sorts of
holes. In this case all we need to do is strip out single quotes.
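To see the three ways of building the login query side by side (the string concatenation from the sample script, Jon's quote-stripping patch, and a parameterised query), here is an added example in Python with sqlite3 standing in for the classic ASP/ADO code. It is not from this thread or from the frontpageworld script. The logins table, its columns, the sample rows and the score column are constructed for the demo; only Results and managercode are names taken from the thread.

```python
import sqlite3

# Constructed in-memory stand-in for the site's database. The logins table,
# its columns and all rows are assumptions made for this demo; Results and
# managercode are the names used in the thread.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO logins VALUES ('chris', 'secret1'), ('pat', 'secret2')")
    conn.execute("CREATE TABLE Results (managercode TEXT, score INTEGER)")
    conn.execute("INSERT INTO Results VALUES ('chris', 10), ('chris', 20), ('pat', 5)")
    conn.commit()
    return conn

# Same pattern as the sample script's Check_Login: the SQL text is built by
# concatenating the raw form fields, so a quote in the input ends the literal
# and the rest of the input becomes part of the WHERE clause.
def check_login_concat(conn, user, password):
    sql = ("SELECT COUNT(*) FROM logins WHERE username = '" + user +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0]

# Jon's patch: remove single quotes before the values reach the query text.
def strip_quotes(value):
    return value.replace("'", "")

def check_login_stripped(conn, user, password):
    return check_login_concat(conn, strip_quotes(user), strip_quotes(password))

# Parameterised form: the SQL text is fixed and the values travel separately,
# so no input can alter the structure of the statement.
def check_login_param(conn, user, password):
    sql = "SELECT COUNT(*) FROM logins WHERE username = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchone()[0]

# The follow-up Results query from the thread, written with a parameter
# instead of concatenating Session("User") into the string.
def results_for_manager(conn, session_user):
    sql = "SELECT managercode, score FROM Results WHERE managercode = ?"
    return conn.execute(sql, (session_user,)).fetchall()

def demo():
    conn = make_db()
    payload = "' or ''='"          # the input from Jon's post
    return {
        "concat_payload": check_login_concat(conn, payload, payload),      # 2: every row matches
        "stripped_payload": check_login_stripped(conn, payload, payload),  # 0: quotes removed
        "param_payload": check_login_param(conn, payload, payload),        # 0: treated as data
        "param_valid": check_login_param(conn, "chris", "secret1"),        # 1: real credentials
        "results_chris": results_for_manager(conn, "chris"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the concatenated query the payload turns the WHERE clause into a chain of OR conditions ending in `''=''`, so every row is counted and the login passes. Stripping quotes defeats that particular input, but it only protects values that sit inside quoted string literals; a value concatenated into a numeric comparison, for instance, is not quoted at all, so the general fix is to pass values as parameters. In classic ASP the equivalent of the parameterised functions above is an ADODB.Command whose CommandText uses ? placeholders, with the values added through Parameters.Append cmd.CreateParameter(...), rather than building the SQL string with &.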

Stefan B Rusynko

And it also uses .inc pages instead of .asp pages for the includes, opening another door.
