ASP/Access Update problem
| newsgroup user 2004-02-07, 4:35 am |
| Somewhat of an ASP newbie, only been using it for about a month now. Trying to write an update password script for members. The code I have keeps deleting the entire row and not just the password. It will update the password, but the username is gone from the Access database along with everything else. The code below is where I'm having the problems.
This pulls the Username, old password and new password from a previous form, performs the function, then if successful will redirect. Problem is, however, exactly as I stated above. HELP! All I need is for the code to match the username with the username entered, update the password, then redirect. Aargh!
<html><!--#include File="../opendatabase.asp"--><head><meta http-equiv="refresh" content="2;url=changepass.asp"><title></title></head><%
Name=Request.Form("name")
Old=request.form("old")
Newpass=request.form("newpass")
set rs=Server.CreateObject("ADODB.Recordset")
set rs2=Server.CreateObject("ADODB.Recordset")
set rs3=Server.CreateObject("ADODB.Recordset")
SQLstr="SELECT * FROM register WHERE username='"&Name&"' and password='"&Old&"'"
rs2.Open SQLstr,conn,1,3
if NOT rs2.EOF then
b=rs2("password")
%><p><font size="4" color="#0000FF">Please wait while the system is updating the database . . .</font></p><%
SQLstr="DELETE password FROM register"
rs3.Open SQLstr,conn,1,3
rs.Open "register",conn,1,3
rs.Addnew
if Newpass="" then
rs("password")=b
else
rs("password")=request.form("newpass")
end if
rs.update
rs.Close
session("userID")=request.form("name")
session("userpw")=Request.Form("new")
'response.redirect("somepage.asp")
else
%><p><font size="4" color="#FF0000">Error: Invalid format. Please try again . . .</font></p><%
end if
%></html>
| |
| Kristofer Gafvert 2004-02-07, 6:35 am |
| Well,
your SQL syntax doesn't seem to be correct. The DELETE command deletes a row; it does not update it. Use UPDATE instead; that one is used to update data in a table.
UPDATE register SET password = 'newPassword' WHERE username = 'userName' AND password = 'oldPassword'
You will have to do some modification for it to work with your ASP.
But why not use stored procedures? You are a target for SQL injection if you put the SQL strings in your ASP code like this, which can be really dangerous, and someone can do pretty much everything in your database.
What if someone enters Adam'-- as the username?
Then the SQL string will be:
UPDATE register SET password = 'newPassword' WHERE username = 'Adam'--' AND password = 'oldPassword'
and since everything behind -- is a comment, all you need to know is the username to change the password.
--
Regards,
Kristofer Gafvert - IIS MVP
Reply to newsgroup only. Remove NEWS if you must reply by email, but please
do not.
www.ilopia.com - FAQ and Tutorials for Windows Server 2003
| |
| newsgroup user 2004-02-07, 8:35 am |
| Thanks for the help. Now I understand the SQL syntax, but still having a problem. I took to heart what you said about the username so, on the changepassword page, I changed the form (temporarily) to call the username from the session variable and inserting it into a stored procedure <%=rsCheckUser("username")%> so that it is displayed in the text box and the text box is disabled so no one can edit it. I will later remove the text box if I can figure out how to not use that form entry 'name' from the previous form to validate the change of password. But for now, I think I have something extra in this code that is not allowing the script to run properly after making the modifications you suggested. Like so: some unnecessary variable or unnecessary rs.open like rs3. I dunno, something. What happens now is, after I hit submit on the previous page, it goes to the "Error, Invalid format" part of this script even with typing the correct old password and a valid new password.
I'd like to get this to where I don't need to request the form (name) variable from the previous page, but that's easier for me to work with right now.
<!--#include File="../opendatabase.asp"--><html><head><meta http-equiv="refresh" content="2;url=chgpwd.asp"><title></title></head><%
Name=Request.Form("name")
Old=request.form("old")
Newpass=request.form("newpass")
set rs=Server.CreateObject("ADODB.Recordset")
set rs2=Server.CreateObject("ADODB.Recordset")
set rs3=Server.CreateObject("ADODB.Recordset")
SQLstr="SELECT * FROM register WHERE username='"&Name&"' and password='"&Old&"'"
rs2.Open SQLstr,conn,1,3
if NOT rs2.EOF then
b=rs2("password")
%><p><font size="4" color="#0000FF">Please wait while the system is updating the database . . .</font></p><%
SQLstr="UPDATE register SET password = '"&newpass&"' WHERE username = '"&Name&"'= '"&old&"'"
rs3.Open SQLstr,conn,1,3
rs.Open "register",conn,1,3
rs.Addnew
if Newpass="" then
rs("password")=b
else
rs("password")=request.form("newpass")
end if
rs.update
rs.Close
session("userID")=request.form("name")
session("userpw")=Request.Form("new")
'response.redirect("../ups/chgpwd.asp")
else
%><p><font size="4" color="#FF0000">Error: Invalid format. Please try again . . .</font></p><%
end if
%></html>
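A parameterized form of the UPDATE suggested in Kristofer Gafvert's reply, with the user name read from the session as the follow-up post intends. This is an added example, not code from any poster in the thread; it assumes opendatabase.asp leaves an open ADODB.Connection in conn (as the posted code implies), that Session("userID") is set at login, and that the columns are Access Text fields of at most 255 characters.

```asp
<!--#include File="../opendatabase.asp"-->
<%
' Assumed: conn is an open ADODB.Connection from opendatabase.asp and
' Session("userID") was set when the member logged in.
Const adCmdText = 1
Const adVarWChar = 202
Const adParamInput = 1
Const adExecuteNoRecords = 128

Dim userName, oldPass, newPass, cmd, affected
userName = Session("userID")        ' identity comes from the session, not the form
oldPass  = Request.Form("old")
newPass  = Request.Form("newpass")

If Len(userName) = 0 Or Len(newPass) = 0 Then
    Response.Write "<p>Error: missing user name or new password.</p>"
Else
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' A single UPDATE replaces the SELECT / DELETE / AddNew sequence.
    ' The ? markers are bound in the order the parameters are appended.
    ' [password] is bracketed because PASSWORD is a Jet reserved word.
    cmd.CommandText = "UPDATE register SET [password] = ? " & _
                      "WHERE username = ? AND [password] = ?"
    cmd.Parameters.Append cmd.CreateParameter("newpass", adVarWChar, adParamInput, 255, newPass)
    cmd.Parameters.Append cmd.CreateParameter("username", adVarWChar, adParamInput, 255, userName)
    cmd.Parameters.Append cmd.CreateParameter("oldpass", adVarWChar, adParamInput, 255, oldPass)

    ' The values travel as data, separate from the SQL text, so a quote
    ' character in any field cannot alter the WHERE clause.
    cmd.Execute affected, , adCmdText + adExecuteNoRecords

    If affected = 1 Then
        Response.Write "<p>Password updated.</p>"
    Else
        ' 0 rows affected: the user name / old password pair did not match.
        Response.Write "<p>Error: old password incorrect.</p>"
    End If
    Set cmd = Nothing
End If
%>
```

Checking the rows-affected count replaces the separate SELECT used in the thread to verify the old password, so no Recordset objects are needed.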