
Submitting a form that checks entered data is not in an exclusion list



Author
7 Mar 2006 10:40 AM
mphillips
I have an ASP form that users enter a number into. The form then posts
the number with a hidden login and password to a web address which
opens in a new window. However, I want to make sure that the number they
enter is not one of the numbers I have in an Access database table that
contains a list of numbers they are not allowed to enter. How can I do
this?

Author
7 Mar 2006 11:19 AM
Mike Brind
mphill***@policecredit.com.au wrote:
> I have an ASP form that users enter a number into. The form then posts
> the number with a hidden login and password to a web address which
> opens in a new window. However, I want to make sure that the number they
> enter is not one of the numbers I have in an Access database table that
> contains a list of numbers they are not allowed to enter. How can I do
> this?

set rs = conn.execute("SELECT restrictedNumber FROM table WHERE restrictedNumber = " & Request.Form("inputNumber"))
if not rs.eof then
   'user can't proceed because there is a match
else
   'user can
end if

--
Mike Brind
Author
7 Mar 2006 12:02 PM
Bob Barrows [MVP]
Mike Brind wrote:
> mphill***@policecredit.com.au wrote:
>> I have an ASP form that users enter a number into. The form then
>> posts the number with a hidden login and password to a web address
>> which opens in a new window. However, I want to make sure that the
>> number they enter is not one of the numbers I have in an Access
>> database table that contains a list of numbers they are not allowed
>> to enter. How can I do this?
>
> set rs = conn.execute("SELECT restrictedNumber FROM table WHERE restrictedNumber = " & Request.Form("inputNumber"))

This is the correct solution, as far as it goes. However, don't forget your
server-side validation. This technique is susceptible to SQL injection.
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23

Far better is to:

1. validate user inputs in server-side code (e.g., make sure numbers contain
only numbers)
2. use parameters instead of dynamic SQL.
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

Better yet, use saved parameter queries:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/b3d322b882a604bd

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
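Putting Bob's two recommendations together with Mike's exclusion check, here is an added example in classic ASP/VBScript. It is not code posted by anyone in this thread. It assumes `conn` is an already open ADODB.Connection to the Access database, that the exclusion table is named `RestrictedNumbers` (the thread only says "table"), and uses the parameter name `p1`; the column `restrictedNumber` and the form field `inputNumber` are taken from Mike's post.

```vbscript
<%
Option Explicit
' Added example, not from the thread. Server-side validation followed by an
' ADO parameterised query, so the user's value never becomes part of the SQL text.
' Assumed: conn is an open ADODB.Connection; table RestrictedNumbers (name assumed).

' ADO constants (normally pulled in from adovbs.inc)
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

' Returns True only for a string of 1 to 9 plain digits. IsNumeric alone would
' accept "1e3", "1.5" or " 12 "; requiring digits keeps the value inside a Long
' and rejects anything that is not a number before any SQL is executed.
Function IsValidNumber(value)
    Dim i, ch
    IsValidNumber = False
    If Len(value) = 0 Or Len(value) > 9 Then Exit Function
    For i = 1 To Len(value)
        ch = Mid(value, i, 1)
        If ch < "0" Or ch > "9" Then Exit Function
    Next
    IsValidNumber = True
End Function

' Returns True when the number appears in the exclusion table.
' The value travels as a typed parameter (the "?" placeholder), not as text.
Function IsRestricted(conn, number)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT restrictedNumber FROM RestrictedNumbers WHERE restrictedNumber = ?"
    cmd.Parameters.Append cmd.CreateParameter("p1", adInteger, adParamInput, , CLng(number))
    Set rs = cmd.Execute
    IsRestricted = Not rs.EOF
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

Dim inputNumber
inputNumber = Trim(Request.Form("inputNumber"))

If Not IsValidNumber(inputNumber) Then
    Response.Write "Please enter a whole number."
ElseIf IsRestricted(conn, inputNumber) Then
    Response.Write "That number cannot be used."
Else
    ' Number passed both checks: safe to continue with the post to the other site
End If
%>
```

To use Bob's "saved parameter query" variant instead, define the parameterised query inside the Access database and point the command at it: set `cmd.CommandText` to the saved query's name and `cmd.CommandType` to `adCmdStoredProc` (4); the `CreateParameter` call and the rest of `IsRestricted` stay the same.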
Author
8 Mar 2006 3:49 AM
mphillips
Thanks for your help I will give it a go and see if I can get it to
work.

Mal
