Prevent duplicate email in ASP

U

unclechris

Guppy
OK - I've tried - can anyone tell me what's wrong with my code? Please!!

set dBaseConn = Server.CreateObject("adodb.connection")
set rs = server.createobject("adodb.recordset")
strConn = "Provider=Microsoft.JET.OLEDB.4.0; Data Source = " & dBasePath & ";"
dBaseConn.open strConn
strSQL = "SELECT email FROM Advertisers where email=" & Request.Form("email")
rs.open strSQL, dBaseConn
If RS.EOF Then
Else
StrError = StrError & "You already have an account - please use an alternative email address<BR>"
End If
rs.close
dBaseConn.close
set rs = nothing
set dBaseConn = nothing
 
unclechris said:
OK - I've tried - can anyone tell me what's wrong with my code? Please!!

set dBaseConn = Server.CreateObject("adodb.connection")
set rs = server.createobject("adodb.recordset")
strConn = "Provider=Microsoft.JET.OLEDB.4.0; Data Source = " & dBasePath & ";"
dBaseConn.open strConn
strSQL = "SELECT email FROM Advertisers where email=" & Request.Form("email")
rs.open strSQL, dBaseConn
If RS.EOF Then
Else
StrError = StrError & "You already have an account - please use an alternative email address<BR>"
End If
rs.close
dBaseConn.close
set rs = nothing
set dBaseConn = nothing
Click to expand...


to start with theres a problem with the red part
it should look like:

Code: 
 strSQL = "SELECT email FROM Advertisers where email=[COLOR=Red][COLOR=SeaGreen]'[/COLOR]" & Request.Form("email") & "[COLOR=SeaGreen]'[/COLOR];"[/COLOR]

i highlighted in green what you missed

also, id advise adding some security
as a hacker could hack your site quite easily by doing a SQL Injection (basically they enter an SQL statement into the "email" field, i think an example would be

Code: 
[email protected]'; delete from Advertisers where email = '[email protected]'

and they've deleted the record where the email equals that

but there not limited to that table, they cant delete anything from any table

try to do some research into Formating Form Imputs - i think sites like www.4guysfromrolla.com will have something, or you could simply search google (or msn, what ever takes ya fancy)


hope that helps
 
To answer your question mirtheil, I fixed it by building the email check into the error messages.

emailExists = 0
rs.MoveFirst
Do while not rs.eof
if rs("email") = request.form("email") then
emailExists = 1
end if
rs.MoveNext
loop
if emailExists = 1 then
StrError = StrError & "Your email address already exists in our database.<br>"
End If
 
OK - I'm amazed. I typed ' or ''=' into my user/pass fields, and I've hacked my own website! That easy. 8o

I've now changed my SQL statement to the following - and using this replace method, I'm eliminating the user being able to use single quotes and hack my database.

strSQL = "select AdvID from advertisers where email = '" & Replace(Request.Form("email"), "'", "''") & "' "_
& "and password = '" & Replace(Request.Form("password"), "'", "''") & "' "

Scotty - whatch think man? Am I covered now?
 
WebWizForum has a function to format the Strings

for example, a line of the function:
Code: 
strInputEntry = Replace(strInputEntry, "select", "select", 1, -1, 1)

which pritty much stops people using "select" as i doubt the database will see Select with the character changed, and will think its completely different.
 
You must log in or register to reply here.
Back
Top