  #1 (permalink)  
Old 03-10-05, 05:26
gop373 gop373 is offline
Registered User
 
Join Date: Aug 2004
Posts: 77
quotation problem

I use a function to fix quotation marks in the register page.

Function fixQuotes(theString)
fixQuotes=REPLACE(theString,"'","''")
End Function

sql="select * from register where username='"&fixQuotes(request.querystring("username"))&"'"
set rstcheck=conn.execute(sql)
if rstcheck.eof then
set rst=server.createobject("adodb.recordset")
rst.open "register",conn,1,3
rst.addnew
' the value is assigned straight to the field, so the doubled quote is stored as-is
rst("username")=fixQuotes(request.querystring("username"))
rst.update
end if

This register page does not have a problem. The users can register on the site, and they can enter a username which has a quotation mark. For example, username=i's
Because I use the fixQuotes function, the username that is stored in the database is i''s


The problem is when I want to log in. In my code, if the users enter the wrong username then they will get the message to try to log in again.

When I enter username i's I get the message to try to log in again. But when I enter i''s I can log in.
This is the login page.
<%
Function fixQuotes(theString)
fixQuotes=REPLACE(theString,"'","''")
End Function

Dim strUsername
strUsername=fixQuotes(request("username"))

sql="select * from register where username='"&strUsername&"'"
set rst=server.createobject("adodb.recordset")
rst.open sql,conn,1,3
if not rst.eof then
response.redirect "Main.asp"
else
response.write "Please Try again"
End if
%>

Does anyone have any comments? (I use Microsoft Access)

Last edited by gop373; 03-10-05 at 11:27.
  #2 (permalink)  
Old 03-10-05, 16:49
RhythmAddict RhythmAddict is offline
Registered User
 
Join Date: Dec 2003
Posts: 148
That's because you're converting " to ''.

That's what should happen.

Why don't you forbid usernames and passwords from having any special characters?

Just do a replace function with nothing

Code:
fixQuotes=REPLACE(theString,"'","")
  #3 (permalink)  
Old 03-10-05, 17:38
rokslide rokslide is offline
Registered User
 
Join Date: Nov 2003
Location: Christchurch, New Zealand
Posts: 1,617
Replacing without telling the user would be bad (m'kay) because they wouldn't know you had done it. Just check for invalid characters and disallow anything with them.

Of course you could go the other way and create a stored procedure and use a data command and just use parameters to do the updates etc (providing you are using something that supports stored procs) then you wouldn't have to worry at all.
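
The parameter approach described in the last reply, as an added example that is not code from any poster in this thread: with ADO `?` placeholders the username is bound as data, so it is stored and compared exactly as typed and `fixQuotes` is not needed on either page. It assumes `conn` is an already-open ADODB.Connection as in the posts above; the 50-character limit and the helper names `UserExists` and `RegisterUser` are hypothetical.

```vbscript
<%
' Added example. Assumes conn is an open ADODB.Connection to the Access
' database and register.username holds up to 50 characters (assumption).
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202
Const adExecuteNoRecords = 128
Const MAX_USERNAME = 50

' Hypothetical helper: builds a text command with one bound username parameter.
Function UsernameCommand(conn, sqlText, username)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sqlText
    ' The value travels separately from the SQL text, so a quote in it
    ' never reaches the SQL parser.
    cmd.Parameters.Append cmd.CreateParameter("username", adVarWChar, _
        adParamInput, MAX_USERNAME, username)
    Set UsernameCommand = cmd
End Function

' Login page: True when the username exists, compared as typed.
Function UserExists(conn, username)
    Dim rs
    Set rs = UsernameCommand(conn, _
        "SELECT username FROM register WHERE username = ?", username).Execute
    UserExists = Not rs.EOF
    rs.Close
End Function

' Register page: stores i's as i's, not i''s.
Sub RegisterUser(conn, username)
    UsernameCommand(conn, _
        "INSERT INTO register (username) VALUES (?)", username).Execute , , adExecuteNoRecords
End Sub

Dim strUsername
strUsername = Trim(Request("username"))
' Reject empty or over-long input before binding it to the sized parameter.
If Len(strUsername) = 0 Or Len(strUsername) > MAX_USERNAME Then
    Response.Write "Please Try again"
ElseIf UserExists(conn, strUsername) Then
    Response.Redirect "Main.asp"
Else
    Response.Write "Please Try again"
End If
%>
```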