  1. #1 (Join Date: Aug 2004, Posts: 77)

    Unanswered: quotation problem

    I use a function to fix quotation marks in the register page.

    Function fixQuotes(theString)
        ' Doubles single quotes so the value is safe inside a quoted SQL literal
        fixQuotes = Replace(theString, "'", "''")
    End Function

    ' Lookup: fixQuotes is applied here because the value is spliced into the SQL text
    sql = "select * from register where username='" & fixQuotes(request.querystring("username")) & "'"
    Set rstcheck = conn.Execute(sql)
    If rstcheck.EOF Then
        Set rst = Server.CreateObject("ADODB.Recordset")
        rst.Open "register", conn, 1, 3   ' adOpenKeyset, adLockOptimistic
        rst.AddNew
        ' AddNew writes the field value as-is, so i's is stored as i''s
        rst("username") = fixQuotes(request.querystring("username"))
        rst.Update
    End If

    This register page does not have a problem. The users can register on the site, and they can enter a username which has a quotation mark. For example, username=i's
    Because I use the fixQuotes function, the username that is stored in the database is i''s


    The problem is when I want to log in. In my code, if the users enter the wrong username then they will get the message to try to log in again.

    When I enter the username i's I get the message to try to log in again. But when I enter i''s I can log in.
    This is the login page.
    <%
    Function fixQuotes(theString)
        ' Doubles single quotes so the value is safe inside a quoted SQL literal
        fixQuotes = Replace(theString, "'", "''")
    End Function

    Dim strUsername
    strUsername = fixQuotes(request("username"))

    ' The lookup value is escaped once; it is compared against whatever was stored at registration
    sql = "select * from register where username='" & strUsername & "'"
    Set rst = Server.CreateObject("ADODB.Recordset")
    rst.Open sql, conn, 1, 3   ' adOpenKeyset, adLockOptimistic
    If Not rst.EOF Then
        response.redirect "Main.asp"
    Else
        response.write "Please Try again"
    End If
    %>

    Does anyone have any comment? (I use Microsoft Access)
    Last edited by gop373; 03-10-05 at 12:27.

  2. #2 (Join Date: Dec 2003, Posts: 148)
    That's because you're converting " to ''.

    That's what should happen.

    Why don't you forbid usernames and passwords from having any special characters?

    Just do a replace function with nothing

    Code:
    fixQuotes=REPLACE(theString,"'","")

  3. #3 (Join Date: Nov 2003, Location: Christchurch, New Zealand, Posts: 1,618)
    replacing without telling the user would be bad (m'kay) because they wouldn't know you had done it. Just check for invalid characters and disallow anything with them.

    Of course you could go the other way: create a stored procedure, use a data command and just use parameters to do the updates etc. (providing you are using something that supports stored procs); then you wouldn't have to worry at all.
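    The parameterised approach from reply #3, written out as an added example (this is not the original poster's code nor anything from the thread). It assumes, as in the thread, that conn is an open ADODB.Connection to the Access database and that the register table has a text column named username; the 50-character limit is an assumed column size. With a parameter the value never touches the SQL text, so fixQuotes is not needed on either the write or the read path, and i's is stored and looked up as i's.

```vbscript
<%
' Added example: parameterised lookup and insert with ADODB.Command.
' Assumes "conn" is an open ADODB.Connection (as in the thread) and that
' "register" has a text column "username" of at most 50 characters.
' ADO constants are declared here so adovbs.inc is not required.
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202

' Returns True if a row with exactly this username exists.
' The value travels as a parameter: no quote doubling, and the input
' cannot change the shape of the SQL statement.
Function UsernameExists(conn, username)
    Dim cmd, rst
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT username FROM register WHERE username = ?"
    cmd.Parameters.Append cmd.CreateParameter("username", adVarWChar, adParamInput, 50, username)
    Set rst = cmd.Execute
    UsernameExists = Not rst.EOF
    rst.Close
End Function

' Inserts the username exactly as typed (one quote stays one quote).
Sub AddUser(conn, username)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO register (username) VALUES (?)"
    cmd.Parameters.Append cmd.CreateParameter("username", adVarWChar, adParamInput, 50, username)
    cmd.Execute
End Sub

' Login page: the same untouched value is used that registration stored,
' so "i's" matches "i's". Length is checked before touching the database.
Dim strUsername
strUsername = Request("username")
If Len(strUsername) = 0 Or Len(strUsername) > 50 Then
    Response.Write "Please Try again"
ElseIf UsernameExists(conn, strUsername) Then
    Response.Redirect "Main.asp"
Else
    Response.Write "Please Try again"
End If
%>
```

    On the register page the same AddUser routine replaces the recordset AddNew, so neither page applies fixQuotes to the stored value.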
