  1. #1
    SitePoint Evangelist
    Join Date
    Jun 2010
    Location
    Israel
    Posts
    523
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)

    problem with login page

    Hey, I got the following page that enables users to log into my page:
    Code ASP:
    user=Request.Form("user")
    pass=Request.Form("password")
    Set conn= Server.CreateObject ("ADODB.Connection")
    Set rs= Server.CreateObject ("ADODB.Recordset")
    conn.Open "DRIVER=Microsoft Access Driver (*.mdb);DBQ=" & Server.MapPath("users.mdb")
    sql= "SELECT * FROM users WHERE user =" & user
    rs.Open sql, conn, 3, 3 ' Error here
    if not rs.EOF then
     if rs("pass") <> pass then
      user = False
     Else
      user = true
      ' some sessions
     End if
    Else
     user = false
    End If

    The problem is that I get this error:
    Microsoft OLE DB Provider for ODBC Drivers (0x80040E10)
    [Microsoft][ODBC Microsoft Access Driver] Too few parameters. Expected 1.
    on the line I marked above, what is the prob :/?

    Thanks,
    Ulthane

  2. #2
    SitePoint Enthusiast lucky20's Avatar
    Join Date
    Oct 2010
    Posts
    97
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Connection string for Access is

    <body>
    <%
    Set MyConn = Server.CreateObject("ADODB.Connection")
    MdbFilePath = Server.MapPath("database/db1.mdb")
    MyConn.Open "Driver={Microsoft Access Driver (*.mdb)}; DBQ="&MdbFilePath&";"
    %>


    </body>

  3. #3
    SitePoint Guru
    Join Date
    Jun 2007
    Posts
    690
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

  4. #4
    SitePoint Addict
    Join Date
    Apr 2009
    Posts
    358
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Most likely user is empty or the form didn't get posted properly. If the variable user is empty you'll get the error you show.

    On a side note, you should run the form data through some kind of validation before using user-posted data such as request.form("user") directly in your SQL. You can be opening your database to SQL injection hacks the way you have it written now.
    Doug G
    =====
    "If you ain't the lead dog, the view is always the same - Anon

  5. #5
    SitePoint Evangelist
    Join Date
    Jun 2010
    Location
    Israel
    Posts
    523
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Solved the problem, ty guys.

    And btw Doug G, ty for the advice. I'm already aware of SQL injection and got some validations on my page; it just didn't have anything to do with the thread so I removed it.

  6. #6
    SitePoint Enthusiast lucky20's Avatar
    Join Date
    Oct 2010
    Posts
    97
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    How would you solve this? Plz let me know. I am a newbie to ASP.

    I should gain some knowledge..

    Thanks..

  7. #7
    SitePoint Evangelist
    Join Date
    Jun 2010
    Location
    Israel
    Posts
    523
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    just changed this line
    Code:
    sql= "SELECT * FROM users WHERE user =" & user
    To this:
    Code:
    sql= "SELECT * FROM users "
     sql= sql & "WHERE user=" 
     sql= sql & "'"
     sql= sql & user
     sql= sql & "'"
    and it started working.
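
Added example, not code from the thread: the change in post #7 quotes the value but still concatenates `Request.Form("user")` into the SQL text, which is the injection risk raised in post #4. The same lookup with a bound ADO parameter, keeping the thread's table and column names (`users`, `user`, `pass`); `FindUser`, `loggedIn` and the 255-character limit are assumptions made for this sketch.

```asp
<%
' Added example: parameterized login lookup for the thread's users.mdb.
' ADO constants, declared here so adovbs.inc is not required.
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202

' Hypothetical helper: returns a recordset for one user name.
' The value is bound to the ? placeholder, so quotes or SQL keywords
' inside it are treated as data and never parsed as part of the statement.
Function FindUser(conn, userName)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' Brackets keep Access from misreading column names as reserved words.
    cmd.CommandText = "SELECT [pass] FROM [users] WHERE [user] = ?"
    cmd.Parameters.Append cmd.CreateParameter("@user", adVarWChar, adParamInput, 255, userName)
    Set FindUser = cmd.Execute
End Function

Dim userName, pass, conn, rs, loggedIn
userName = Trim(Request.Form("user"))
pass = Request.Form("password")
loggedIn = False

' Reject empty or oversized input before touching the database.
If Len(userName) > 0 And Len(userName) <= 255 Then
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & Server.MapPath("users.mdb") & ";"
    Set rs = FindUser(conn, userName)
    If Not rs.EOF Then
        ' Same direct comparison against the stored value as the thread's code.
        If rs("pass") = pass Then loggedIn = True
    End If
    rs.Close
    conn.Close
End If
%>
```

With the value bound as a parameter, an unquoted or empty user name no longer changes the shape of the statement, so the driver has no unresolved identifier to report as a missing parameter.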

