  1. #1
    SitePoint Member
    Join Date
    Nov 2011
    Location
    The Colony, TX
    Posts
    17

    Server.Transfer not working after clean SQL query

    The short version: I've got a database where employees are required to enter a client's email address in order to get started.
    I'm working on an asp script to check that email against the existing database to make sure it doesn't already exist, using either a Response.Redirect on error or a Server.Transfer on success (i.e. the email doesn't already exist).

    I've set the column we're inserting to be unique in the SQL database, but every time I enter any email, I always get the error page, never the server.transfer. My code is below. I'm omitting things like my server connection info (it's stored in a separate asp page so I don't have to constantly call it). I'm using the server.transfer method because it retains the values in the earlier entered form, so I can autopopulate part of the form on the next page.
    Code:
    <!--#INCLUDE FILE="databaseconnectionSQL.asp" -->
    <%
    userid = session("userid")
    If Len(userid) = 0 Then
        response.redirect("login.asp?msg=Your Session is expired. Please Log-in again.")
    End If
    On Error Resume Next
    Dim strNewClientEmail, strEmpID, rs, strSQL
    strNewClientEmail = Request.Form("newclientemail")
    strEmpID = Session("empid")
    strSQL = "INSERT (rep_id, client_email) INTO client VALUES('" & strEmpID & "' , '" & strNewClientEmail & "')"
    set rs = RD.execute(strSQL)
    if err.number <> 0 then
        Response.Redirect("addclient.asp?error=This Email is already in our database")
    else
        Server.Transfer("addclient2.asp")
    end if
    %>
    So, what am I missing here? Theoretically, if the email is already in the db, you get redirected back to the original page : addclient.asp : with an error message displayed. If the email is NOT in the db, you should get pushed to the second page : addclient2.asp : which is another form for name, address, phone, etc.

    Thanks for any help or pointers you can give me!!

  2. #2
    SitePoint Wizard siteguru
    Join Date
    Oct 2002
    Location
    Scotland
    Posts
    3,609
    On Error Resume Next

    Comment that out and see what is the real error being generated. There IS an error, that's why you always get the Response.Redirect.

    I'd also Response.Write (strSQL) to see what SQL is trying to be executed.

    Finally - using form data directly in a SQL command without validating it is clean is a big No-No!
    Ian Anderson
    www.siteguru.co.uk

  3. #3
    SitePoint Member
    Join Date
    Nov 2011
    Location
    The Colony, TX
    Posts
    17
    I'll give it a shot. As for validation, I'm validating the form with JavaScript on the form submission page, I assume that's what you're referring to?

  4. #4
    SitePoint Wizard siteguru
    Join Date
    Oct 2002
    Location
    Scotland
    Posts
    3,609
    Bad idea - as your ONLY method of protection anyway. Anyone can disable JavaScript in their browser = NO protection.
    Ian Anderson
    www.siteguru.co.uk

  5. #5
    Non-Member
    Join Date
    Oct 2011
    Posts
    11
    You do this, banned JavaScript

  6. #6
    SitePoint Member
    Join Date
    Nov 2011
    Location
    The Colony, TX
    Posts
    17
    I'm not as concerned about malicious use, this is an "internal only" system that will be used by 3 or 4 employees. Right now, I'm on a time crunch to demonstrate the functionality of the system, I can go back and add security at a later date. I intend to try out the proposed suggestions in a couple of hours, will post my results (and the appropriate fixes) as soon as I get done.

  7. #7
    SitePoint Member
    Join Date
    Nov 2011
    Location
    The Colony, TX
    Posts
    17

    Solved, Kind of......

    So, in a roundabout way, here's how I solved this issue:
    I'm no longer doing an insert at the same time, simply doing a query to see if the value exists, then allowing the user to continue on to the next page with the value intact if it doesn't.
    I'm still curious as to how to validate form data for insertion into sql, but that's research for another day.
    Thanks for the input all!!


    Code:
    <!--#INCLUDE FILE="databaseconnectionSQL.asp" -->
    <%
    userid = session("userid")
    If Len(userid) = 0 Then
        response.redirect("login.asp?msg=Your Session is expired. Please Log-in again.")
    End If
    dim rs, strSQL, strNewClientEmail
    strNewClientEmail = Request.QueryString("newclientemail")
    strSQL = ("select * from client where client_email = '" & strNewClientEmail & "'")
    set rs = RD.execute(strSQL)
    if rs.eof then
        Server.Transfer("addclient2.asp")
    else
        Response.Redirect("addclient.asp?error=This Email is already in our database")
    end if
    %>
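
Added example (not code from any poster in this thread): one way to do the insert from the first post with bound parameters, so the email is never concatenated into the SQL text, the unique constraint decides whether it already exists, and only a real duplicate-key error produces the "already in our database" message. It assumes RD is the open ADODB.Connection from the include, a SQL Server backend (native errors 2627 and 2601), and varchar columns of the sizes shown; the two error texts other than the thread's own are made up for illustration.

```vbscript
<!--#INCLUDE FILE="databaseconnectionSQL.asp" -->
<%
' Added example. Assumes RD is the open ADODB.Connection from the include
' and SQL Server with a UNIQUE constraint on client.client_email.
Const adCmdText = 1, adExecuteNoRecords = 128
Const adVarChar = 200, adParamInput = 1

Dim email, empId, re, cmd, e, isDuplicate, errNum
email = Trim(Request.Form("newclientemail"))
empId = Session("empid")

' Server-side shape check: JavaScript validation can be bypassed by the client.
Set re = New RegExp
re.Pattern = "^[^@\s]+@[^@\s]+\.[^@\s]+$"
If Len(email) > 255 Or Not re.Test(email) Then
    Response.Redirect "addclient.asp?error=" & Server.URLEncode("Please enter a valid email address")
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = RD
cmd.CommandType = adCmdText
' The column list follows the table name. The ? placeholders are bound below,
' so quotes in the input are stored as data and never parsed as SQL.
cmd.CommandText = "INSERT INTO client (rep_id, client_email) VALUES (?, ?)"
cmd.Parameters.Append cmd.CreateParameter("rep_id", adVarChar, adParamInput, 50, CStr(empId))
cmd.Parameters.Append cmd.CreateParameter("client_email", adVarChar, adParamInput, 255, email)

On Error Resume Next
cmd.Execute , , adExecuteNoRecords
errNum = Err.Number
isDuplicate = False
For Each e In RD.Errors
    ' 2627 and 2601 are SQL Server's unique-constraint / unique-index violations.
    If e.NativeError = 2627 Or e.NativeError = 2601 Then isDuplicate = True
Next
On Error GoTo 0

If errNum = 0 Then
    Server.Transfer "addclient2.asp"
ElseIf isDuplicate Then
    Response.Redirect "addclient.asp?error=" & Server.URLEncode("This Email is already in our database")
Else
    ' Any other failure (syntax, permissions, connectivity) is not a duplicate.
    Response.Redirect "addclient.asp?error=" & Server.URLEncode("The client could not be saved")
End If
%>
```

The same Command and parameter pattern applies to the SELECT in the post above: replace the concatenated value with a ? placeholder and bind the email as a parameter.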

  8. #8
    SitePoint Wizard siteguru
    Join Date
    Oct 2002
    Location
    Scotland
    Posts
    3,609
    Ian Anderson
    www.siteguru.co.uk

