teemo

Reputation: 51

VBScript Code breaking from String containing '

One of my users has a ' inside the user name, and I think that it is breaking the login code on the line tempPassword=Request.Form("UserPassword")

if (Request.Form("Action") = "Login") then
    tempUsername=Request.Form("UserName")
    tempPassword=Request.Form("UserPassword")

    if not (tempUserName = "") and not (tempPassword = "") then
        '-- The form values are pasted straight into the SQL text, so a ' in
        '-- either of them ends the string literal early and breaks the query
        strSQL="SELECT ContactID,Email,Password from Directory WHERE Email='" & tempUsername & "' AND Password='" & tempPassword & "'"
        set rsQuery=cn.execute(strSQL)
        if not (rsQuery.EOF) then
            '-- Login correct, so set session variables
            Session("CBWorkUser") = "Yes"
            Session("CBWorkUserName") = rsQuery("Email")
            Session("CBWorkID") = rsQuery("ContactID")
        end if
        set rsQuery = nothing
    end if
end if

What solutions are there to fix this?

Upvotes: 0

Views: 159

Answers (1)

Ansgar Wiechers

Reputation: 200253

Don't use string concatenation for building SQL queries. Ever. Not only will you encounter problems like this, it will also make you vulnerable to SQL injection. Use parameterized queries (AKA prepared statements) instead:

Set cmd = CreateObject("ADODB.Command")
cmd.ActiveConnection = cn

' CreateParameter(Name, Type, Direction, Size, Value):
' 200 = adVarChar, 1 = adParamInput. The values travel to the driver
' separately from the SQL text, so a ' inside them cannot alter the query.
Set p1 = cmd.CreateParameter("@email", 200, 1, 255, tempUsername)
cmd.Parameters.Append p1
Set p2 = cmd.CreateParameter("@password", 200, 1, 255, tempPassword)
cmd.Parameters.Append p2

' The ? placeholders are bound in the order the parameters were appended
cmd.CommandText = "SELECT ContactID,Email,Password FROM Directory " _
  & "WHERE Email=? AND Password=?"

Set rsQuery = cmd.Execute

Upvotes: 5
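The following is an added illustration, not code from the question or the answer. It runs both variants of the login query against a constructed in-memory SQLite table (the two sample accounts are invented) using Python's sqlite3 module rather than ADODB, so the same behaviour can be reproduced without an IIS host: the concatenated query fails on a legitimate e-mail address containing an apostrophe and is bypassed outright by a `' OR '1'='1` password, while the parameterized query handles the apostrophe correctly and treats the payload as just another wrong password.

```python
import sqlite3


def make_db():
    """Constructed sample data shaped like the page's Directory table (not real accounts)."""
    cn = sqlite3.connect(":memory:")
    cn.execute(
        "CREATE TABLE Directory (ContactID INTEGER PRIMARY KEY, Email TEXT, Password TEXT)"
    )
    cn.executemany(
        "INSERT INTO Directory (Email, Password) VALUES (?, ?)",
        [("alice@example.com", "s3cret"), ("o'brien@example.com", "hunter2")],
    )
    return cn


def login_concat(cn, username, password):
    """Mirrors the question's string-concatenated query (vulnerable).

    Returns the ContactID on a match, None otherwise. Any quote in the input
    becomes part of the SQL grammar, so the caller must also expect sqlite3.Error.
    """
    sql = (
        "SELECT ContactID,Email,Password FROM Directory WHERE Email='"
        + username + "' AND Password='" + password + "'"
    )
    row = cn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(cn, username, password):
    """Mirrors the answer's parameterized query.

    The ? placeholders are bound by the driver; the values never touch the SQL text.
    """
    sql = "SELECT ContactID,Email,Password FROM Directory WHERE Email=? AND Password=?"
    row = cn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both queries against the same inputs and collect the outcomes."""
    cn = make_db()
    results = {}

    # Case 1: a real user whose e-mail contains an apostrophe (the question's symptom).
    try:
        results["concat_apostrophe"] = login_concat(cn, "o'brien@example.com", "hunter2")
    except sqlite3.Error as err:
        # Email='o'brien@example.com' is no longer valid SQL
        results["concat_apostrophe"] = "SQL error: " + str(err)
    results["param_apostrophe"] = login_param(cn, "o'brien@example.com", "hunter2")

    # Case 2: an attacker who knows no password at all.
    # Concatenated: ... AND Password='' OR '1'='1'  -> true for every row
    payload = "' OR '1'='1"
    results["concat_bypass"] = login_concat(cn, "anyone", payload)
    results["param_bypass"] = login_param(cn, "anyone", payload)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The concatenated query returns ContactID 1 (the first account in the table) for the bypass payload, which is exactly the `if not (rsQuery.EOF)` branch the question's code treats as a successful login. Binding the values with `?` fixes both the apostrophe and the injection at once; there is no need to escape quotes by hand. Note that the page's schema also compares passwords in clear text inside the query, which is a separate problem the parameter change does not address.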
