Guest oranged
Posted April 24, 2006

How to compare two data fields!? I want to compare the data input by the user and the data stored inside an Access database. Below is my coding:

password=Request.Form("passwd")
Set adoCon = Server.CreateObject("ADODB.Connection")
adoCon.Open "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & Server.MapPath("db1.mdb")
Set rsGuestbook = Server.CreateObject("ADODB.Recordset")
strSQL = "SELECT password FROM pass where password=passwd"
rsGuestbook.Open strSQL, adoCon

So next, after the SQL query execution, what coding should be done to identify whether the password input by the user is identical to the password inside the database.

aspnetguy
Posted April 24, 2006

The above SQL statement is open to SQL injection. A user could put hello OR 1=1 -- and that statement would return true, giving them access to your site. You need to be careful when using variables directly in SQL conditions.

You are better off to select all the passwords and put them in an array. Then loop through the array until you find a match.

justsomeguy
Posted April 24, 2006

You can also put the password in quotes and make sure you escape any quotes that are in the input.
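
Added example, not part of any post in this thread: one way to run the comparison from the question with a bound ADO parameter, so the submitted value is never spliced into the SQL text and the match test is simply whether a row came back. The table, column, form field and database file names are the ones in the question; the variable names, the parameter name "pw" and the 255-character limit are assumptions.

```vbscript
' ADO constants (values as defined in adovbs.inc)
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202
Const MAX_PW_LEN = 255   ' assumed width of the password column

Dim userPassword, adoCon, cmd, rs, isMatch
isMatch = False

' CStr turns a missing form field (Empty) into an empty string
userPassword = CStr(Request.Form("passwd"))

' Reject empty or over-long input before touching the database;
' a value longer than the declared parameter size would raise an error.
If Len(userPassword) > 0 And Len(userPassword) <= MAX_PW_LEN Then
    Set adoCon = Server.CreateObject("ADODB.Connection")
    adoCon.Open "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & Server.MapPath("db1.mdb")

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = adoCon
    cmd.CommandType = adCmdText

    ' The ? is a placeholder. Input such as  hello OR 1=1 --  is compared
    ' as a literal string and cannot change the structure of the query.
    ' The brackets keep the column name from being read as a keyword.
    cmd.CommandText = "SELECT [password] FROM pass WHERE [password] = ?"
    cmd.Parameters.Append cmd.CreateParameter("pw", adVarWChar, adParamInput, MAX_PW_LEN, userPassword)

    Set rs = cmd.Execute

    ' A row is returned only when a stored value equals the submitted one
    isMatch = Not rs.EOF

    rs.Close
    adoCon.Close
    Set rs = Nothing
    Set cmd = Nothing
    Set adoCon = Nothing
End If

If isMatch Then
    Response.Write "Password accepted"
Else
    Response.Write "Password rejected"
End If
```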