unable to load information from the database

robokopf

Hi guys, I'm trying to create a simple login system that retrieves the log-in information from a database. When a user logs in it'll create a session and the user will be redirected to the main page. And when the user clicks on his own username it'll redirect the user to a profile editing page. Here's some code.

<p><a href="editprofile.asp?user=<%=Session("username")%>">edit my profile</a></p>

When the user clicks on this link it'll link up to the editprofile page, which will display his information, and the user is able to edit the information fields.

<!--#INCLUDE VIRTUAL="Project/includes/connection.asp"-->
<%
strsql = "SELECT * FROM userdb where username"
set objRs = Server.CreateObject("ADODB.Recordset")
objRs.open strsql,objConn,1,2
if not objRs.eof then
%>
<body>
<form name="update" method="get" action="updatedata.asp">
<table border=1>
<tr><td>User ID:</td><td><INPUT name=name readonly value=<%=objRs("username")%>></td></tr>
<tr><td>Address:</td><td><INPUT name=text value=<%=objRs("address")%>></td></tr>
<tr><td><INPUT type=submit value=Submit name=submit></td><td><INPUT type=reset value=Reset name=reset></td></tr>
</table>
</form>
<%end if%>

This is the code in editprofile.asp. The problem is, when I'm on this page, the information that is loaded is not of my own username but of other accounts. I've created multiple test accounts in the database but it still does not display the correct information corresponding to the username. Is there something wrong with the SQL code or what? Thanks in advance. :)


strsql = "SELECT * FROM userdb where username"

If there was a record that you wanted to retrieve from your database which had a username of "robokopf", you'd want to use a SQL query something like the following:
SELECT * FROM userdb WHERE username = 'robokopf'

I think if you change your code to reflect that query you would be closer to your goal.

strsql = "SELECT * FROM userdb WHERE username = '"&username&"'"


Hi jesh, thanks for the reply. I've got it fixed and it's working now. Here's my code. So sorry for the trouble :)

<!--#INCLUDE VIRTUAL="Project/includes/connection.asp"-->
<%
dim username
username = request.querystring("user")
strsql = "SELECT * FROM userdb WHERE username = '"&username&"'"


One thing to note is that this is really insecure, because someone can type any username into the URL and be able to edit that information. Since you are putting the username in the URL from the session here:

<p><a href="editprofile.asp?user=<%=Session("username")%>">edit my profile</a></p>

It would be better to leave out the querystring, and just get the username from the session on the next page.

<p><a href="editprofile.asp">edit my profile</a></p>
...
username = Session("username")
strsql = "SELECT * FROM userdb WHERE username = '"&username&"'"
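The session-based version above, carried through as a complete editprofile.asp (an added example, not code from anyone in this thread). It assumes connection.asp opens objConn and that the login page stores the authenticated name in Session("username"); login.asp is an assumed page name. The username is bound as an ADODB.Command parameter instead of being concatenated into the SQL string, and a visitor with no session is sent back to the login page.

```asp
<!--#INCLUDE VIRTUAL="Project/includes/connection.asp"-->
<%
' Added example, not the poster's code. Assumes connection.asp opens objConn
' and that login stores the authenticated name in Session("username").
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Dim username, cmd, objRs
username = Session("username")

' No session value means nobody is logged in: nothing to look up.
If IsEmpty(username) Or username = "" Then
    Response.Redirect "login.asp"   ' login.asp is an assumed page name
    Response.End
End If

' Parameterised query: ADO binds the value, it is never spliced into the SQL text,
' and the row returned is always the one for the session's own user.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = objConn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT username, address FROM userdb WHERE username = ?"
cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 50, username)
Set objRs = cmd.Execute

If Not objRs.EOF Then
%>
<form name="update" method="post" action="updatedata.asp">
<table border=1>
<!-- HTMLEncode the database values before placing them in attributes; & "" turns a Null address into "" -->
<tr><td>User ID:</td><td><input name="name" readonly value="<%=Server.HTMLEncode(objRs("username") & "")%>"></td></tr>
<tr><td>Address:</td><td><input name="address" value="<%=Server.HTMLEncode(objRs("address") & "")%>"></td></tr>
<tr><td><input type="submit" value="Submit"></td><td><input type="reset" value="Reset"></td></tr>
</table>
</form>
<%
End If
objRs.Close
objConn.Close
%>
```

updatedata.asp needs the same treatment: take the username from Session rather than from the submitted form, since the readonly attribute on the field is only a browser hint.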

