
how to manipulate and validate strings



skalag
02-07-2003, 02:00 PM
Hi, I have just got through a login, relogin, displaydata, update, add and delete section for a web site, with a lot of help from this forum, but I did not use any validation on input and strings. Not knowing how to do this I skipped it for later; now I get errors such as when the login fields are spelt correctly but wrongly in uppercase I get an error, though a wrong entry in uppercase does not cause any problems... What I need to do is convert all to lowercase and perform a trim on all the text boxes on login, edit and add new... but I now find it difficult to insert these into my (very confusing) code... Is it possible to put all these functions in an include file or something that I can easily call instead of going back into all the code?

arnyinc
02-07-2003, 03:15 PM
Probably. It just depends how your code is already written. Assuming you have something like:



strUsername=request.querystring("strUsername")


You can change it to



strUsername=trim(lcase(request.querystring("strUsername")))


There isn't much benefit to putting it in an include file though.

skalag
02-07-2003, 04:12 PM
What about using a page of JavaScript functions, is there any benefit in that?

skalag
02-07-2003, 08:52 PM
I tried the above example but I couldn't get it to work... I had to try it here before the form data was matched to the database... so I tried declaring string variables 1, 2 & 3 and did trim and lcase on these before selecting WHERE Fusername = String1 etc, but could not get the syntax right on this... I also tried doing the trim and lcase functions on the request.form in the SQL statement but couldn't get this to work either... can someone advise please?

Below are versions of the two ways I tried and failed:

stringx= trim(lcase(Request.Form("Tusername")))
stringy= trim(lcase(Request.Form("Tuserpin")))
stringz= trim(lcase(Request.Form("Tuserpassword")))


strSQL = "SELECT Fid, Fusername, Fuserpin, Fuserpassword FROM tblLoginuser WHERE Fusername = " ' " & stringx & " ' " and Fuserpin= " ' " & stringy & " ' " and Fuserpassword= " ' " & stringz & " ' " "

set rstLoginChecker=cnn.execute(strSQL)



strSQL = "SELECT Fid, Fusername, Fuserpin, Fuserpassword FROM tblLoginuser WHERE Fusername = '" & Request.Form("Tusername") & "' and Fuserpin= '" & Request.Form("Tuserpin") & "' and Fuserpassword= '" & Request.Form("Tuserpassword") & "'"

whammy
02-07-2003, 11:46 PM
Your explanation was a bit confusing... are you having trouble comparing strings because they aren't the same case? If so, then you can UCase() them when you compare them:

If UCase(somestring) <> UCase(someotherstring) Then
' Uh-oh, they don't match!
End If

:confused:

If that doesn't help, let's start sorting through the specific errors one at a time. :)

skalag
02-08-2003, 12:27 AM
Okay, I'll try and make sense. I'm posting username and password from an htm page, where it is then used to select the matching username and password from the database. I want to ensure that there are no unwanted spaces or characters or upper case chars in the data from the htm form before it is used in the SQL statement...
In the post above I showed how I tried passing the form values to string variables and using the variables in the SQL statement, but I keep getting syntax errors doing this... I don't know how to select 3 string variables from the database through a SQL statement.

whammy
02-08-2003, 12:29 AM
Ok, well unwanted spaces, characters, etc. don't matter at all when you're requesting something using a SQL statement. Also, SQL is case-insensitive, so "WHAMMY" would still equal "whammy" as far as SQL is concerned.

Either the username and password match, or they don't... it seems like you aren't really sure what the problem is, by your explanation.

The only thing that will give you grief when requesting this information from SQL is the single quote - see this link for a full explanation:

http://www.codingforums.com/showthread.php?s=&threadid=9843

If that's not the problem (single quotes), then there is something wrong with your SQL Syntax. In these cases, it's best to do this:


MySQLStatement = "WHATEVER"
Response.Write(MySQLStatement) : Response.End

'Conn.Execute(MySQLStatement)

That way, you can see exactly what's being processed. :)

P.S. for strings, you have to do something like:

"SELECT * FROM tablename WHERE mystring = '" & mystring & "'"

skalag
02-08-2003, 05:57 PM
Okay, here I am again. I think you are right Whammy, I'm not sure at all what I'm doing. I did a little bit of VB a couple of years ago, small examples manipulating text etc... but it's a lot more daunting trying to put all those bits together in one web application, where there's plenty more I have never done... Basically I'm at the stage now where I finally have connections OK, display, add, delete, and update all sorted but with no error trapping, validation etc, and I thought I should do some trim and lcase and ensure text boxes have data entered etc... I do have a problem on the login form though, as I mentioned earlier: a wrong password/username in ucase or lcase is redirected to relogin, but a correct pass/user in ucase when it should be lcase leads to a server ASP error page... This is what I really don't understand, and I thought it was necessary to convert all text boxes to lcase to prevent this error occurring... I also wanted to do lcase, trim and ensure data was entered on the login page where it looks easier, before trying on the edit and addnew pages where it looks more complicated.

skalag
02-08-2003, 06:19 PM
Thanks Whammy, the syntax for the SQL statement works as you showed:
' " & stringx & " '

I tried many versions of this including:

" ' " & stringx & " ' "
" ' " & (stringx) & " ' "
" ' " & ("stringx") & " ' "
' & stringx & '
" & stringx & "
" & (stringx) & "
& ("stringx") &

I tried every combo I could think of.
Thanks a lot again guys for the help, I've got it to work at last. That's one potential error avoided, only how many more to go???

whammy
02-08-2003, 10:58 PM
Not sure what's happening with the case-sensitivity, can you post the relevant code?

skalag
02-09-2003, 12:43 PM
OK Whammy, I'm sorry for the state of this and you'll probably understand why I get lost when you see it. I took long and unnecessary ways to get things done and haven't removed anything I feel is redundant, not yet anyway. I am planning to go back and rewrite when I have got this all finished; hopefully it will look more like the excellently displayed (neat, readable) code from members on this forum...

login page: (HTML tags removed)

code:
---------------------------------------------------------------------------

<form name="form" method="post" action="asp/Logincheck.asp">

<input type="password" name="Tusername" size="20" maxlength="8">

<input type="password" name="Tuserpin" maxlength="4" size="20">

<input type="password" name="Tuserpassword" maxlength="8" size="20">

<input type="reset" name="reset" value="Cancel">

<input type="submit" name="Submit" value="Submit">

</form>

---------------------------------------------------------------------------
code:

OK... simple enuff.

logincheck.asp: (this is the version that now trims and converts to lower case with no errors)


code:
---------------------------------------------------------------------------
<OBJECT RUNAT=SERVER ID=cnn PROGID="ADODB.Connection"></OBJECT>

<%
cnn.Open Application("ConnectionString")
dim strSQL , rstLoginChecker


'retrieve input from (re)login form and Trim and convert to lower case in variable strings x, y, z
'use variable strings to query the database

stringx= trim(lcase(Request.Form("Tusername")))
stringy= trim(lcase(Request.Form("Tuserpin")))
stringz= trim(lcase(Request.Form("Tuserpassword")))



strSQL="SELECT Fid, Fusername, Fuserpin, Fuserpassword FROM tblLoginuser WHERE Fusername = '" & stringx & "' AND Fuserpin = '" & stringy & "' AND Fuserpassword = '" & stringz & "'"

set rstLoginChecker=cnn.execute(strSQL)


if rstLoginChecker.EOF or rstLoginChecker.BOF then
response.redirect ("/MEMBERS/relogin.htm")

else
while not rstLoginChecker.EOF

'used to pass value to displaydata.asp page
'why index and loguser?

dim INDEX
INDEX = rstLoginChecker("Fusername")
response.cookies("loguser") = INDEX

'password checker and redirect valid login

IF trim(lcase(Request.Form("Tusername"))) = rstLoginChecker("Fusername") AND trim(lcase(Request.Form("Tuserpassword"))) = rstLoginChecker("Fuserpassword") AND trim(lcase(Request.Form("Tuserpin"))) = rstLoginChecker("Fuserpin") Then

Response.redirect("/MEMBERS/asp/welcome.asp")
Else
'absolute path: a bare "relogin.htm" resolves relative to /MEMBERS/asp/, which is not where the page lives
Response.redirect("/MEMBERS/relogin.htm")
End IF
'was rs.MoveNext, but rs is never declared; the recordset is rstLoginChecker
rstLoginChecker.MoveNext
Wend

'(an "OnError response.Redirect" line stood here; it is not valid VBScript and is never reached, because Response.Redirect ends the response)

END IF
'strSQL is a string, not an object, so Set strSQL = Nothing would fail; release the recordset instead
rstLoginChecker.Close
set rstLoginChecker=nothing
cnn.close
%>
---------------------------------------------------------------------------
code:

This next bit was the original logincheck page that gave an error when all three text fields were filled with characters such as /?'#. It still does crash on this, though I don't think I could prevent it anyway and it's such an unlikely occurrence... I hope...
...also, if username, pin number and password were all 'pass',
then data entered in the text boxes performed thus:
pass, pass, pass, went to logged in
PASS, pass, pass, loginfailed redirect to relogin
PASS, PASS, PASS, produced 404 page not found
PUSS, PUSS, PUSS, loginfailed redirect to relogin

code:
---------------------------------------------------------------------------

<OBJECT RUNAT=SERVER ID=cnn PROGID="ADODB.Connection">
</OBJECT>

<%
cnn.Open Application("ConnectionString")
dim strSQL , rstLoginChecker

strSQL = "SELECT Fid, Fusername, Fuserpin, Fuserpassword FROM tblLoginuser WHERE Fusername = '" & Request.Form("Tusername") & "' and Fuserpin= '" & Request.Form("Tuserpin") & "' and Fuserpassword= '" & Request.Form("Tuserpassword") & "'"

set rstLoginChecker=cnn.execute(strSQL)


if rstLoginChecker.EOF or rstLoginChecker.BOF then
response.redirect ("/MEMBERS/relogin.htm")

else
while not rstLoginChecker.EOF


dim INDEX
INDEX = rstLoginChecker("Fusername")
response.cookies("loguser") = INDEX

If Request.Form("Tusername") = rstLoginChecker("Fusername") AND Request.Form("Tuserpassword") = rstLoginChecker("Fuserpassword") AND Request.Form("Tuserpin") = rstLoginChecker("Fuserpin") Then

Response.redirect("/MEMBERS/asp/welcome.asp")
Else
Response.redirect("relogin.htm")
End If
rs.MoveNext
Wend

OnError response.Redirect ("relogin.htm")
end if

set strSQl=nothing
cnn.close
%>

---------------------------------------------------------------------------
code:

whammy
02-09-2003, 08:26 PM
This is the problem:

IF trim(lcase(Request.Form("Tusername"))) = rstLoginChecker("Fusername") AND trim(lcase(Request.Form("Tuserpassword"))) = rstLoginChecker("Fuserpassword") AND trim(lcase(Request.Form("Tuserpin"))) = rstLoginChecker("Fuserpin") Then


You don't need that, since you already checked in the SQL statement to see if they were all equal.

If it's NOT rs.EOF, then a match was found, and they have successfully logged in. All you need to do in that case is redirect them. It will probably work if you just delete the part above.

skalag
02-09-2003, 11:13 PM
Thanks again whammy, it's cleaned up the code a lot and works a treat...

whammy
02-09-2003, 11:42 PM
:cool:

glenngv
02-10-2003, 03:47 AM
IMHO, I think you should not trim and lowercase the password entered by the user. For security reasons, passwords should be case-sensitive. You should accept whatever the user entered in the password field, no trimming, no lowercasing.

whammy
02-11-2003, 12:53 AM
Good point, Mr. Vergara.

I like to use passwords similar to:

@<""<!--B3+

This is not _really_ one of my passwords (as you can see it is a somewhat 133+ version of "Robert" with some funky stuff in front).

And I have no problems entering something resembling that into a database, or displaying on an ASP page.

Of course in order to do the latter you'd need to Server.HTMLEncode() the variable - otherwise the above characters would break your HTML.

:)
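Pulling the thread's advice together (the single-quote problem whammy linked, Trim/LCase on the username only, and glenngv's point that the password must stay case-sensitive), here is an added example of the logincheck page; it is not code from any of the posters. Table, column and form-field names come from the posts, Application("ConnectionString") is assumed from skalag's code, and the numeric ADO constants are the standard adCmdText / adVarChar / adParamInput values.

```vbscript
<%
Option Explicit
' Added example, not code from the thread. Username is normalised the way the
' thread settled on (Trim + LCase); PIN and password are not lowercased (glenngv's
' point) and are compared case-sensitively in VBScript rather than in SQL.
Dim strUser, strPin, strPass
strUser = Trim(LCase(Request.Form("Tusername")))
strPin  = Trim(Request.Form("Tuserpin"))
strPass = Request.Form("Tuserpassword")

' Reject empty fields before touching the database
If Len(strUser) = 0 Or Len(strPin) = 0 Or Len(strPass) = 0 Then
    Response.Redirect "/MEMBERS/relogin.htm"
End If

Dim cnn, cmd, rst
Set cnn = Server.CreateObject("ADODB.Connection")
cnn.Open Application("ConnectionString")

' The username travels as a parameter, never concatenated into the SQL text,
' so quotes or other punctuation in it cannot change the query.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cnn
cmd.CommandText = "SELECT Fuserpin, Fuserpassword FROM tblLoginuser WHERE Fusername = ?"
cmd.CommandType = 1   ' adCmdText
cmd.Parameters.Append cmd.CreateParameter("u", 200, 1, 8, strUser)   ' adVarChar, adParamInput, size 8
Set rst = cmd.Execute

' StrComp with vbBinaryCompare (0) is case-sensitive, unlike most SQL collations,
' so "PASS" no longer matches a stored "pass".
Dim ok
ok = False
If Not (rst.EOF Or rst.BOF) Then
    ok = (StrComp(rst("Fuserpin") & "", strPin, 0) = 0) And _
         (StrComp(rst("Fuserpassword") & "", strPass, 0) = 0)
End If
rst.Close: Set rst = Nothing
cnn.Close: Set cnn = Nothing

If ok Then
    Response.Cookies("loguser") = strUser
    Response.Redirect "/MEMBERS/asp/welcome.asp"
Else
    ' Absolute path: a bare "relogin.htm" would resolve relative to /MEMBERS/asp/
    Response.Redirect "/MEMBERS/relogin.htm"
End If
%>
```

Because the row is looked up by username alone, the database's collation only affects the username match; the PIN and password decision is made by StrComp, and any value later written back into a page still needs Server.HTMLEncode() as whammy notes.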


