help - trying to display customer details once user logs in


mandyann
04-29-2009, 07:18 PM
Hi all, just wondering if you could help me please. I have a page where the user can log in to their account using their email address and password. When they log in at the minute, links appear, but I want my page to show all the customer details as soon as they log in. These details will be like title, first name, surname, address, stuff like that; it will be reading the information from the database. If you could help me I would be thankful. I have two forms: the first page allows the user to enter their email address and password, and the second form connects to the database and sees if the email and password are correct. If they are, it will show the links, and if they're wrong it just shows the home page link. The email address and password do work; I just want it to display the customer details when they log in. I will show you the code I have used for each page.

The first page is what the user logs on with


<html>
<head>
<link rel="stylesheet" href="stylecontent.css">
</head>
<body>
<p><img src="logo.bmp" height="150" width="150" alt="AnnieLily's Design Logo" align="right"></p>
<h1> Login </h1>
<br>
<h3> Enter your details to create an order </h3>
<form method="post" action="customerDetails.asp"><div align="center">
<table width="33%" border="0">
<tr>
<td width="35%">Enter EmailAddress</td>
<td width="58%"><input type="text" name="EmailAddress"></td>
</tr>
<tr>
<td>Enter Password
&nbsp;&nbsp;</td>
<td><input type="password" name="Password"></td>
</tr>
<tr>
<td colspan="2"><input type="submit" value="Login" name="Login"></td>
</tr>
</table>
</div>
</form>

</body>
</html>


The second page displays links if the correct details are read. This is where I want the customer details to be displayed.


<%@ Language=VBScript %>
<% Option Explicit %>
<% Response.Buffer = True %>

<html>
<body>

<%
dim DBconnect,RecordSet,myDB,RecordItem,EmailAddress,Password

myDB = server.mappath("AnnieLilys.mdb")

'Get the login ID and password from the submitted form...
EmailAddress = request.form("EmailAddress")
Password = Request.Form("Password")

Set DBconnect = Server.CreateObject("ADODB.Connection")
DBconnect.provider = "Microsoft.Jet.OLEDB.4.0"
DBconnect.open(myDB)

'Look up the account whose email address and password match the form values
'(note the space before AND, so the two conditions do not run together)...
Set RecordSet = Server.CreateObject("ADODB.Recordset")
RecordSet.open "SELECT * FROM CustomerAccount WHERE EmailAddress ='" & EmailAddress & "' AND Password ='" & Password & "'", DBconnect

'If the password is correct (matches the one in the database), display the link options...

if NOT(RecordSet.EOF) then
response.write("<p align=""center""><a href=""orderDetails.asp""> Order Card</a>&nbsp;</p>")
end if

RecordSet.close
set RecordSet = nothing
DBconnect.close
set DBconnect = nothing
%>

<p align="center"><a href="frame.htm">Return to Home Page</a></p>

</body>
</html>

Spudhead
04-30-2009, 01:23 PM
Two things:

1. Try not to use SELECT * FROM - it forces your database to do unnecessary work. Use a list of the actual field names that you want: SELECT firstName, lastName FROM...

2. Your script at the moment is vulnerable to a SQL Injection attack. By doing this:
EmailAddress = request.form("EmailAddress")
and this:
"WHERE EmailAddress ='" & EmailAddress & "'"
you're allowing people to put whatever they like into your SQL statement.

All I've got to do is type:
' OR 1=1 --
into your email box in the form, and I've got access to your system. And what if I typed:
'; DROP TABLE CustomerAccount
Always, ALWAYS validate your user input before passing it into your database.

But to answer your question, you could change this bit:
if NOT(RecordSet.EOF) then
response.write("<p align=""center""><a href=""orderDetails.asp""> Order Card</a>&nbsp;</p>")
end if
to read:
if NOT(RecordSet.EOF) then
response.write("<p align=""center""><a href=""orderDetails.asp""> Order Card</a>&nbsp;</p>")
response.write("<p align=""center"">"& RecordSet("firstName") &"</p>")
end if

(where "firstName" is the name of the database field you want to display)

HTH..
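A parameterised version of the second page's lookup, using an ADODB.Command with placeholders instead of string concatenation, and then displaying the customer fields the way the reply suggests. This is an added example, not code from either poster; the column names Title, FirstName, Surname and Address are assumed (only CustomerAccount, EmailAddress and Password appear in the thread).

```vbscript
<%
' Added example: same login check as the original page, but with parameters.
' Column names Title, FirstName, Surname and Address are assumptions.
Dim DBconnect, cmd, RecordSet, myDB, EmailAddress, Password
Const adVarChar = 200, adParamInput = 1, adCmdText = 1

myDB = Server.MapPath("AnnieLilys.mdb")
EmailAddress = Request.Form("EmailAddress")
Password = Request.Form("Password")

Set DBconnect = Server.CreateObject("ADODB.Connection")
DBconnect.Provider = "Microsoft.Jet.OLEDB.4.0"
DBconnect.Open myDB

' The ? placeholders keep the form values out of the SQL text, so input such as
' ' OR 1=1 -- is compared as a literal email address instead of being run as SQL.
' [Password] is bracketed because PASSWORD is a reserved word in Jet SQL.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = DBconnect
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT Title, FirstName, Surname, Address " & _
                  "FROM CustomerAccount WHERE EmailAddress = ? AND [Password] = ?"
cmd.Parameters.Append cmd.CreateParameter("EmailAddress", adVarChar, adParamInput, 255, EmailAddress)
cmd.Parameters.Append cmd.CreateParameter("Password", adVarChar, adParamInput, 255, Password)
Set RecordSet = cmd.Execute

If Not RecordSet.EOF Then
    ' One matching row: show the link and the customer's details.
    ' HTMLEncode stops a stored value from being rendered as markup in the page.
    Response.Write "<p align=""center""><a href=""orderDetails.asp"">Order Card</a></p>"
    Response.Write "<p align=""center"">" & _
        Server.HTMLEncode(RecordSet("Title") & " " & RecordSet("FirstName") & " " & RecordSet("Surname")) & _
        "<br>" & Server.HTMLEncode(RecordSet("Address") & "") & "</p>"
Else
    ' No row: the same message for a wrong email and a wrong password.
    Response.Write "<p align=""center"">Email address or password not recognised.</p>"
End If

RecordSet.Close
Set RecordSet = Nothing
DBconnect.Close
Set DBconnect = Nothing
%>
```

The `& ""` on the Address field turns a Null column value into an empty string before encoding, so an account with no address stored does not raise an error.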