Session variables



sagat
08-26-2004, 05:37 PM
i am trying to implement a session variable that displays the username. I have a global.asa file but i don't know how this will fit in:


<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<script language="vbscript" runat="server">
Sub Application_OnStart
Application("Username")
End Sub
Sub Session_OnStart
Application.Lock
Application("Username")=Application("Username")
Application.UnLock
End Sub
Sub Session_OnEnd
Application.Lock
Application("Username")=Application("Username")-1
Application.UnLock
End Sub
</script>

</body>
</html>

I would be grateful if you guys can help me amend this script. Thanks

Morgoth
08-26-2004, 11:13 PM
Please use [ CODE ] tags.
The global.asa file is not supposed to have HTML code inside of it.

Look here, you'll find your answer at W3Schools.com:
http://www.w3schools.com/asp/asp_globalasa.asp

Also, you can't use the global.asa to write the username to a page. All you have to do is go into your display page and put in


<%
Response.Write Session("name")
%>

sagat
08-26-2004, 11:16 PM
Thanks i tried it but it just displays blank. I know in coldfusion you have to define session variables; is it the same in asp and if so can you please show me how to do it? thanks

Morgoth
08-26-2004, 11:30 PM
Ok.

When you open up your database because the user has logged in, all you have to do is store his username into a session variable.


<%
Set oConn = Server.CreateObject("ADODB.Connection")
StrConn = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("db.mdb") & ";"
oConn.open StrConn

SQL = "SELECT Username FROM tblTable WHERE something = something"
Set oRS = oConn.Execute(SQL)

Session("Username") = oRS("Username")
%>


And then when you want to display that variable, all you have to do is:


<%
Response.Write Session("Username")
%>

Make sense?

sagat
08-26-2004, 11:46 PM
Hi, this is the code i have tried including the session inside the script:

<%@Language=VBScript%>

<%
username = REPLACE(request.form("username"), "'", "''")
password= REPLACE(request.form("password"), "'", "''")

Set oConn = Server.CreateObject("ADODB.Connection")
StrConn = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("netteh.mdb") & ";"
oConn.open StrConn

SQL = "SELECT * FROM Students WHERE Username = Username"
Set oRS = oConn.Execute(SQL)

Session("Username") = oRS("Username")

If rs.EOF = false then
'it found a record, so the login info is correct
Session("name") = rs("Firstname")
Else
'it did NOT find a record so let them know it was an invalid entry
Response.Redirect("frontpage.asp")
End if

rs.Close
conn.Close
set rs=nothing
set conn=nothing
%>

but it comes up with errors. Please can you help fix the code? thanks
Also, i would like to display the results of a table in access. Just like coldfusion. How can i do this?

Morgoth
08-27-2004, 12:06 AM
but it comes up with errors. Please can you help fix the code? thanks
Also, i would like to display the results of a table in access. Just like coldfusion. How can i do this?

Please, for god's sake, use [ CODE ] tags when you post code. It's so much easier to read, and indents show up in code tags.

Also, please tell us what error you get. If you get an error message, or the code is not doing what you want it to do.

Everything in bold is what I edited or added.


<%@Language=VBScript%>

<%
StrUsername = REPLACE(request.form("username"), "'", "''")
StrPassword = REPLACE(request.form("password"), "'", "''")

Set oConn = Server.CreateObject("ADODB.Connection")
StrConn = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("netteh.mdb") & ";"
oConn.open StrConn

SQL = "SELECT * FROM Students WHERE Username = " & StrUsername
Set oRS = oConn.Execute(SQL)

Session("Username") = oRS("Username")

If rs.EOF = False then
'it found a record, so the login info is correct
Session("Firstname") = oRS("Firstname")
Else
'it did NOT find a record so let them know it was an invalid entry
Response.Redirect("frontpage.asp")
End if

Response.Write Session("Username")
Response.Write "<br>"
Response.Write Session("Firstname")

oRS.Close
oConn.Close
Set oRS = Nothing
Set oConn = Nothing

%>

sagat
08-27-2004, 12:10 AM
thanks i tried it but it came up with the following error:

Error Type:
Microsoft JET Database Engine (0x80040E14)
Syntax error (missing operator) in query expression 'Username ='.
/validate.asp, line 12


Line 12 is: SQL = "SELECT * FROM Students WHERE Username = " & StrUsername

raf
08-27-2004, 12:18 AM
your db-column "Username" will be of a stringtype, so the value needs to be enclosed in quotes.

sagat
08-27-2004, 12:25 AM
I put the quotes and it came up with errors:
SQL = "SELECT * FROM Students WHERE Username = & StrUsername"
Set oRS = oConn.Execute(SQL)

Error Type:
Microsoft JET Database Engine (0x80040E14)
Syntax error (missing operator) in query expression 'Username = & StrUsername'.
/TMPlq3xv32rru.asp, line 12

and i tried:
SQL = "SELECT * FROM Students WHERE Username" = "& StrUsername"
Set oRS = oConn.Execute(SQL)

Error Type:
Microsoft JET Database Engine (0x80040E14)
Invalid SQL statement; expected 'DELETE', 'INSERT', 'PROCEDURE', 'SELECT', or 'UPDATE'.
/TMPlsdiw32rus.asp, line 12

raf
08-27-2004, 12:31 AM
Try

SQL = "SELECT * FROM Students WHERE Username = '" & StrUsername & "'"

sagat
08-27-2004, 12:34 AM
Still has errors:
Error Type:
Microsoft VBScript compilation (0x800A0400)
Expected statement
/TMPlykmp32s2t.asp, line 11
"SELECT * FROM Students WHERE Username = '" & StrUsername & "'"

SQL = "SELECT * FROM Students WHERE Username = '" & StrUsername & "'"

raf
08-27-2004, 12:40 AM
Yeah! Still errors. But we moved on 3 lines! Think positive!
The query should be valid now (which doesn't mean it'll return records).

Anyway, this looks wrong

"If rs.EOF = False then"

I don't see you open a recordset named "rs". You probably copy-pasted this code from somewhere. Your recordset is called oRS so the check should probably be

"If oRS.EOF = False then"

<edit>Hah. You edited your post to get an error on the query

echo out the composed sql and then copy paste it to a querywindow in your db to see if it's valid. Or maybe post the code you now have because i'm quite sure you'll still have other errors</edit>

sagat
08-27-2004, 08:22 AM
this is what i have:

<%@Language=VBScript%>

<%

' variables
dim oConn
dim rs
dim StrUsername
dim StrPassword
dim StrConn
dim oRS
dim sqlStr

StrUsername = REPLACE(request.form("Username"), "'", "''")
StrPassword = REPLACE(request.form("Password"), "'", "''")

Set oConn = Server.CreateObject("ADODB.Connection")
StrConn = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("netteh.mdb") & ";"
oConn.open StrConn

sqlStr = "Select * From Students where StrUsername = '" _
& Request.Form("username") & "' and password = '" & Request.Form("password") & "'"
Set oRS = oConn.Execute(SQL)

Session("Username") = oRS("Username")

If rs.EOF = False then
'it found a record, so the login info is correct
Session("Firstname") = oRS("Firstname")
Else
'it did NOT find a record so let them know it was an invalid entry
Response.Redirect("frontpage.asp")
End if


Response.Write Session("Username")
Response.Write "<br>"
Response.Write Session("Firstname")


oRS.Close
oConn.Close
Set oRS = Nothing
Set oConn = Nothing

%>

Error Type:
Microsoft JET Database Engine (0x80040E0C)
Command text was not set for the command object.
/TMP2jbr233dly.asp, line 24


line 24: Set oRS = oConn.Execute(SQL)

raf
08-27-2004, 12:28 PM
Hmm. I don't think you really know what you are doing.

If you copy some code, but change the variable names, then you of course need to change them throughout your code. The error you get on

Set oRS = oConn.Execute(SQL)
is caused by the "SQL". This was the variable name in your original code, that contained the sql-query as a string value. In your latest version of that code, you renamed that variable to "sqlStr".

So either rename the sqlStr back to SQL or change the
Set oRS = oConn.Execute(SQL)
into
Set oRS = oConn.Execute(sqlStr)

then you have this buggy line
Session("Username") = oRS("Username")
which should be moved a few lines down to the if-clause (you can only call the querystringvalue if there is a record returned, so you would get an error if no records are returned)

The next error that you'll get will point to this line
If rs.EOF = False then
which should be
If oRS.EOF = False then

your selectquery should also be rewritten to

sqlStr = "Select TOP 1 Username, Firstname From Students where StrUsername = '" _
& Request.Form("username") & "' and password = '" & Request.Form("password") & "' ORDER BY Username ASC"

or else you need to check if the returned recordcount is higher than 1 before processing it

sagat
08-27-2004, 04:31 PM
Thanks guys this is the code i have now:

<%@Language=VBScript%>

<%
StrUsername = REPLACE(request.form("username"), "'", "''")
StrPassword = REPLACE(request.form("password"), "'", "''")

Set oConn = Server.CreateObject("ADODB.Connection")
StrConn = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("netteh.mdb") & ";"
oConn.open StrConn

sqlStr = "Select TOP 1 Username, Firstname From Students where StrUsername = '" _
& Request.Form("username") & "' and password = '" & Request.Form("password") & "' ORDER BY Username ASC"
Set oRS = oConn.Execute(SQL)


Session("Username") = oRS("Username")

If oRS.EOF = False then
'it found a record, so the login info is correct
Session("Username") = oRS("Username")

Else
'it did NOT find a record so let them know it was an invalid entry
Response.Redirect("frontpage.asp")
End if

Response.Write Session("Username")
Response.Write "<br>"
Response.Write Session("Firstname")

oRS.Close
oConn.Close
Set oRS = Nothing
Set oConn = Nothing

%>

Error Type:
Microsoft JET Database Engine (0x80040E0C)
Command text was not set for the command object.
/TMP5fch13401e.asp, line 13


Set oRS = oConn.Execute(SQL)


This is the current snag; if you guys could rewrite or correct it i would be grateful. thanks

Morgoth
08-27-2004, 09:08 PM
HOW HARD IS IT TO USE [ CODE ] TAGS?! I use them, and I think 90% of the rest of the forum uses them!
It makes it 100 times easier for everyone to read!

Now look, you're not doing what raf said. If you don't listen you won't learn anything. The problem with your code shouldn't take this many messages to answer.

I re-wrote your code, and I suggest you go through it, and see what I changed, then try the code without adding any of your own changes, see if it works. If it works tell us, and we can move on. If it's still broken, it's probably not the code.



<%Option Explicit

Dim StrUsername, StrPassword, oConn, StrConn, SQL, oRS

StrUsername = "a" 'Replace(Request.Form("username"), "'", "''")
StrPassword = "b" 'Replace(Request.Form("password"), "'", "''")

Set oConn = Server.CreateObject("ADODB.Connection")
StrConn = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("netteh.mdb") & ";"
oConn.open StrConn

SQL = "SELECT Username, Firstname FROM Students WHERE Username = '" & StrUsername & "' And Password = '" & StrPassword & "'"
Set oRS = oConn.Execute(SQL)

If oRS.EOF = False Then ' Login Successful
Session("Username") = oRS("Username")
Session("Firstname") = oRS("Firstname")
Else ' Login Failure
Response.Redirect("frontpage.asp")
End if

Response.Write Session("Username")
Response.Write "<br>"
Response.Write Session("Firstname")

oRS.Close
oConn.Close
Set oRS = Nothing
Set oConn = Nothing
%>


Edit:


or else you need to check if the returned recordcount is higher than 1 before processing it

raf can you explain to me why you need "TOP 1" and "ORDER BY Username ASC"? The code I posted works fine, when I tested it.

sagat
08-27-2004, 09:29 PM
Thanks, it worked. I am not too familiar with the code tags; I don't usually use them. I will be using them now. You are right, it need not take this many messages to answer this question

raf
08-27-2004, 09:39 PM
morgoth,

there are several reasons:
- there will be only one record with that username or password. If there's more than one then your db is corrupted and this will make sure the app won't break then
- this is also a good and easy way to prevent sql-injections that try to inject a wildcarded or-clause (if you know my meaning) so that buggy code would consider it a valid login (you know, these noobs that select all records with that username and then start comparing the pwd in a loop kinda jokes)
- this will speed up performance. TOP 1 is optimised to stop processing the table as soon as 1 record is retrieved (well, because Microsoft is incapable of getting it right, the RDBM will continue to retrieve and process records that have the same username as the username from the TOP 1 record --> it will even return these rows !! since it doesn't discriminate)

So if your db is any good, this will speed up retrieval + it makes your ASP code a bit easier. With MySQL's variant (LIMIT 1), or any other decent db for that matter, the advantages are of course bigger since they implemented the limiting as it should.

But you are right that it is not required. It's just something I use as a good practice and if you use a decent db, it's really something I'd recommend (not done much Jet-db recently). The same goes for delete and update statements. If you for instance delete the record where you have the PK-value from, then in MySQL you just add a LIMIT 1 to your query to ensure that there will be maximally 1 record deleted/updated (even if your query got screwed up or poisoned).

it was not my intention to give the impression that your query was bad.

Morgoth
08-27-2004, 10:19 PM
That seems like a smart way for protection.
I believe we should place the blame on to Microsoft for all the weird situations we can climb ourselves into because of ASP.
;)

I will have to try this, and see where it will apply in my code.
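
Added example, not part of the thread and not any poster's code: the login queries above put form input into the SQL text by string concatenation, and TOP 1 only limits how many rows come back. The version below binds the two form values as parameters of an ADODB.Command instead, so they never become part of the SQL text. The 50-character field size, the bracketed [Password] column name and the HTMLEncode on output are assumptions made for this example; the database, table, column and page names are the ones used in the thread.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit

' ADO constants (values from adovbs.inc)
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202
Const MAX_LEN = 50   ' assumed size of the Username/Password text fields

Dim oConn, oCmd, oRS, StrConn, StrUsername, StrPassword, bLoggedIn

' Force the form values to strings and cap them at the assumed field size
StrUsername = Left(CStr(Request.Form("username")), MAX_LEN)
StrPassword = Left(CStr(Request.Form("password")), MAX_LEN)

Set oConn = Server.CreateObject("ADODB.Connection")
StrConn = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("netteh.mdb") & ";"
oConn.Open StrConn

' The ? markers are filled from the Parameters collection in order;
' the user's input is sent as data, not concatenated into the query.
Set oCmd = Server.CreateObject("ADODB.Command")
Set oCmd.ActiveConnection = oConn
oCmd.CommandType = adCmdText
oCmd.CommandText = "SELECT Username, Firstname FROM Students " & _
                   "WHERE Username = ? AND [Password] = ?"
oCmd.Parameters.Append oCmd.CreateParameter("pUser", adVarWChar, adParamInput, MAX_LEN, StrUsername)
oCmd.Parameters.Append oCmd.CreateParameter("pPass", adVarWChar, adParamInput, MAX_LEN, StrPassword)
Set oRS = oCmd.Execute

' Only read the fields when a row was returned
bLoggedIn = Not oRS.EOF
If bLoggedIn Then
    Session("Username") = oRS("Username").Value
    Session("Firstname") = oRS("Firstname").Value
End If

' Clean up before any redirect, because Response.Redirect ends the script
oRS.Close
oConn.Close
Set oRS = Nothing
Set oCmd = Nothing
Set oConn = Nothing

If Not bLoggedIn Then Response.Redirect "frontpage.asp"

' Encode stored values on output so markup in a name is shown as text
Response.Write Server.HTMLEncode(Session("Username") & "")
Response.Write "<br>"
Response.Write Server.HTMLEncode(Session("Firstname") & "")
%>
```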


