| Author |
Topic |
|
mastajbl
Starting Member
42 Posts |
Posted - 2009-05-04 : 14:20:54
|
I am trying to update the password field when a user needs to change their password. Now I'm not sure if I am going about this the right way, but this is what I have. The problem occurring is that it is saying Unterminated string constant.

query = "UPDATE login (Password) VALUES "& Request.Cookies("Password")"
conn.Execute (query) |
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
|
|
mastajbl
Starting Member
42 Posts |
Posted - 2009-05-04 : 14:41:35
|
Even though the user will be sending this via a web application?? Let me post my whole code so you have a better idea as to what I'm doing maybe... not sure I explained or gave you enough details. It's VBScript, but the part I am having problems with is my update query section as posted previously.

<%
Username = Request.Cookies("userID")
Password = Request.Form("Pass1")
Response.Cookies("Password")= Request.Form("Pass1")
if UserName<>"" then
    if Password<>"" then
        set conn = Server.CreateObject ("ADODB.Connection")
        conn.Open Application("connString")
        query = "SELECT [Password] FROM Login WHERE userID='" & UserName & "' AND Password='" & Password & "'"
        set rs = conn.Execute (query)
        ' Check if the user and password are valid
        if rs.eof then
            ' There is no record to match the UserName and Password
            Response.Write "<p class=errmsg>Invalid user and password!</p>"
            conn.Close
        else
            ' User login ok and set the user_id value from the Members table in a session variable
            Response.Cookies("chgPassword") = rs("chgPassword")
            rs.close
            set rs = nothing
            ' Insert a new password in the login table with the password.
            query = "UPDATE login (Password) VALUES ("& Request.Cookies("Password")")"
            conn.Execute (query)
            conn.close
            set conn = nothing
            Response.Redirect "loginauth2.asp"
        end if
    else
        Response.Write "<p class=errmsg>Please fill both fields.</p>"
    end if
end if
%> |
 |
|
|
Lamprey
Master Smack Fu Yak Hacker
4614 Posts |
Posted - 2009-05-04 : 14:47:06
|
You shouldn't concat strings like that. But it looks like your update syntax is invalid. Try:

query = "UPDATE login SET Password = '" & Request.Cookies("Password") & "' WHERE userID='" & UserName & "'"

EDIT: Good call Tara. I forgot about the WHERE clause. |
 |
|
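The alternative to the string concatenation discussed above, as an added example that is not part of the thread: the same password change done with ADO parameters, so values arriving in `Request.Form` and `Request.Cookies` are bound as data and never parsed as SQL. The `NewPass` form field and the 255-character column width are assumptions; the table, column and page names follow the posts above.

```vbscript
<%
' Added example, not code from the thread.
' ADO constants are defined here because plain ASP does not know them;
' remove this line if adovbs.inc is already included.
Const adCmdText = 1, adVarChar = 200, adParamInput = 1, adExecuteNoRecords = 128

Dim userName, oldPassword, newPassword, conn, cmd, affected
' All three values are sent by the browser, so they are user-controlled
' even though this script itself runs on the server.
userName    = Request.Cookies("userID")
oldPassword = Request.Form("Pass1")
newPassword = Request.Form("NewPass")   ' hypothetical field name

If userName = "" Or oldPassword = "" Or newPassword = "" Then
    Response.Write "<p class=errmsg>Please fill both fields.</p>"
Else
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("connString")

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' One statement checks the current password and sets the new one.
    ' The ? markers are bound by position, in the order the parameters are appended.
    ' [Password] is bracketed as in the SELECT posted above.
    cmd.CommandText = "UPDATE login SET [Password] = ? WHERE userID = ? AND [Password] = ?"
    ' 255 is an assumed column width; adjust to the real table definition.
    cmd.Parameters.Append cmd.CreateParameter("newPwd", adVarChar, adParamInput, 255, newPassword)
    cmd.Parameters.Append cmd.CreateParameter("userID", adVarChar, adParamInput, 255, userName)
    cmd.Parameters.Append cmd.CreateParameter("oldPwd", adVarChar, adParamInput, 255, oldPassword)

    ' affected receives the number of rows the UPDATE changed.
    cmd.Execute affected, , adExecuteNoRecords
    conn.Close
    Set cmd = Nothing
    Set conn = Nothing

    If affected > 0 Then
        Response.Redirect "loginauth2.asp"
    Else
        ' No row matched userID plus current password, so nothing was changed.
        Response.Write "<p class=errmsg>Invalid user and password!</p>"
    End If
End If
%>
```

Because the values are passed as parameters, an apostrophe inside a password no longer terminates the string literal in the statement, and no manual quoting is needed.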
|
tkizer
Almighty SQL Goddess
38200 Posts |
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
|
|
mastajbl
Starting Member
42 Posts |
Posted - 2009-05-04 : 14:54:45
|
| Yeah, it appears you're right... I missed a few things in there. Does SQL injection apply to Access databases as well? It appears I have some reading to do in the meantime. |
 |
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
|
|
mastajbl
Starting Member
42 Posts |
Posted - 2009-05-04 : 15:12:56
|
Well, after doing some reading I can see how the code is vulnerable; however, it is run entirely on server side so I don't see how you could inject coding into it??

On the other hand I am receiving a new error.

[Microsoft][ODBC Microsoft Access Driver] Syntax error in UPDATE statement.

It is happening at the conn.Execute

query = "UPDATE login WHERE userID='" & UserName &"' SET Password = " & Request.Cookies("chgPassword")
conn.Execute (query) |
 |
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
|
|
mastajbl
Starting Member
42 Posts |
Posted - 2009-05-04 : 15:27:47
|
| Hmmm.. it definitely updated my database for my userid, but it removed my password without inputting my new one... any idea on that?? |
 |
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
|
|
|