Error Updating Access DB

TheMSsForum.com: The Microsoft Software Forum

Hi everyone!

I have a log in page and I want to increment a counter in my DB for each
time a userID logs in. I can connect and retrieve information from the DB
just fine, but my attemps to update cause an "Internal Server Error" Talked
to a friend and he thought that it might have something to do with the table
being locked from a
previous Select statement. So I tried just doing the Update statement and
nothing else - that didn't work. I tried hard coding the statement to rule
out a missing ' or "" or something - that didn't work. Tried running the
statement direct against the DB - and that did work. I just don't
understand what the heck I'm doing wrong. I'm pulling my hair out and any
ideas/suggestions would be greatly appreciated. I had orginally posted this
question on the FrontPage board but thought maybe it would be more
appropriate here. Here is the EmpLogOn.inc in its entirety.

<%
' Do not cache this page.
Response.CacheControl = "no-cache"

' Define the name of the users table.
Const USERS_TABLE = "tblUsers"
' Define the path to the logon page.
Const LOGON_PAGE = "/EmpLogOn.asp"
' Define the path to the logon database.
Const MDB_URL = "/_private/EmpLogOn.mdb"

' Check to see whether you have a current user name.
If Len(Session("UID")) = 0 Then
' Are you currently on the logon page?
If LCase(LOGON_PAGE) <> LCase(Request.ServerVariables("URL")) Then
' If not, set a session variable for the page that made the request...
Session("REFERRER") = Request.ServerVariables("URL")
' ...and redirect to the logon page.
Response.Redirect LOGON_PAGE
End If
End If

' This function checks for a username/password combination.
Function ComparePassword(UID,PWD)
' Define your variables.
Dim strSQL, objCN, objRS
' Set up your SQL string.

strSQL = "SELECT * FROM " & USERS_TABLE & _
" WHERE (UID='" & ParseText(UID) & _
"' AND PWD='" & ParseText(PWD) & "');"

' Create a database connection object.
Set objCN = Server.CreateObject("ADODB.Connection")
' Open the database connection object.
' Open the database connection object.
objCN.Open "driver={Microsoft Access Driver (*.mdb)}; dbq=" & _
Server.MapPath(MDB_URL) & "; uid=admin; pwd="
' Run the database query.
Set objRS = objCN.Execute(strSQL)

'incrememt the counter if login worked

If objRS.EOF = false then
Dim CompanyCounter1
CompanyCounter1 = objRS("CompanyCounter") + 1

strSQL = "UPDATE " & USERS_TABLE & _
" SET CompanyCounter = '" & CompanyCounter1 & _
"' WHERE (UID='" & ParseText(UID) & _
"' AND PWD='" & ParseText(PWD) & "');"
******THIS IS THE LINE THAT FAILS IF NOT COMMENTED OUT****
'objCN.Execute (strSQL)
end if

' Set the status to true/false for the database lookup.
ComparePassword = Not(objRS.EOF)
' Close your database objects.
Set objRS = Nothing
Set objCN = Nothing
End Function



' This function checks for a username/password combination.
Function GetName()
' Define your variables.
Dim strSQL, objCN, objRS
' Set up your SQL string.
strSQL = "SELECT * FROM " & USERS_TABLE &" WHERE (UID='" &
ParseText(Session("UID")) & "');"
' Create a database connection object.
Set objCN = Server.CreateObject("ADODB.Connection")
' Open the database connection object.
objCN.Open "driver={Microsoft Access Driver (*.mdb)}; dbq=" & _
Server.MapPath(MDB_URL) & "; uid=admin; pwd="
' Run the database query.
Set objRS = objCN.Execute(strSQL)

GetName = objRS("CompanyName")
' Close your database objects.
Set objRS = Nothing
Set objCN = Nothing
End Function


' This function checks for a username/password combination.
Function GetImage()
' Define your variables.
Dim strSQL, objCN, objRS
' Set up your SQL string.
strSQL = "SELECT * FROM " & USERS_TABLE &" WHERE (UID='" &
ParseText(Session("UID")) & "');"
' Create a database connection object.
Set objCN = Server.CreateObject("ADODB.Connection")
' Open the database connection object.
objCN.Open "driver={Microsoft Access Driver (*.mdb)}; dbq=" & _
Server.MapPath(MDB_URL) & "; uid=admin; pwd="
' Run the database query.
Set objRS = objCN.Execute(strSQL)

GetImage = objRS("CompanyImage")
' Close your database objects.
Set objRS = Nothing
Set objCN = Nothing
End Function

' This function restricts text to alpha-numeric data only.
Function ParseText(TXT)
Dim intPos, strText, intText
For intPos = 1 TO Len(TXT)
intText = Asc(Mid(TXT,intPos,1))
If (intText > 47 And intText < 58) Or _
(intText > 64 And intText < 91) Or _
(intText > 96 And intText < 123) Then
strText = strText & Mid(TXT,intPos,1)
End if
Next
ParseText = strText
End Function
%>

Thank you!!!!!
Top

Re: Error Updating Access DB by Bob

Bob
Sat Mar 18 08:12:41 CST 2006

Erica wrote:
> Hi everyone!
>
> I have a log in page and I want to increment a counter in my DB for
> each time a userID logs in.

A better place to have posted this would have been
microsoft.public.inetserver.asp.db

But since we are here...

> I can connect and retrieve information
> from the DB just fine, but my attemps to update cause an "Internal
> Server Error"

Your first task is to determine the real error. You have two options. Most
people choose to do this:
http://www.aspfaq.com/show.asp?id=2109

However, i would suggest combining this with doing some error-trapping in
your code to prevent users from receiving detailed error messages that
potentially could aid hackers to penetrate your site/database:

on error resume next
'execute a statement that could cause an error, then
if err<>0 then
'log the error in a file on your server
response.write "friendly error message that provides " & _
"no details about your database/website structure"
end if
'turn off error-handling
on error goto 0

In the development/debugging phase, of course, just turning off "friendly
errors" in IE and commenting out all "on error resume next" statements is
perfectly acceptable.


> Here is the EmpLogOn.inc in its entirety.

Oohhh, overkill!
However, I do have some suggestions. See inline:

>
>
> ' This function checks for a username/password combination.
> Function ComparePassword(UID,PWD)
> ' Define your variables.
> Dim strSQL, objCN, objRS
> ' Set up your SQL string.
>
> strSQL = "SELECT * FROM " & USERS_TABLE & _
> " WHERE (UID='" & ParseText(UID) & _
> "' AND PWD='" & ParseText(PWD) & "');"

Dynamic sql is not very secure ... especially for validating users. The huge
danger of course is "sql injection":
http://mvp.unixwiz.net/techtips/sql-injection.html

My preference is to use "saved parameter queries", also known as stored
procedures or views (in Jet):
http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=e6lLVvOcDHA.1204%40TK2MSFTNGP12.phx.gbl

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&selm=eHYxOyvaDHA.4020%40tk2msftngp13.phx.gbl

However, parameters can be used without stored procedures:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

>
> ' Create a database connection object.
> Set objCN = Server.CreateObject("ADODB.Connection")
> ' Open the database connection object.
> ' Open the database connection object.
> objCN.Open "driver={Microsoft Access Driver (*.mdb)}; dbq=" & _
> Server.MapPath(MDB_URL) & "; uid=admin; pwd="

Nothing to do with your problem, but:
http://www.aspfaq.com/show.asp?id=2126

>
> 'incrememt the counter if login worked
>
> If objRS.EOF = false then
> Dim CompanyCounter1
> CompanyCounter1 = objRS("CompanyCounter") + 1

This statement is not necessary. You can close this recordset right now if
you aren't going to do anything with it later on in your code.

>
> strSQL = "UPDATE " & USERS_TABLE & _
> " SET CompanyCounter = '" & CompanyCounter1 & _

This can be changed to (assuming CompanyCounter is a Number field rather
than a Text field, you use of quote delimiters notwithstanding - see the
link I cited above which contains the rules for delimiting data in sql
statements, unless you wish to change to using parameters of course, in
which case you no longer have to worry about delimiters.):

" SET CompanyCounter = CompanyCounter + 1 "

> "' WHERE (UID='" & ParseText(UID) & _
> "' AND PWD='" & ParseText(PWD) & "');"

This ParseText business can probably be avoided if you switch to the easier
technique of using parameters.
You SHOULD continue validating user input before using it, just to detect
hack attempts.

> ******THIS IS THE LINE THAT FAILS IF NOT COMMENTED OUT****
> 'objCN.Execute (strSQL)

The code does us no good without knowing what your error message is. Here
are some likely suspects:
http://www.aspfaq.com/show.asp?id=2062 - updatable cursor
http://www.aspfaq.com/show.asp?id=2009 - 80004005 errors

Bob Barrows

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"


Top

Re: Error Updating Access DB by Bob

Bob
Sat Mar 18 08:14:24 CST 2006

Erica wrote:
> Hi everyone!
>
> I have a log in page and I want to increment a counter in my DB for
> each time a userID logs in.

Oh! And I forgot to post this link which you may find helpful:
http://www.aspfaq.com/show.asp?id=2491

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"


Top

Re: Error Updating Access DB by Erica

Erica
Mon Mar 20 09:06:03 CST 2006

Bob,

Thank you, thank you, thank you!

It turns out that the ISP had the directory where my DB resides flagged as
'read only' So now everything is working.

This is not only my first web site, but also my first stab at asp - so I'm
going to take all the great info you gave me - study it and learn from it.

Thanks again!





"Bob Barrows [MVP]" wrote:

> Erica wrote:
> > Hi everyone!
> >
> > I have a log in page and I want to increment a counter in my DB for
> > each time a userID logs in.
>
> Oh! And I forgot to post this link which you may find helpful:
> http://www.aspfaq.com/show.asp?id=2491
>
> --
> Microsoft MVP - ASP/ASP.NET
> Please reply to the newsgroup. This email account is my spam trap so I
> don't check it very often. If you must reply off-line, then remove the
> "NO SPAM"
>
>
>
Top