CodeCharge Studio


YesSoftware Forums -> Archive -> GotoCode Archive

 URL Spoofing


Stuart
Posted: 07/05/2003, 7:11 PM

Quoted from Nicole in
http://www.gotocode.com/disc_viewt.asp?mid=12232

"In order to forbid users from editing records belonging to other users in case a user just changes the value of the parameter passed through the URL, you should check the passed value in the form's Before Show event. Scenario: catch the passed value, look up the corresponding user_id value and compare it to the user_id stored in the session. If they are different, it means that the user tried to access a record that belongs to another user. In this case you can redirect him to any other page.


Sample code:

// Value of user_id as passed in the URL (untrusted)
$passed = CCGetParam("user_id", "");
$db = new clsDBconnection_name();
// Look up the user_id that belongs to the logged-in session
$looked_up = CCDLookUp("user_id", "users_table", "user_id=". CCGetSession("UserID"), $db);
// Different values mean the user asked for somebody else's record: redirect
if (strcmp($passed, $looked_up) != 0) {
    header("Location: Page_name.php");
    exit; // stop the page from rendering after the redirect
}"


I am using ASP with templates. Can anybody translate the above to ASP?

Please :-)
Stuart
Posted: 07/07/2003, 8:22 AM

Anybody?
EMG
Posted: 07/07/2003, 10:11 AM

Dim passed, rs
passed = CCGetParam("user_id", "")
' DBmyDB is your connection name - see ~ line 22 in common.asp (take off the cls prefix)
Set rs = DBmyDB.Execute("SELECT user_id FROM users_table WHERE user_id=" & CCGetSession("UserID"))
' Redirect when the id passed in the URL is not the logged-in user's own id
If passed <> rs(0) Then
    Response.Redirect "Newpage.asp"
End If
Stuart
Posted: 07/07/2003, 9:49 PM

Ok this is my common.asp


' Create database connection string, login and password variables
'-------------------------------
Dim strConn, strLogin, strPassword
strConn = "americancom"
strLogin = ""
strPassword = ""




So now is this it?


Dim passed, rs
passed = CCGetParam("member_id","")
set rs = americancom.execute(select member_id from members table where member_id=" & CCGetSession("UserID"))
' Redirect when the id passed in the URL is not the logged-in member's own id
If passed <> rs(0) Then
    Response.Redirect "Login.asp"
End If


-----------

But I get this:


Microsoft VBScript compilation error '800a03ea'

Syntax error

/Sites/Americancom/main_site/ViewMyAd.asp, line 307

set rs = americancom.execute(select member_id from members table where member_id=" & CCGetSession("UserID"))
-------------------------------------^


Thank you for any more help.
EMG
Posted: 07/08/2003, 6:38 AM

The error is coming from the missing double quote at the beginning of the select statement (as the error reveals, a syntax error). Fix that and we shall see if the connection object is correct. You are using CCS, right? Not CC? If you are using CCS, look down around line 21 and look for "class clsDB...". This is the db connection class where you will use the class name (without the cls prefix).
Stuart
Posted: 07/08/2003, 7:48 AM

I am using CC and not CCS. How does that change this?

Thanks
EMG
Posted: 07/08/2003, 10:04 AM

Go ahead and fix the syntax error and your connection object should work. I haven't used CC in a while. Look in the common file for execution methods off the connection object and use that name; it looks like you already are. Let me know how it works.
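The Before Show ownership check this thread is translating, as an added example (not code from the thread, from CodeCharge or from YesSoftware). It is written in Python against an in-memory sqlite table that stands in for the site's data; the `ads` table, its columns and the sample rows are assumptions. It follows Nicole's description (look up the owner of the record named in the URL, compare it to the session's id) using a parameterised query, and it handles the cases the VBScript above would trip on: no session, a non-numeric URL value, and an empty recordset (where `rs(0)` raises).

```python
import sqlite3
from typing import Optional

LOGIN_PAGE = "Login.asp"  # redirect target used in the thread


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: each ad row records the member who owns it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ads (ad_id INTEGER PRIMARY KEY, member_id INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO ads VALUES (?, ?)", [(100, 7), (101, 8)])
    return conn


def owner_check(
    conn: sqlite3.Connection, passed_ad_id: str, session_member_id: Optional[int]
) -> Optional[str]:
    """Before Show logic for a 'view my ad' page.

    Returns None when the logged-in member owns the requested ad, otherwise
    the page to redirect to (the equivalent of Response.Redirect).
    """
    if session_member_id is None:
        return LOGIN_PAGE  # nobody is logged in
    try:
        ad_id = int(passed_ad_id)  # the URL parameter is untrusted text
    except (TypeError, ValueError):
        return LOGIN_PAGE  # garbage in the URL is treated as a denied request
    # Parameterised query rather than concatenating values into the SQL string.
    row = conn.execute(
        "SELECT member_id FROM ads WHERE ad_id = ?", (ad_id,)
    ).fetchone()
    if row is None:
        return LOGIN_PAGE  # no such record; rs(0) would have thrown here
    if row[0] != session_member_id:
        return LOGIN_PAGE  # record belongs to another member
    return None
```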

These are Community Forums for users to exchange information.
If you would like to obtain technical product help please visit http://support.yessoftware.com.



Powered by UltraApps Forum created with CodeCharge Studio
Copyright © 2003-2004 by UltraApps.com  and YesSoftware, Inc.