-1

After including a routine to check if a user "Usuario" is registered in the database, I'm getting the error message below in any browser:

error '80020009' /novo.asp, line 31

The basic routine is:

set verificar = conexao.execute ("select Usuario from empresas")
while not verificar.eof

verificar.movenext

if  Cadastrar_CodEmpresa = verificar("Usuario")   Then
              response.Redirect("index.asp?pagina=login") 



if not verificar.eof Then

verificar.movenext
    End if


 set cadastrar_cadastro = conexao.execute("insert into Empresas (Usuario,Telefone) Values ('" & Cadastrar_CodEmpresa & "' , '" & Cadastrar_Telefone & "')")



    End if  Wend

My full code follows:

 if request.Form("commentForm") = "sim" then



Cadastrar_CodEmpresa = request.Form("CodEmpresa")
Cadastrar_Segmento = request.Form("Segmento")
Cadastrar_Endereco = request.Form("Endereco")
Cadastrar_Bairro = request.Form("Bairro")
Cadastrar_Cidade = request.Form("Cidade")
Cadastrar_CEP = request.Form("CEP")
Cadastrar_Pais = request.Form("Pais")
Cadastrar_Contato = request.Form("Contato")
Cadastrar_Telefone = request.Form("Telefone")
Cadastrar_Email = request.Form("email")


set verificar = conexao.execute ("select Usuario from empresas")
while not verificar.eof

verificar.movenext

if  Cadastrar_CodEmpresa = verificar("Usuario")   Then
              response.Redirect("index.asp?pagina=login") 



if not verificar.eof Then

verificar.movenext
    End if


 set cadastrar_cadastro = conexao.execute("insert into Empresas (Usuario,Telefone) Values ('" & Cadastrar_CodEmpresa & "' , '" & Cadastrar_Telefone & "')")



    End if  Wend
user692942

1 Answer

0

It seems that you get that error message if a recordset field is null. What I believe that you are trying to do is to redirect a user to a login page if he's already registered, otherwise insert a new record into the database. There's a simpler way of doing this:

set verificar = conexao.execute ("select * from empresas where Usuario = '"& Cadastrar_CodEmpresa &"'")

If not (verificar.eof and verificar.bof) Then
    verificar.close
    response.Redirect("index.asp?pagina=login")
Else
    verificar.close
    conexao.execute("insert into Empresas (Usuario,Telefone) Values ('" & Cadastrar_CodEmpresa & "' , '" & Cadastrar_Telefone & "')")
End If

The logic of this is: if the form value "CodEmpresa" doesn't match a value in the database, you get an empty recordset and a database insert occurs; if the value does match, then you get a redirect.

I should add a warning seeing as you're inserting data - if this is a public facing page then you need to look at ways of guarding against SQL injection attacks.

John
  • Disagree with re-writing the code and leaving the SQL Injection vulnerability in. Providing a warning isn't enough as you've given them what they wanted so they'll happily go off and implement it. If you are going to provide code, provide parameterised examples using `ADODB.Command`. – user692942 Mar 22 '17 at 23:59
  • I will study this statement more: "If not (verificar.eof and verificar.bof) Then". So for SQL injection I have a complete VBScript to remove SQL injections: array("select", "drop", ";", "--", "insert", "delete", "xp_") etc. – Raphael Guarita Mar 23 '17 at 11:32
  • The logic is that if eof (end of field) and bof (beginning of field) are true at the same time then the recordset must be empty. One way of guarding against SQL injections is to sanitise your inputs at the `request.form()` stage, but parameterised queries offer a much more robust way of doing this. You should find plenty of examples here on Stack Overflow, and elsewhere - here's one for you to start with http://stackoverflow.com/questions/770419/how-to-make-a-parametrized-sql-query-on-classic-asp – John Mar 23 '17 at 13:12
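
The parameterised form recommended in the comments, as an added example that is not code from the thread: the same check-then-insert, done with `ADODB.Command` placeholders instead of string concatenation. It assumes `conexao` is the open connection from the question; the helper names `NovoComando` and `CadastrarEmpresa` and the column sizes 50 and 20 are hypothetical.

```vbscript
' Added example, not code from the thread. Assumes conexao is the open
' ADODB.Connection from the question; column sizes 50 and 20 are assumed.
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200
Const adExecuteNoRecords = 128

' Hypothetical helper: a text command whose ? placeholders are bound to
' values, so form input is never concatenated into the SQL string.
Function NovoComando(conn, sql)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sql
    Set NovoComando = cmd
End Function

' Hypothetical helper: True if a row was inserted, False if Usuario exists.
Function CadastrarEmpresa(conn, usuario, telefone)
    Dim cmd, rs, existe
    Set cmd = NovoComando(conn, "SELECT Usuario FROM Empresas WHERE Usuario = ?")
    cmd.Parameters.Append cmd.CreateParameter("usuario", adVarChar, adParamInput, 50, usuario)
    Set rs = cmd.Execute
    existe = Not rs.EOF
    rs.Close
    If Not existe Then
        Set cmd = NovoComando(conn, "INSERT INTO Empresas (Usuario, Telefone) VALUES (?, ?)")
        cmd.Parameters.Append cmd.CreateParameter("usuario", adVarChar, adParamInput, 50, usuario)
        cmd.Parameters.Append cmd.CreateParameter("telefone", adVarChar, adParamInput, 20, telefone)
        cmd.Execute , , adExecuteNoRecords
    End If
    CadastrarEmpresa = Not existe
End Function

' & "" turns a missing form field into an empty string.
Cadastrar_CodEmpresa = Trim(Request.Form("CodEmpresa") & "")
Cadastrar_Telefone = Trim(Request.Form("Telefone") & "")

' Reject values the assumed column sizes cannot hold before binding them.
If Cadastrar_CodEmpresa = "" Or Len(Cadastrar_CodEmpresa) > 50 Or Len(Cadastrar_Telefone) > 20 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' A value such as O'Brien is compared and stored as literal text.
If Not CadastrarEmpresa(conexao, Cadastrar_CodEmpresa, Cadastrar_Telefone) Then
    Response.Redirect "index.asp?pagina=login"
End If
```

The check and the insert are still two separate statements, so a unique index on `Usuario` is what finally prevents duplicate rows under concurrent requests.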