when guarding against sql injection attack from modified form or querystring variables is it enough to strip out just apostrophes...if the variable USERNAME is the name of a text box passed to a script is the below always safe...
q1="select * from TABLENAME where username='" & trim(replace(request("USERNAME"),"'","''")) & "'"
select contactname,contactnumber,contactnumber1,contactem ail,address,city,state ,zip,type,sqft,0,bedrooms,baths,lotsize,acreage,ga rage,comments,price,0, 0,county from table1 where active='Y'
I need HASPHOTO to equal 1 if hasphoto <> 0 and HASPHOTO=0 when hasphoto=0. Make sense? HASPHOTO usually equals a number, but in this case, I want it to equal a 1 or 0 because I am exporting this to a CSV file. I know how to do everything else, just not this part.
I am trying to construct an If Statement from an URL variable.
Basically if a string in the URL variable, reads, 'Technology, then I want to response.write something. If its anything different, then i would like to response.write something different. The URL = news.asp?type=technology
I have already declared that the lngRecord = Request.QueryString("type") and I have constructed the following If statement off the top of my head, but its not working properly.
I have also been able to access an individual page depending on the URL variable so it's definitely a problem with only my poorly-constructed If statement and nothing else
The form post an agent name to the next page it then takes that name and matches it to the database and shows all entries that agent has. my problem is with calling the variable in the query I just cant seem to get the syntax right Code:
I have a SQL DB with a number of tables and queries (views) in.
In front of this is my ASP app I am designing.
When my users log in, their User ID is stored in a session variable.
One of the views determines which User ID can access which records, and obviously then I want to base all my app around this so that a user can only ever be working on data relevant to them.
Is there any way of using a variable in my SQL View outside of DWMX so that once my users log in, the SQL View is automatically filtered based on their User ID in the session variable?
Is there a way of inserting a variable/parameter into SQL so this happens?
I've never seen this before. I am new to querystrings, as just using hidden fields and the POST method has been more than adequate for me until recently. But I started using the GET method, and I noticed that when I clicked the submit button, it gave me this for a URL:
The thing is, selectTSE and Status are the two <SELECT> boxes, so I understand them being there. But why is is telling me the x and y coordinates of where I clicked the button to submit the form? I should add that the submit button is an image, not a regular button. This doesn't hurt anything, just wondering why it's there. And maybe it will hurt something later on; I don't know enough to say.
can cookies be passed from a pop up "secure folder log in" window, provided by my hosting company? As I would like to display a welcome message with their name when they log in.
when i try passing a numeric value as a string("0004") using asp to a stored procedure, the value is stored as 4 and not as 0004 in the table. In the table and stored procedure the value type is nvarchar.
I'm trying to pass paramter values to another .aspx page via a querystring. The record in the db table looks something like this lahlahlah. The value that gets passed looks like this lahblahblah. So basically the is not getting passed.
When i submit this form all the record values are being passed to the next asp page. But i want only those records which the user has changed in this page.
Would anyone be kind enough to give me a solution to the problem below please?
If for example in the stored procedure looks like this:
-- Initialize the SQL Server XML stored procedures EXEC sp_xml_preparedocument @xmlDoc OUTPUT, @xmlString
Insert into @TableBook SELECT * FROM OPENXML (@xmlDoc, 'books/book') WITH ( bookNameVARCHAR(100) 'name', authorVARCHAR(100) 'author' )
The question is supposing there is a node called 'Surname' but I am not adding 'Surname' to 'Author'. If I want to check 'Surname' value DOES exists and I want to replace it with 'Author' or if 'Surname' does not exist, just use 'Author' node instead.
I am not sure how you can use IF statement to check a node and put the value into SET @surname and then put something like author VARCHAR(100) '@surname' OR author VARCHAR(100) '@Author'. Just like switching it around.
it would then insert the email into a table, collect these for a while and only see these as active members.Any ideas how to do this, I've tried a few things but no luck.
I am creatiung a track record website which displays a list of branches and how many people are available at each individual time slot.
I thought the best way to update would be to create a link which passed two variables, the branch and what time slot. This would then be retrieved int he book.asp page which then would knock one of the current count. I came up with the below page: Code:
my ASP code creates a form and an array of chekbox with this statement response.write "<input type='checkbox' name='chkProduct" & Cstr(counter) & "' value='delete'>" all goes well and i also have a button that points to a VBScript function passing one parameter the counter start value so i can loop throught the checkboxs on the client side and determine if checked or not.
Ok i can display my command "document.frmProductCart.chkProduct & (Cstr(counter)) & .checked" as a string in alert but cannot make it as a command like it should be, anyone got any pointers ?
I have created a database connection function which I use to open my database connection and recordset and another to close it. Easy stuff I know. The problem is this.
I want to be able to create database conenctions and recordsets specifically when I call the function. For example Code:
in J-Script, I could do it by Eval() or about eight ways through the DOM. It seems crazy to me that if I can access the Attributes of a specific element directly by ID (thisTD.Attributes), I couldn't also access it by reference.
But I have been able to find NOTHING to indicate how this may be done. Obviously, my problem is not limited to a single attribute, or else I would have just typed them all out by now. Trouble is, there is a lot of logic that must be applied to the data before setting the attribute. Without being able to iterate or loop by reference, I will be typing for ages just to change some freaking classes.
I have encountered some strange behaviour when using the XMLHTTP Request object in Javascript to return xml from a C# Webservice Method. I create a SOAP envelope and send it off to the Webservice, which I have debug points in, which when hit I can see that all the parameters are coming thru as null....
My code retrieves a username and a password from a form. Then this information is compared to some usernames and passwords that are stored in a database. The important thing here is that the comparison must be case sensitive meaning that "passWord" is not the same thing as "password"
I have this code, working fine in access 2003
SQL = "SELECT * FROM users WHERE StrComp(username_column,'" & entered_username_in_form & "',0) = 0 AND StrComp(password_column,'" & entered_password_in_form & "',0) = 0"
but get the following error when I run it against my sql 2005 database.
[Microsoft][SQL Native Client][SQL Server]'StrComp' is not a recognized built-in function name.
I don't know the corresponding t-sql for the query.
I am running a querry on an access database and have set the number of records/page displayed at 20. if there are more than 20 records returned, then 1st page will show the first 20, the next page will show next 20 and so on....
The trouble:
the count of total records displayed is correct and the first page is displayed correctly. But when i click on *Next* to go to the next page, all the records of the database get displayed (not the 2nd page of records from the query).
In Access you use "*" + [passed variable] + "*", + can be replaced with & Calling a parameterized query in Access requires % be used in place of *, however, all that I have read show dynamic SQL passed to Access:
WHERE [some column] LIKE '" & ASPvar & "' % ORDER BY ...
However, my call is similar to:
conn.qMyLookup strVar, rs
If I modify the query in Access to:
"%" & [passed variable] & "%"
I get all records. If I only put it at the end, as suggested, I only get matches at the end, not throughout the column. Code:
I got that right now but i want the variable, console to be placed along with news so when it selects from the db it selects from gcnnews or whatever variable it's on. How do I do that?
I need to assign a value to a variable, but this variable name is dependant upon another variable!! I am including the code below so you can see it, cos if not I am sure you are thinking whattt?? Code: