Is This Use Of Stored Procs Vulnerable To SQL Injections?

A colleague developer was criticising a code practice that I have been using, saying that it is vulnerable to SQL injections:

If I execute a stored procedure like this within my ASP code, does this make the SQL query vulnerable to injections?

conn.Execute("exec pTopCategories " & SupplierID)




Protect From SQL Injections Without Affecting Functionality

I am trying to figure out a good way to go about protecting from SQL injections, but still letting people be able to post those symbols etc...


Are Cookies Stored In RAM?

I know that cookies are stored in a txt file on the client PC, but are cookies also stored in RAM? Because I can access the cookie information, but I cannot see a txt file related to that cookie on my PC...


Stored Queries

I am running the following code against an Access database

' Connection and Recordset objects
Dim con, rs

' connecting to database (connStr is the ADO connection string defined elsewhere in the page)
Set con = Server.CreateObject("ADODB.Connection")
con.Open connStr

' executing stored procedure
Set rs = con.Execute("exec SpotDesc")

' showing all records
While Not rs.EOF
    Response.Write rs(0) & " " & rs(1) & "<br>"
    rs.MoveNext
Wend

' closing connection and freeing resources
rs.Close
con.Close
Set rs = Nothing
Set con = Nothing



This works and runs the stored procedure SpotDesc.

One question I have is that this line brings back the results

Response.Write rs(0) & " " & rs(1) & "<br>"

but requires me to know how many columns are being returned, i.e. rs(0) is column 1 and rs(1) is column 2.

Is there a way of writing this line so that it places all the columns there, whether it be 1, 2, or 3?

I.e. a way of knowing how many columns are returned...

Is there also a way to show the column heading?


Stored Procedures!

Just a quick question. I am using SQL Server 2000 and calling stored procedures from ASP. At this stage I am forgoing using the ADO Command object and am simply creating dynamic SQL statements for stored procedure execution.

My question is, I find the code below quite messy, particularly when it comes to checking for optional parameters using if statements. Is there a better way to write this, keeping in mind I have to check if a value exists before adding the appropriate parameter to the stored procedure call.

Is there a more elegant way?....


Trying To Use A Stored Procedure

I'm trying to access a stored procedure on our AS400 that is written in RPG. I know that the stored procedure works (I've called it from an RPG program on the AS400), and I know that the connection to the AS400 is good, because this same ASP page is reading data via SQL. However, when I try to call the stored procedure, I can't tell if anything is actually happening. All that I know is that the end result is not being changed, so I suspect that the procedure isn't being called correctly.

My stored procedure is used to encrypt/decrypt data. It has 3 parameters - a 1 character flag telling it whether to encrypt or decrypt, a 25 character field for the plaintext data, and a 50 character field for the encrypted data. The last two parameters are used for either input or output, depending on the value of the first flag (if the flag is "E", then the plaintext is used as input and the program fills the encrypted data field. If the flag is "D", then vice versa).

Here is the code where I call my stored procedure. I'm trying to decrypt data from the QueryString and place it in some program variables. I'm new to ASP, and can't find any good examples for my situation, so I pieced this together from what examples I found online. Can anyone tell me what I'm missing?


Stored Procedures

A while back people were looking into stored procedures and code to list which ones exist.
Does anyone know the code to list all the stored procedures in my SQL database?


Stored Proc

I need to also add an AND after the WHERE, like

WHERE (Id = @CId)
and MAX(end) < NOW()

CREATE PROCEDURE dbo.[sp_rsgroup]
    @CId int
AS

-- Group, Table and Count are reserved words, so they are bracketed
SELECT ISNULL([Group], '') AS GroupCalc, MIN(start) AS [START], COUNT(Id) AS [Count]
FROM [Table]
WHERE (Id = @CId)
GROUP BY ISNULL([Group], '')
ORDER BY MIN(start)
GO


Sql Stored Procedure

I have a problem with an input parameter which has the Decimal data type. The stored procedure works but it rounds all values, i.e. 5.555 input becomes 6 and 1.3 input becomes 1.
In the table, QTY has data type decimal(5) - precision(8) scale(3).
Please suggest what's wrong with this:

newqty = Request.Form("quantity")
..........
cmd.Parameters.Append(cmd.CreateParameter("qty", adDecimal, adParamInput, 5, newqty))
cmd.Parameters("qty").Precision = 8
cmd.Parameters("qty").NumericScale = 3


URL Stored In Database

I have included in my database a location (web URL) of a file that the person using my site can click on and it will work as a normal hyperlink and go to that page.

In case that doesn't make sense,

Say this is my database:

IMEtitle
Sarah

LocationURL
http://this.com/here.html

I want to display on my page Sarah and Sarah be hyperlinked. The hyperlink is pulled from the database as well as Sarah.

Here is the code I have,

<a href = "<% =recordset("LocationURL") %>"> <%Response.Write recordset("IMEtitle")%></a>

Everything appears fine, but when I click the link it just adds it to the end; it looks something like this:
http://www.nps.navy.mil/Content/DLR...S/Southwest.swf#

Whereas it should look like:
http://www.nps.edu/DL/DLRC/media_de...S/Southwest.swf

I have done this sort of thing in PHP, but I am not sure how to do it in ASP.


Points To Be Stored

There will be 4 files for 2 questions: Qn1.asp, Q2.asp, Check1.asp, Check2.asp.
Check1.asp consists of the code below to check Q1.asp, and Check2.asp is to check Q2.asp.
What do I need to put in the "" in both check1.asp and check2.asp so that if the user answers both questions correctly it will be 2 out of 2, both wrong 0 out of 2, and so on? I want the points to be stored inside a database.
<%

r1=Trim(request.form("r1"))
r2=Trim(request.form("r2"))
r3=Trim(request.form("r3"))
I=Trim(request.form("I"))
urans=Trim(request.form("Answer1"))
result= Round(CLng(r3)*CLng(I)/(CLng(r2)+CLng(r3)))

if (CStr(result) = CStr(urans)) then
" "
elseif (CStr(result) <> CStr(urans)) then
" "
End if
%>


Stored Procedures

Could anyone provide me with some simple example code of classic ASP
calling ADODB? Specifically, I'd like the code to:
- call a couple of stored procedures that have optional parameters
- share a connection over the two calls


Stored In MSSQL

I am new to programming and I managed to store images in MSSQL. The problem I have is that when I retrieve the image from the database and display it in my browser it opens a new window. I would like to use the image control, but it requires a URL. Is there any way of viewing that image in the image control, or keeping it in the same page where my information is but displaying it where and when I want it?


Stored Procedure And LIKE

How do I use LIKE in a stored procedure? I can use it as "where tbl LIKE @string" but it doesn't work properly. How can I use % ' & ? You know, we use LIKE in classic ASP and SQL as '%"&YYY&"%', but how can it be used in a stored procedure?


Stored Procedures

If I have an HTML table with, let's say, three columns, and I have to fill each column with different data from the database, could I use stored procedures to write three separate SQL queries? All I need then is to create a loop for each column.

I have never tried writing code with more than one SQL query before, and that isn't working out for me this time. I've read about these stored procedures. I don't know if that's the answer.


Stored ASP Code

I have HTML & ASP code stored in my database. When I retrieve the stored record and do a Response.Write("MyStoredCode"), the HTML executes and I can see the page, but the ASP code doesn't get executed. Is there a way I can fix that?


Using Stored Procedures In ASP

Can anyone give me an example of how to use stored procedures in ASP? I know how to create views, but how must I call a stored procedure?


Stored Proc

What is the simplest way to open up a stored query in Access? I've got this far, but I need to open qry_Listings.

set cnn = Server.CreateObject("ADODB.Connection")
' This one is for Access 2000/2002
strCon = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("../database/listings.mdb")
cnn.Open strCon


Stored Procedure

I have a stored procedure that I am executing with this SQL

osp_instrument_swap @InstrumentFrom = 'testname', @InstrumentIDTo = 37,
@Schedules = '593, 594, 596, 598, 599, 600, 601, 602, 603, 604, 605, 606,
607, 608, 609, 610, 611, 612, 613, 616'

The @Schedules are ID fields in a table that are integers. I would like to do an UPDATE blah WHERE ScheduleID IN (@Schedules) instead of looping. How can I do this? I have to send the values to the sproc as text, right? Where do I convert to the int data type, and how?


Open A Mpp Stored

I've saved an MPP into SQL Server and wish to open the same from an ASP application. How do I get it?


Use Stored Procedure In ASP

My code given below is running 100%, but now I have to pass this SQL query through stored procedures...

I have created the stored procedure in my database and given the parameter to student_id.

Can anyone tell me how I can implement this stored procedure in my given code:


Stored Procedures

In order to access return values and output parameters from a stored procedure, the recordset must first be closed. Is this correct? If so, can someone please shed some more light on ADO, stored procedures, their parameters and recordsets. Specifically, I've seen some code that accesses the output parameters and return values by switching to the next recordset.

Set adoRS = adoRS.NextRecordset

and then some other funny stuff ...

Response.Write "<p>Return value = " & CmdSP.Parameters("RETURN_VALUE").Value & "</p>"

Is a second recordset always created when you have output parameters and/or return values? And what are these properties of the parameter object? How do you guys work with ADO?


Why We Use Stored Procedure

Why do we use stored procedures in VB/ASP? The reason I am asking is that we can do the same with an SQL query. What difference does this make? I need the main difference between these.


#include Vs. Stored Procedure

I have a query that selects from multiple tables and is complicated, thus making the number of code lines very big. I'd like to separate it from the page that displays the query results.

I have been told that a stored procedure will do the trick, but I've just come across another option, 'include file'. I'm used to programming in ColdFusion so I am familiar with the concept of including files.


How Session Cookie Is Stored?

There are two cookie types:

1) session cookie.
2) persistent cookie is the same as tracking cookie?

Is that correct?

For a Windows machine, the files in C:\Documents and Settings\Administrator\Cookies
are all persistent cookies; does it not have session cookies?

How are session cookies stored? A session cookie should expire once the browser is closed.


Object Stored In Session

I created a class ImageEdit to help me get more from an image component I'm using. The class has a few private properties and public methods. One of the methods is the Load() method, which requires 1 parameter: the complete path to the image.

As long as I have the class definition included in the page, create an instance of the class on a page and use the properties and methods, everything is fine. The problem arises when I try to set this instance in a session variable like so:

set session("imageedit") = new ImageEdit

And this also seems to work fine as long as I'm still executing the code on the same page the new object has been created on. However... I can not get this object to work on any other page. Whether I use this: Code:


Executing Stored Procedures

Method 1:

set rs = Server.CreateObject("ADODB.Recordset")
objConn.usp_RetrieveCategories rs

Method 2:

set rs = objConn.Execute("usp_RetrieveCategories")

Which method is considered more efficient, method 1 or method 2?
The stored procedure returns no values.


Stored Procedure In Oracle

I'm trying to access a stored procedure in oracle using asp/jscript.

I get an error message complaining about the parameters;
[Oracle][ODBC][Ora]ORA-06550: line 1, column 7: PLS-00306: wrong number or types of arguments in call to 'UPDATE_BAKERY_USER' ORA-06550: line 1, column 7: PL/SQL: Statement ignored

A Response.write returns this:
CommandText: { call BUNGE.UPDATE_BAKERY_USER(?, ?, ?) }

The stored procedure changes a user's password, so the parameters are:
plogin
pold_password
pnew_password

Can anyone please help me verify my code?

Code:....


Calling A Stored Procedure

I am new to ASP, basically new to everything, but I am trying to create a log table and I'm having trouble calling my stored procedure from my ASP page. See the error:

Microsoft VBScript runtime (0x800A000D)
Type mismatch: 'sp_logsession'
/app/lib.asp, line 71

I am using the following code to execute it in my ASP page:

SET objConn = Server.CreateObject("ADODB.Connection")
objConn.Open Application("deConn")

Execute sp_logsession(browser,timenow,remoteaddress,idsession,refer)

is there anyone who could help me to get this working?


Stored Procedure Outputs!

I have a stored procedure in SQL Server 2000 named sp_FolioM with this code:
-----------
CREATE PROCEDURE sp_FolioM (@FolioTraspaso int OUTPUT)

AS

DECLARE @Existe int

SELECT @FolioTraspaso = ValorEntero FROM Parametros
WHERE Clave = 'NUMMOV'

UPDATE Parametros SET ValorEntero = ValorEntero + 1
WHERE CLAVE = 'NUMMOV'
GO
--------

Now, when I run the query SELECT ValorEntero FROM Parametros WHERE Clave = 'NUMMOV'

it returns a column with 4 rows (values)
......

In ASP I have the following code to capture the output value, and I think it only writes the last value (row #4, the last one)

Values:
108106
108106
38149
38149

ASP CODE:
--------
<%@ LANGUAGE="VBSCRIPT" %>
<!--#include virtual="/../../ADOVBS.INC"-->
<HTML>
<HEAD><TITLE>Place Document Title Here</TITLE></HEAD>
<BODY>
<%
Dim objConn, objCmd, objParam
set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open "driver={SQL Server};server=APALACIOS;uid=sa;pwd=;database=PDigital"
Set objCmd = Server.CreateObject("ADODB.Command")
objCmd.CommandText = "sp_FolioM"
objCmd.CommandType = adCmdStoredProc
objcmd.ActiveConnection = objConn
Set objParam = objCmd.CreateParameter ("@FolioTraspaso",adInteger,adParamOutput,4)
objCmd.Parameters.Append objParam
ObjCmd.Execute
%>
Valor: <%=objCmd.Parameters("@FolioTraspaso")%><br>
</BODY>
</HTML>

I only see Valor: 38149

What if I want to write the first value (row number 1)?


Call Stored Procedure In ASP.NET 2.0

I would like to know if anyone knows how to execute a stored procedure from ASP.NET 2.0. I'm using the NorthWind database and I'm trying to execute the "CustOrderHist" stored procedure. The error I get is "Incorrect syntax near 'CustOrderHist'. "

Public Function GetCustomerOrderHistory(ByVal customerid As String) As SqlDataReader
    Dim conn As New SqlConnection(conString)
    Dim cmd As New SqlCommand("CustOrderHist", conn)
    cmd.Parameters.AddWithValue("@CustomerID", customerid)
    conn.Open()
    Dim dtr As SqlDataReader = cmd.ExecuteReader(CommandBehavior.CloseConnection)
    Return dtr
End Function


Where Are Exactly Cookies Stored In Computer?

Does anyone know where the cookies are stored on the computer? I guess depending on the browser the client uses, they are stored in different places.

But when I make a search for cookies, I can find a few txt files inside the cookie folder with names like userid@websitename[1].txt, but I cannot see any cookies with the domain name I am working ....


Running An SQL Stored Procedure With ADO

I am having a problem running an sql stored procedure with ADO/ASP. If I hard code a select statement, the code works, but when I try to use a stored procedure it bombs. Here is my code:

THIS WORKS:

sql="SELECT PartNumber FROM Scrap WHERE DateOpened BETWEEN '20030601' AND '20030605'"

'Note: I already did my connection object above
set rs=Server.CreateObject("ADODB.Recordset")
rs.Open sql,conn

THIS DOES NOT:

'my stored procedure is LC_Top50_ByCost
sql="LC_Top50_ByCost 'DB', '20030601', '20030605'"

set rs=Server.CreateObject("ADODB.Recordset")
rs.Open sql,conn

HERE IS THE ERROR:

Error Type:
ADODB.Recordset (0x800A0E78)
Operation is not allowed when the object is closed.
/MyWeb/T10_Cost.asp, line 202

Line 202 is the first line where I try to access the data in the recordset.








Copyrights 2005-15 www.BigResource.com, All rights reserved