Is This Use Of Stored Procs Vulnerable To SQL Injections?
A colleague developer was criticising a code practice that I have been using, saying that it is vulnerable to SQL injections:
If I execute a stored procedure like this within my ASP code, does this make the SQL query vulnerable to injections?
conn.Execute("exec pTopCategories " & SupplierID)
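An added example, not from the original post, that places the concatenated call above beside the parameterized ADODB.Command form a defender would use instead. It assumes pTopCategories takes a single integer parameter named @SupplierID and that conn is an already-open ADODB.Connection.

```vbscript
<%
' Added example (not the original poster's code). Assumes pTopCategories
' takes one integer parameter, @SupplierID, and conn is an open ADODB.Connection.
Const adCmdStoredProc = 4
Const adInteger = 3
Const adParamInput = 1

' Vulnerable form: whatever text the client sent is pasted into the batch,
' so it can alter the statement instead of merely supplying a value.
Function TopCategoriesUnsafe(conn, supplierID)
    Set TopCategoriesUnsafe = conn.Execute("exec pTopCategories " & supplierID)
End Function

' Safe form: the value is validated, typed and bound as a parameter,
' so the SQL text never changes regardless of what the client sent.
Function TopCategoriesSafe(conn, rawSupplierID)
    If Not IsNumeric(rawSupplierID) Then
        Err.Raise vbObjectError + 1, "TopCategoriesSafe", "SupplierID must be numeric"
    End If
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "pTopCategories"
    cmd.CommandType = adCmdStoredProc
    cmd.Parameters.Append cmd.CreateParameter("@SupplierID", adInteger, adParamInput, 4, CLng(rawSupplierID))
    Set TopCategoriesSafe = cmd.Execute
End Function

Dim rs
Set rs = TopCategoriesSafe(conn, Request.QueryString("SupplierID"))
Do While Not rs.EOF
    ' Encode on output as well, so stored data cannot inject markup into the page
    Response.Write Server.HTMLEncode(rs(0) & "") & "<br>"
    rs.MoveNext
Loop
rs.Close
Set rs = Nothing
%>
```

The bound parameter is sent with the integer type, so a non-numeric value is rejected before the database sees it rather than being spliced into the EXEC string.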
I am trying to figure out a good way to go about protecting from SQL injections, but still letting people be able to post those symbols etc.
I know that cookies are stored as a txt file on the client PC, but are cookies also stored in RAM? Because I can access the cookie information, but I cannot see a txt file for that cookie on my PC...
I am running the following code against an Access database:
' Recordset and connection objects
Dim con, rs
Set con = Server.CreateObject("ADODB.Connection")
' connecting to database (connStr holds the connection string, defined elsewhere on the page)
con.Open connStr
' executing stored procedure
Set rs = con.Execute("exec SpotDesc")
' showing all records
While Not rs.EOF
Response.Write rs(0) & " " & rs(1) & "<br>"
rs.MoveNext
Wend
' closing recordset and connection, freeing resources
rs.Close
con.Close
Set rs = Nothing
Set con = Nothing
This works and runs the stored procedure SpotDesc.
One question I have is that this line brings back the results:
Response.Write rs(0) & " " & rs(1) & "<br>"
but requires me to know how many columns are being returned, i.e. rs(0) is column 1 and rs(1) is column 2.
Is there a way of writing this line so that it places all the columns there, whether it be 1, 2, or 3?
I.e. a way of knowing how many columns are returned...
Is there also a way to show the column heading?
Just a quick question. I am using SQL Server 2000 and calling stored procedures from ASP.
At this stage I am forgoing the ADO command object and am simply creating dynamic SQL statements for stored procedure execution.
My question is, I find the code below quite messy, particularly when it comes to checking for optional parameters using if statements. Is there a better way to write this, keeping in mind I have to check if a value exists before adding the appropriate parameter to the stored procedure call?
Is there a more elegant way?
I'm trying to access a stored procedure on our AS400 that is written in RPG. I know that the stored procedure works (I've called it from an RPG program on the AS400), and I know that the connection to the AS400 is good, because this same ASP page is reading data via SQL. However, when I try to call the stored procedure, I can't tell if anything is actually happening. All that I know is that the end result is not being changed, so I suspect that the procedure isn't being called correctly.
My stored procedure is used to encrypt/decrypt data. It has 3 parameters: a 1 character flag telling it whether to encrypt or decrypt, a 25 character field for the plaintext data, and a 50 character field for the encrypted data. The last two parameters are used for either input or output, depending on the value of the first flag (if the flag is "E", then the plaintext is used as input and the program fills the encrypted data field. If the flag is "D", then vice versa).
Here is the code where I call my stored procedure. I'm trying to decrypt data from the queryString and place it in some program variables. I'm new to ASP, and can't find any good examples for my situation, so I pieced this together from what examples I found online. Can anyone tell me what I'm missing?
A while back people were looking into stored procedures and code to list which ones exist.
Does anyone know the code to list all the stored procedures in a my sql database?
I also need to add an AND after the WHERE, like:
WHERE (Id = @CId)
AND MAX(end) < NOW()
CREATE PROCEDURE dbo.[sp_rsgroup]
@CId int
AS
SELECT ISNULL([Group], '') AS GroupCalc, MIN([start]) AS START, COUNT(Id) AS [Count]
FROM [Table]
WHERE (Id = @CId)
GROUP BY ISNULL([Group], '')
ORDER BY MIN([start])
GO
I have a problem with an input parameter which has the Decimal data type. The stored procedure works, but it rounds all values, i.e. a 5.555 input becomes 6 and a 1.3 input becomes 1.
In the table, QTY has data type decimal(5) - precision(8) scale(3).
Please, suggest what's wrong with this:
newqty = Request.Form("quantity")
..........
cmd.Parameters.Append(cmd.CreateParameter("qty", adDecimal, adParamInput, 5, newqty))
cmd.Parameters("qty").Precision = 8
cmd.Parameters("qty").NumericScale = 3
I have included in my database a location (web URL) of a file that the person using my site can click on, and it will work as a normal hyperlink and go to that page.
In case that doesn't make sense, say this is my database:
IMEtitle
Sarah
LocationURL
http://this.com/here.html
I want to display Sarah on my page, and have Sarah be hyperlinked. The hyperlink is pulled from the database as well as Sarah.
Here is the code I have:
<a href = "<% =recordset("LocationURL") %>"> <%Response.Write recordset("IMEtitle")%></a>
Everything appears fine, but when I click the link it just adds it to the end; it looks something like this:
http://www.nps.navy.mil/Content/DLR...S/Southwest.swf#
Whereas it should look like:
http://www.nps.edu/DL/DLRC/media_de...S/Southwest.swf
I have done this sort of thing in PHP, but I am not sure how to do it in ASP.
There will be 4 files for 2 questions: Qn1.asp, Q2.asp, Check1.asp, Check2.asp.
Check1.asp consists of the code below to check Q1.asp, and Check2.asp is to check Q2.asp.
What do I need to put in the "" in both check1.asp and check2.asp so that if the user answers both questions correctly it will give 2 out of 2, both wrong 0 out of 2, and so on? I want the points to be stored inside a database.
<%
r1=Trim(request.form("r1"))
r2=Trim(request.form("r2"))
r3=Trim(request.form("r3"))
I=Trim(request.form("I"))
urans=Trim(request.form("Answer1"))
result= Round(CLng(r3)*CLng(I)/(CLng(r2)+CLng(r3)))
if (CStr(result) = CStr(urans)) then
" "
elseif (CStr(result) <> CStr(urans)) then
" "
End if
%>
Could anyone provide me with some simple example code of classic ASP calling ADODB? Specifically, I'd like the code to:
- call a couple of stored procedures that have optional parameters
- share a connection over the two calls
I am new to programming and I managed to store images in MSSQL. The problem I have is that when I retrieve the image from the database and display it in my browser, it opens a new window. I would like to use the image control, but it requires a URL. Is there any way of viewing that image in the image control, or keeping it in the same page where my information is, but displaying it where and when I want it?
How do I use LIKE in a stored procedure? I can use it as "where tbl LIKE @string", but it doesn't work properly. How can I use % ' & ? You know, we use LIKE in classic ASP and SQL as '%"&YYY&"%', but how can it be used in a stored procedure?
If I have an HTML table with, let's say, three columns, and I have to fill each column with different data from the database, could I use stored procedures to write three separate SQL queries? All I need then is to create a loop for each column.
I have never tried writing code with more than one SQL query before, and that isn't working out for me this time. I've read about these stored procedures. I don't know if that's the answer.
I have HTML & ASP code stored in my database. When I retrieve the stored record and do a Response.Write("MyStoredCode"), the HTML executes and I can see the page, but the ASP code doesn't get executed. Is there a way I can fix that?
Can anyone give me an example of how to use stored procedures in ASP? I know how to create views, but how must I call a stored procedure?
What is the simplest way to open up a stored query in Access? I've got this far, but I need to open qry_Listings.
set cnn = Server.CreateObject("ADODB.Connection")
strCon = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("../database/listings.mdb") '//This one is for Access 2000/2002
cnn.Open strCon
I have a stored procedure that I am executing with this SQL:
osp_instrument_swap @InstrumentFrom = 'testname', @InstrumentIDTo = 37, @Schedules = '593, 594, 596, 598, 599, 600, 601, 602, 603, 604, 605, 606, 607, 608, 609, 610, 611, 612, 613, 616'
The @Schedules are ID fields in a table that are integers. I would like to do an UPDATE blah WHERE ScheduleID IN (@Schedules) instead of looping. How can I do this? I have to send the values to the sproc as text, right? Where do I convert to the int data type, and how?
I've saved an MPP into SQL Server and wish to open the same from an ASP application. How do I get it?
My code given below is running 100%, but now I have to pass this SQL query through a stored procedure...
I have created the stored procedure in my database and given it the parameter student_id.
Can anyone tell me how I can implement this stored procedure in my given code?
In order to access return values and output parameters from a stored procedure, the recordset must first be closed. Is this correct? If so, can someone please shed some more light on ADO, stored procedures, their parameters and recordsets. Specifically, I've seen some code that accesses the output parameters and return values by switching to the next recordset.
Set adoRS = adoRS.NextRecordset
and then some other funny stuff ...
Response.Write "<p>Return value = " & CmdSP.Parameters("RETURN_VALUE").Value & "</p>"
Is a second recordset always created when you have output parameters and/or return values? And what are these properties of the parameter object? How do you guys work with ADO?
Why do we use stored procedures in VB/ASP? The reason I am asking is that we can do the same with a SQL query. What difference does this make? I need the main difference between these.
I have a query that selects from multiple tables and is complicated, thus making the number of code lines very big. I'd like to separate it from the page that displays the query results.
I have been told that a stored procedure will do the trick, but I've just come across another option, 'include file'. I'm used to programming in ColdFusion so I am familiar with the concept of including files.
There are two cookie types:
1) session cookie.
2) persistent cookie, which is the same as a tracking cookie?
Is that correct?
For a Windows machine, the files in C:\Documents and Settings\Administrator\Cookies
are all persistent cookies; it doesn't have session cookies?
How are session cookies stored? A session cookie should expire once the browser is closed.
I created a class ImageEdit to help me get more from an image component I'm using. The class has a few private properties and public methods. One of the methods is the Load() method, which requires 1 parameter: the complete path to the image.
As long as I have the class definition included in the page, create an instance of the class on a page, and use the properties and methods, everything is fine. The problem arises when I try to set this instance in a session variable like so:
set session("imageedit") = new ImageEdit
And this also seems to work fine as long as I'm still executing the code on the same page the new object has been created on. However... I cannot get this object to work on any other page. Whether I use this: Code:
Method 1:
set rs = Server.CreateObject("ADODB.Recordset")
objConn.usp_RetrieveCategories rs
Method 2:
set rs = objConn.Execute("usp_RetrieveCategories")
Which method is considered more efficient? Is it method 1 or method 2?
The stored procedure returns no values.
I'm trying to access a stored procedure in Oracle using ASP/JScript.
I get an error message complaining about the parameters:
[Oracle][ODBC][Ora]ORA-06550: line 1, column 7: PLS-00306: wrong number or types of arguments in call to 'UPDATE_BAKERY_USER' ORA-06550: line 1, column 7: PL/SQL: Statement ignored
A Response.write returns this:
CommandText: { call BUNGE.UPDATE_BAKERY_USER(?, ?, ?) }
The stored procedure changes a user's password, so the parameters are:
plogin
pold_password
pnew_password
Can anyone please help me verify my code?
Code:....
I am new to ASP, basically new to everything, but I am trying to create a log table and am having trouble calling my stored procedure from my ASP page. See the error:
Microsoft VBScript runtime (0x800A000D)
Type mismatch: 'sp_logsession'
/app/lib.asp, line 71
I am using the following code to execute it in my ASP page:
SET objConn = Server.CreateObject("ADODB.Connection")
objConn.Open Application("deConn")
Execute sp_logsession(browser,timenow,remoteaddress,idsession,refer)
Is there anyone who could help me to get this working?
I have a stored procedure in SQL Server 2000 named sp_FolioM with this code:
-----------
CREATE PROCEDURE sp_FolioM (@FolioTraspaso int OUTPUT)
AS
DECLARE @Existe int
SELECT @FolioTraspaso = ValorEntero FROM Parametros
WHERE Clave = 'NUMMOV'
UPDATE Parametros SET ValorEntero = ValorEntero + 1
WHERE CLAVE = 'NUMMOV'
GO
--------
Now, when I run the query SELECT ValorEntero FROM Parametros WHERE Clave = 'NUMMOV'
it returns a column with 4 rows (values).
......
In ASP I have the following code to capture the output value, and I think it only writes the last value (row #4, the last one).
Values:
108106
108106
38149
38149
ASP CODE:
--------
<%@ LANGUAGE="VBSCRIPT" %>
<!--#include virtual="/../../ADOVBS.INC"-->
<HTML>
<HEAD><TITLE>Place Document Title Here</TITLE></HEAD>
<BODY>
<%
Dim objConn, objCmd, objParam
set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open "driver={SQL Server};server=APALACIOS;uid=sa;pwd=;database=PDigital"
Set objCmd = Server.CreateObject("ADODB.Command")
objCmd.CommandText = "sp_FolioM"
objCmd.CommandType = adCmdStoredProc
objcmd.ActiveConnection = objConn
Set objParam = objCmd.CreateParameter ("@FolioTraspaso",adInteger,adParamOutput,4)
objCmd.Parameters.Append objParam
ObjCmd.Execute
%>
Valor: <%=objCmd.Parameters("@FolioTraspaso")%><br>
</BODY>
</HTML>
I only see Valor: 38149
What if I want to write the first value (row number 1)?
I would like to know if anyone knows how to execute a stored procedure from ASP.NET 2.0. I'm using the NorthWind database and I'm trying to execute the "CustOrderHist" stored procedure. The error I get is "Incorrect syntax near 'CustOrderHist'. "
Public Function GetCustomerOrderHistory(ByVal customerid As String) As SqlDataReader
Dim conn As New SqlConnection(conString)
Dim cmd As New SqlCommand("CustOrderHist", conn)
cmd.Parameters.AddWithValue("@CustomerID", customerid)
conn.Open()
Dim dtr As SqlDataReader = cmd.ExecuteReader(CommandBehavior.CloseConnection)
Return dtr
End Function
Does anyone know where the cookies are stored on the computer? I guess depending on the browser the client uses, they are stored in different places.
But when I make a search for cookies, I can find a few txt files inside the cookie folder with names like userid@websitename[1].txt, but I cannot see any cookies with the domain name I am working on....
I am having a problem running a SQL stored procedure with ADO/ASP. If I hard code a select statement, the code works, but when I try to use a stored procedure it bombs. Here is my code:
THIS WORKS:
sql="SELECT PartNumber FROM Scrap WHERE DateOpened BETWEEN '20030601', '20030605'"
'Note: I already did my connection object above
set rs=Server.CreateObject("ADODB.Recordset")
rs.Open sql,conn
THIS DOES NOT:
'my stored procedure is LC_Top50_ByCost
sql="LC_Top50_ByCost 'DB', '20030601', '20030605'"
set rs=Server.CreateObject("ADODB.Recordset")
rs.Open sql,conn
HERE IS THE ERROR:
Error Type:
ADODB.Recordset (0x800A0E78)
Operation is not allowed when the object is closed.
/MyWeb/T10_Cost.asp, line 202
Line 202 is the first line where I try to access the data in the recordset.