Re: ASP coding help required please
From: Bob Barrows (reb01501_at_NOyahoo.SPAMcom)
Date: 03/31/04
- Next message: Bob Barrows: "Re: Problems with Using VB to Write VB Script"
- Previous message: Bob Barrows: "Re: Problems with Using VB to Write VB Script"
- In reply to: Stephen Cairns: "Re: ASP coding help required please"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 31 Mar 2004 07:43:29 -0500
Stephen Cairns wrote:
> sSQL = "UPDATE dbo_Nagents_classification SET Type =
> Request.Form(Classification) where account_no =
> Request.Form(account_no)"
>
> I need to take the details from the form when setting the Type and
> using the where clause.
Correct
> Is this how I do it??
No. Your database will not know anything about the Request object. And even
if it did, you have not referred to the variables correctly.
The best method would be to create a stored procedure that accepts the type
and account number as parameters.Then pass the parameter values from your
asp code.
Are we talking SQL Server here? If so, create this procedure (I am making
guesses as to the datatypes and sizes of these parameters - in the future,
please provide this information upfront so as to reduce the back-and-forth
requests for more information):
CREATE PROCEDURE UpdNagents (
@type varchar(50),
@acct varchar(20)
) AS
UPDATE dbo_Nagents_classification SET Type = @acct
WHERE account_no = @acct
Then, in asp, do this:
dim cn, sType, sAcct
sType = Request.Form("Classification")
sAcct = Request.Form("account_no")
'write some code here to validate that these variables
'contain what they are supposed to contain.
'Then, if the variables are OK, do this:
set cn=server.createobject("adodb.connection")
cn.open "<valid connection string>"
cn.UpdNagents sType, sAcct
This approach is the most efficient and secure way of executing a query in
your database. Using the dynamic sql approach you are attempting is not
very secure because it allows hackers to inject sql into the data they
submit. See:
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
You are at an early stage of your programming experience. You should learn
the right ways to do things instead of the easy ways. Unfortunately, most
books for beginners take the lazy approach of teaching the easy, but wrong
ways to do things such as this.
Avoid the dynamic sql approach, but if you are determined to use it, see:
http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=%23fW7AQWgDHA.3104%40TK2MSFTNGP11.phx.gbl&rnum=1&prev=/groups%3Fas_q%3Ddynamic%2520sql%2520rules%26safe%3Dimages%26ie%3DUTF-8%26oe%3DUTF-8%26as_ugroup%3D*.asp.*%26as_uauthors%3DBob%2520Barrows%26lr%3D%26hl%3Den
Bob Barrows
-- Microsoft MVP - ASP/ASP.NET Please reply to the newsgroup. This email account is my spam trap so I don't check it very often. If you must reply off-line, then remove the "NO SPAM"
- Next message: Bob Barrows: "Re: Problems with Using VB to Write VB Script"
- Previous message: Bob Barrows: "Re: Problems with Using VB to Write VB Script"
- In reply to: Stephen Cairns: "Re: ASP coding help required please"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
