Re: Parameterized query problem
- From: "MiniEggs" <b@xxxxx>
- Date: Fri, 27 Nov 2009 18:17:26 -0000
Bob
I'll be in touch again next week if I can't get this (?) to work
The reason I started down the @P1 path was because of the Classic ASP
section of this article
http://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection
With regards to the ....
Give us more details if you want help with this.
Did you use SSMS to configure your SQL Server to use mixed
authentication? -YES
Did you then create a SQL Login? -not sure
Did you then create a user based on that login in your database? -YES (in
that I created a user and ticked the box with the db name in it)
I'm sure I did something wrong in the setting up of the user
I'm surprised I can't find any examples with screen shots on how to do this
(specifically for IIS/ASP login) as there must have been millions who've
done it .... but as I say I must be doing something obviously wrong
Thanks
Andrew
"Bob Barrows" <reb01501@xxxxxxxxxxxxxxx> wrote in message
news:uG0dqc4bKHA.4688@xxxxxxxxxxxxxxxxxxxxxxx
MiniEggs wrote:
Bob
Yes I have this in the page for ADO constants
<!-- METADATA TYPE="TypeLib" FILE="C:\Program Files\Common
Files\system\ado\msado15.dll" -->
Yes friendly errors are off but I'm still getting the server 500
error. This is not a server in our office (never did get that SQL login
to work for some reason on the one here)
Give us more details if you want help with this. Did you use SSMS to
configure your SQL Server to use mixed authentication? Did you then create
a SQL Login? Did you then create a user based on that login in your
database?
I've now removed the named parameters again
So are you saying the variable type of parameter does not really
matter and I can use the ? in place of @P1 @P2 etc etc regardless of if it
is a number/string/date etc ?
Yes. In fact, you need to use the ? tokens in order for this technique to
work.
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/b3d322b882a604bd
You can still use explicit Parameters, but it's overkill in a vbscript
procedure. Just pass the parameter values in a variant array using the
second argument of the Execute method.
This is just a starting point as the queries will be more complex
with more parameters
You might consider using stored procedures ...
http://groups.google.com/group/microsoft.public.inetserver.asp.general/msg/5d3c9d4409dc1701?hl=en&
--
Microsoft MVP - ASP/ASP.NET - 2004-2007
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
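As an added example (this is not code from the thread, Bob's posts or the OWASP page), here is the technique Bob describes: positional ? tokens in the CommandText and the values handed to the second argument of Command.Execute as a variant array, shown next to the string concatenation it replaces and followed by the stored-procedure variant he suggests. It relies on the ADO type library METADATA include already quoted in the thread for the adCmdText/adCmdStoredProc constants (use the literals 1 and 4 if that include is absent). The connection string, the aspapp login, the Orders table, its columns and the GetOrdersSince procedure are made-up placeholders.

```vbscript
<!-- METADATA TYPE="TypeLib" FILE="C:\Program Files\Common Files\system\ado\msado15.dll" -->
<%
Option Explicit

Dim cn, cmd, rs, custName, sinceDate

' Untrusted input straight from the request.
custName  = Request.QueryString("name")
sinceDate = Request.QueryString("since")

' --- Vulnerable form (kept only for contrast, do not use) ---
' A name such as  x' OR '1'='1  becomes part of the SQL text:
' sql = "SELECT OrderID, OrderDate FROM Orders WHERE CustomerName = '" & _
'       custName & "' AND OrderDate >= '" & sinceDate & "'"
' Set rs = cn.Execute(sql)

' Validate/convert before binding so a bad date fails here, not in SQL Server.
If Not IsDate(sinceDate) Then
    Response.Write "Invalid date"
    Response.End
End If

' Hypothetical connection string and SQL login (mixed-mode authentication).
Set cn = Server.CreateObject("ADODB.Connection")
cn.Open "Provider=SQLOLEDB;Data Source=MYSERVER;Initial Catalog=Sales;" & _
        "User ID=aspapp;Password=********;"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandType = adCmdText

' Positional ? tokens, one per value, in order. The token is the same whether
' the value is a string, a date or a number; ADO takes the type from the variant.
cmd.CommandText = "SELECT OrderID, OrderDate FROM Orders " & _
                  "WHERE CustomerName = ? AND OrderDate >= ?"

' Second argument of Execute: a variant array holding the parameter values.
' The values travel separately from the SQL text, so they are never parsed as SQL.
Set rs = cmd.Execute(, Array(custName, CDate(sinceDate)))

Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("OrderID") & " " & rs("OrderDate")) & "<br>"
    rs.MoveNext
Loop
rs.Close

' --- Stored procedure variant (Bob's suggestion) ---
' GetOrdersSince is a hypothetical procedure taking two input parameters in
' this order; the same array is passed, only the CommandType changes.
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "GetOrdersSince"
Set rs = cmd.Execute(, Array(custName, CDate(sinceDate)))
' ... consume rs as above ...
rs.Close

cn.Close
Set rs = Nothing
Set cmd = Nothing
Set cn = Nothing
%>
```

With friendly HTTP error messages turned off, as Andrew says his are, a failing login or a mismatch between the number of ? tokens and the array length surfaces as the underlying ADO error text rather than a bare 500, which is the first thing to read when this does not work.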