Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Executing SQL Prod ... and any good debuggers? 1

Status
Not open for further replies.
Autosys

Autosys

Programmer
Jun 1, 2004
90
0
0
GB
Hi there ..

A bit new to ASP o sorry for the experts out there who are reading this.

I'm having trouble executing a sql 2000 proc through my asp/vbscript code. (Snippet below) .. Any ideas?

I find it a bit hard to find out where I'm going wrong as I'm doing it in notepad ... are there any good (& free if possible) asp debuggers that you know of?

Perhaps something that can step through the code line by line or at least return me an error?

Your help would be much appreciated thx.

strSQL1 = "exec sp_register '" & strUsername & "','" & strPassword & "','" & strName & "','" & strSurname & "','" & strAge & "','" & strSuburb & "','" & strStreet & "','" & strPostcode & "','" & strPhone & "','" & strEmail

strConnection = "Provider=SQLOLEDB.1;Persist Security Info=False;User ID=myID;Password=myPassword;Initial Catalog=MYDB;Data Source=MyServer"

Set conn = Server.CreateObject("ADODB.Connection")

conn.open strConnection
conn.execute(strSQL1)
 
Sort by date Sort by votes
There's a couple things that may help you.

First. If you get an error, it might be nice to get the error message.

Second. It's often helpful to see the query that is being built, because that will often times help you see the problem.

As such, I would recommend this...

Code: 
strSQL1 = "exec sp_register '" & strUsername & "','" & strPassword & "','" & strName & "','" & strSurname & "','" & strAge & "','" & strSuburb & "','" & strStreet & "','" & strPostcode & "','" & strPhone & "','" & strEmail

strConnection = "Provider=SQLOLEDB.1;Persist Security Info=False;User ID=myID;Password=myPassword;Initial Catalog=MYDB;Data Source=MyServer"

Set conn = Server.CreateObject("ADODB.Connection")

conn.open strConnection
conn.execute(strSQL1)
[blue]
If Err.Number <> 0 Then
   Response.Write(Err.Description & "<br />" & strSQL1)
End If
[/blue]

Now, when you run this, you will get an error. If it's not obvious what the problem is, then you can copy/paste the query to SQL Server 2000's query analyzer and run it there.

In this case, you are missing the last single-quote.

[tt][blue]strSQL1 = "exec sp_register '" & strUsername & "','" & strPassword & "','" & strName & "','" & strSurname & "','" & strAge & "','" & strSuburb & "','" & strStreet & "','" & strPostcode & "','" & strPhone & "','" & strEmail[!] & "'"[/!][/blue][/tt]

Now, having said all that, I encourage you to do a google search on [google]SQL Injection[/google]. Read the first couple articles to truly understand this problem. Please don't think "Since I've never heard of this, it can't be that big of a problem". That would be the wrong attitude to take.

-George

"The great things about standards is that there are so many to choose from." - Fortune Cookie Wisdom
 
Upvote 0 Downvote
Thanks so much for your detailed explanation gmmastros .. I'm going to look into all of your suggestions, and of course the obvious missing quote one.

I'm familiar with sql injection, but not an expert in preventing it which is something i need to look into in order to make sure that people won't be able to drop tables etc and do nasty things to my site!

thanks again for you quick response.!
 
Upvote 0 Downvote
further to my previous post ...

added the missing quote ... then it still failed (but that was obviously a prob good spot!) ..

then added the error trapping bit and ouput my sql command as you suggested ... pasted it into sql query and it turned out i tried to put varchar data into an int column.

fantastic advice ... some of it is coming back to me thanks a lot!

S
 
Upvote 0 Downvote
With ASP, it's important to validate the inputs before sending data to SQL Server (or any database).

One of my favorite functions is...

Code: 
Function IsInteger(Data)
	
  If Trim(Data) = "" Then
    IsInteger = False
  Else
    IsInteger = IsNumeric(Data & ".0e0")
  End If

End Function

I put that function in an include file. Then, I check each value before I even think about calling the database.

Ex:

[tt][blue]
If Not IsInteger(strAge) Then
Response.Write("Age must be a number.")
Else
' Other code to use the age.
End If
[/blue][/tt]

-George

"The great things about standards is that there are so many to choose from." - Fortune Cookie Wisdom
 
Upvote 0 Downvote
next on my list ... checking each field on the form for strings not allowed .. sure i'll find a place for your int checking thanks mate ..!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

penguinspeaks
  • Locked
  • Question
Parse a database field that is comma delimited and input the results into another table
Replies
0
Views
80
penguinspeaks
penguinspeaks
leifoet
  • Locked
  • Question
First execute an input command and only then proceed with displaying the next record of the table
Replies
0
Views
64
leifoet
leifoet
JScannell
  • Locked
  • Question
Border issue with Google Chrome on an Android phone
Replies
0
Views
78
JScannell
JScannell
leifoet
  • Locked
  • Question
Problem: sql-Select with request.form
2
Replies
22
Views
195
leifoet
leifoet
Swi
  • Locked
  • Question
JQUERY AJAX POST and how to receive data via Classic ASP
Replies
0
Views
115
Swi
Swi

Part and Inventory Search

Sponsor

Back
Top