Session Variables Being Lost

[axLW]

Hello.

I have a booking form on my website (fake example below).

http://mywebsite.com/booking-page4.asp

When the booking form reaches page 4, the values are saved into a Session using the following:

Session("Variable1") = Request.Form ("Variable1")
Session.Timeout = 60

The customer then clicks 'PAY' and is sent to Sage Pay within the same browser window to authorise their payment:

https://live.sagepay.com/process-payment-etc

They authorise their payment and Sage Pay then redirects them back to the payment success page (on my website):

http://mywebsite.com/payment-sucess.asp

step 1. mywebsite booking form
step 2. session created
step 3. redirected to sage pay website
step 4. payment authorised
step 5. redirected to mywebsite payment success

I am concerned that the Session Variables originally created on my website will be lost during the journey from my website to Sage Pay and back again.

Is there anything I can do to ensure they are not lost or is it simply to do with the customer's browser settings (like not accepting cookies for example).

It is IMPERATIVE that these values are not lost because I need them to be present in the payment success page.

 

[ChrisHirst]

Saving the values in a database along with the session ID as a reference ID that SagePay returns in the POST data along with the accepted/failed signals is safer.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

 

[axLW]

Good idea.

I can't believe I'm struggling with this... haven't done this for about 5 years at least.

Please look here:

Test Add Record

The directory I'm writing to definitely has 'Write' permissions.

Any idea why I'm getting this error?

The database is definitely found correctly, the table and field names are correct. Not using any special characters either.

<html>
<body>

<%

PaxName = "antony"

set myconn = Server.CreateObject("ADODB.connection")
connection = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" &_
Server.MapPath("x\db.mdb") & ";"
myconn.open (connection)

sql = "INSERT INTO table (PaxName) VALUES (" & PaxName & ")"

on error resume next
myconn.Execute sql,recaffected
if err<>0 then
  Response.Write("No update permissions!")
else
  Response.Write("<h3>" & recaffected & " record added</h3>")
end if
myconn.close

Response.write ("<br>")
Response.write (sql)
Response.write ("<br>")
Response.write (err)

%>

</body>
</html>

 

[ChrisHirst]

It's been a few years for me as well, but as I recall, that error is due to using a "read only" cursor for the recordset rather than read only file/folder permissions.

myconn.CursorLocation = adUseClient
myconn.CursorType = adOpenDynamic

Is the correct combination for a multi-user database for writing and reading the DB.

If you are only displaying records set the CursorType to adOpenStatic as it is a little quicker when reading data than adOpenDynamic is.


I've attached an include file with all the ADO constants defined just in case you need it.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

 

[guitarzan]

The directory I'm writing to definitely has 'Write' permissions
But who has write permissions to the folder? You will need to give the IUSR user write permissions.

Also, this may give you more to work with:

if err<>0 then
  Response.Write([highlight #FCE94F]"Error#: " & Err.Number & ": " & Err.Description[/highlight])
else
  Response.Write("<h3>" & recaffected & " record added</h3>")
end if

 

[axLW]

Error#: -2147217900: Syntax error in INSERT INTO statement.

This is my SQL statement:

sql = "INSERT INTO table (PaxName) VALUES (" & PaxName & ")"

I have tried adding single quotes like so:

sql = "INSERT INTO table (PaxName) VALUES ('" & PaxName & "')"

and I get the same error so obviously there's another problem... here is the code in full that produces the syntax error:

<html>
<body>

<%

PaxName = "antony"

set myconn = Server.CreateObject("ADODB.connection")
connection = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" &_
Server.MapPath("x\db.mdb") & ";"
myconn.open (connection)



sql = "INSERT INTO table (PaxName) VALUES ('" & PaxName & "')"

on error resume next
myconn.Execute sql,recaffected


if err<>0 then
  Response.Write("Error#: " & Err.Number & ": " & Err.Description)
else
  Response.Write("<h3>" & recaffected & " record added</h3>")
end if 

myconn.close

Response.write ("<br>")
Response.write (sql)
Response.write ("<br>")
Response.write (err)

%>

</body>
</html>

 

[axLW]

it's working now.

used the single quote sql and change the name of my table from table to testtable.

how silly of me.

thanks again all.

 

[gk53]

I hope you understand risk of SQL injection when using inline insert statement
what if
PaxName = "antony; delete from PaxName;"

sql = "INSERT INTO table (PaxName) VALUES ('" & PaxName & "')"

In your case it will give you sql error, but code executes on database side, so it will delete all records in PaxName table
Make sure you validated value in PaxName.
I would recommend add record using recordset

 

[Swi]

I'd go with using a parameterized query.

Swi

 

[axLW]

Ok, I know how to open a recordset and retrieve/display the details but I have never inputted a record using recordset.

SWI do you have an example if you think that's a better option?

 

[axLW]

If I post my full code do you think you can "PARAMETERIZE" my query?

 

[axLW]

This is my full working insert code (with fake item names):

set myconn = Server.CreateObject("ADODB.connection")
connection = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" &_
Server.MapPath("myDATABASEpath") & ";"
myconn.open (connection)

sql = "INSERT INTO myTABLE (field1,field2,field3,field4,field5,"
sql = sql & "field6,field7,field8) VALUES ("
sql = sql & "'" & formITEM1 & "',"
sql = sql & "'" & formITEM2 & "',"
sql = sql & "'" & formITEM3 & "',"
sql = sql & "'" & formITEM4 & "',"
sql = sql & "'" & formITEM5 & "',"
sql = sql & "'" & formITEM6 & "',"
sql = sql & "'" & formITEM7 & "',"
sql = sql & "'" & formITEM8 & "')"


on error resume next
myconn.Execute sql,recaffected
myconn.close

 

[ChrisHirst]

If SQL Injection is a consideration for the usage of the site I have a class method/function that I used for "sanitising" user input.

public function StripChars(ByVal p_sIn) 
dim l_asBlock 
dim i
  l_asBlock = array("select", "drop", ";", "--", "insert","delete", "xp_") 
  for i = lBound(l_asBlock) to uBound(l_asBlock) 
    p_sIn = replace(p_sIn, l_asBlock(i), "") 
  next 
StripChars = p_sIn 
end function

You can easily extend the range of commands that will be stripped by adding them to the array l_asBlock

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

 

[axLW]

Sorry Chris, my mind goes blank when I look at that...

I don't understand it.

 

[gk53]

use recordset example with your code will be

<html>
<body>

<%

PaxName = "antony"

set myconn = Server.CreateObject("ADODB.connection")
connection = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" &_
Server.MapPath("x\db.mdb") & ";"
myconn.open (connection)

set rs = Server.CreateObject("ADODB.recordset")

sql = "select * from  PaxName where PaxName = ''"

rs.open sql, cn, 1, 3 '1 - adOpenKeyset , 3 - adLockOptimistic
rs.addNew
rs("PaxName") = PaxName 
rs.Update
rs.close

if err<>0 then
  Response.Write("Error#: " & Err.Number & ": " & Err.Description)
else
  Response.Write("<h3> 1 record added</h3>")
end if 

myconn.close

Response.write ("<br>")
Response.write ("<br>")
Response.write (err)

%>

</body>
</html>

 

[ChrisHirst]

Sorry Chris, my mind goes blank when I look at that...
[/quote]
Okay, basically it is a just a "replace" function that will "break" a malicious SQL query by replacing characters or words that can damage or destroy your database also known as "sanitising" the input. If you have a text input or textarea so that users can add data you put it through the StripChars() function before concatenating the data to your query.

Also if the page is going to be publicly accessible do not print the error description to the page in the production version, while you are testing is fine, but if you reduce the error feedback to the bare minimum, you do not help the crackers and script kiddies to figure out what the operating system and the database server is.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

 

[axLW]

Getting the following error on the bold line below:

<html>
<body>

<%

PaxName = "antony"

set myconn = Server.CreateObject("ADODB.connection")
connection = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" &_
Server.MapPath("x\db.mdb") & ";"
myconn.open (connection)

set rs = Server.CreateObject("ADODB.recordset")

sql = "select * from  PaxName where PaxName = ''"

[b]rs.open sql, cn, 1, 3 '1 - adOpenKeyset , 3 - adLockOptimistic
[/b]rs.addNew
rs("PaxName") = PaxName 
rs.Update
rs.close

if err<>0 then
  Response.Write("Error#: " & Err.Number & ": " & Err.Description)
else
  Response.Write("<h3> 1 record added</h3>")
end if 

myconn.close

Response.write ("<br>")
Response.write ("<br>")
Response.write (err)

%>

</body>
</html>

ADODB.Recordset error '800a0bb9'

Arguments are of the wrong type, are out of acceptable range, or are in conflict with one another.

 

[guitarzan]

Your connection is called myconn, not cn

 

[axLW]

You know I did see that. I should have just changed it myself.

Sorry for being lazy. Thanks again for the solution.

If it makes the website a bit more secure it can only be a good thing.