Sql commands in asp 3.0

Status: Not open for further replies.

ccook

Programmer
Feb 21, 2003
6
US
Hello,

First off, I'm an intern, not a full-time programmer...

Well anyhow, I wrote some code with the typical use of an SQL string. The string has data from the user in it. I know this has a threat of SQL injection. I was told to use SQL commands. But, as far as I knew, that was a .NET feature. Could someone tell me how this is done in 3.0?

'Current code
Strsql= "my sql statement +" & userdata & "'"
Set rs_admin=Conn.Execute(strsql)
 
Are you trying to do something like this?

strSQL = "SELECT * FROM SomeTable WHERE TableField = '" & UserData & "'"

If you could be somewhat more specific, might be able to help provide a better answer.

Everything is absolute. Everything else is relative.
 
Right, sorry about that...

Here's some code...

<%
Dim Conn, dbname, dsnpath
Set Conn=Server.CreateObject("ADODB.Connection")
dsnpath= "my pass/lgin"
Conn.Mode = 3
Conn.Open dsnpath

Strsql= "My sql string "

Set rs_admin=Conn.Execute(strsql)
' Rest of code
%>
 
I want to do the same with SQL commands (the only way in .NET ASP) (almost).
 
I think that you should be able to copy and paste that for ASP 3.0 without any problem. You might change this command:

Set rs_admin=Conn.Execute(strsql)

to this:

call Conn.Execute(strsql)

That way, you shouldn't have to deal with the rs_admin. Hope this is what you're looking for.

Everything is absolute. Everything else is relative.
 
Thank you :) A coworker showed me :)

I was looking for...

<%
Dim Conn, dbname, dsnpath
Set Conn=Server.CreateObject("ADODB.Connection")
dsnpath= "Connection Stuff"

Dim Cmd
Set Cmd = Server.CreateObject("ADODB.Command")
Dim RS
Set RS = Server.CreateObject("ADODB.Recordset")
Cmd.ActiveConnection = dsnpath
Cmd.CommandText = "select * from tblAdmin"
Cmd.Execute
RS.Open Cmd

Do While NOT RS.eof
Response.Write RS("AdminPassword")
Rs.MoveNext
Loop
' btw this is a test page, it won't print admin pass's ;)
%>
 
Can you please clarify your question and what you want to do? I don't understand your question.

There are multiple ways to get the same results. Are you wanting to get data from the database? If this is the case, then one way you can do this is open a recordset similar to:

dim strConn,strSql,rs
strConn = "<< your database connection string >>"

strSql = "select * from <<table>> where <<field>> = " & << your user value >>

On Error Resume Next

Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open strSql, strConn

if not rs.bof and not rs.eof then
    rs.movefirst
    do while not rs.eof
        response.write(rs("fieldname").Value)
        rs.movenext
    loop
else
    response.write("no records")
end if

if err.number <> 0 then
    response.write(err.number & " :: " & err.description)
else
    << continue on >>
end if

regards,
Brian
AOL IM: FreelanceGaines

 
Actually, if you're looking to return a recordset, you don't really need the Command function, you can just open the recordset directly from the SQL string. Something akin to this:

<%
Dim Conn, RS, strsql
Set Conn=Server.CreateObject("ADODB.Connection")
Conn.ConnectionString = <connection string here>
' dsnpath= "Connection Stuff"
Conn.Open

Set RS = Server.CreateObject("ADODB.Recordset")
' Conn is passed to RS.Open below, so RS.ActiveConnection need not be set separately
strsql = "select * from tblAdmin"
RS.Open strsql, Conn, 3, 1   ' 3 = adOpenStatic, 1 = adLockReadOnly

Do While NOT RS.eof
Response.Write RS("AdminPassword")
Rs.MoveNext
Loop
' btw this is a test page, it won't print admin pass's ;)
%>

This should give you the recordset without the added trouble of the command. HTH

Everything is absolute. Everything else is relative.
 
Sorry, BGaines, just realised that I essentially repeated your post. My bad. :-( My apologies.

Everything is absolute. Everything else is relative.
 
Cool! I like the code! But here's the story... (sorry I wasn't so clear) They want me to program the database access with a command object using parameters... for security. I'm doing good so far... The code I first put in worked great.

Again thanks so much!
 
That's cool, you can definitely do that too; however, in your code above you don't need to do both:

cmd.execute
<< and >>
rs.open cmd

I think that all you need is:
rs.open cmd

The cmd.execute is used when you don't expect a resultset back.

regards,
Brian
AOL IM: FreelanceGaines
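The parameterized command object ccook was asked to use, and Brian's point that opening the recordset from the command is enough on its own, as an added example that is not code from anyone in this thread. It assumes a table tblAdmin (named in the thread) with an AdminName column (an assumed column), and the connection string is a placeholder for your own. ADO constants are written as numbers so no adovbs.inc include is required.

```vbscript
<%
Option Explicit
' Added example, not code from the thread. Assumed: a table tblAdmin with a
' column AdminName; strConn is a placeholder for your own connection string.
Dim strConn, Conn, Cmd, RS, userName
strConn = "<< your database connection string >>"
userName = Request.Form("username")   ' untrusted input from the browser

Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open strConn

' Unsafe version (what the first post does): the user's text is spliced into
' the SQL, so a quote character in it changes the statement itself.
'   strSql = "SELECT AdminName FROM tblAdmin WHERE AdminName = '" & userName & "'"
'   Set RS = Conn.Execute(strSql)

' Parameterized version: the SQL text is fixed; the value travels separately
' as a typed parameter bound to the ? marker and is never parsed as SQL.
Set Cmd = Server.CreateObject("ADODB.Command")
Set Cmd.ActiveConnection = Conn        ' Set: ActiveConnection is an object here
Cmd.CommandType = 1                    ' adCmdText
Cmd.CommandText = "SELECT AdminName FROM tblAdmin WHERE AdminName = ?"
' CreateParameter(Name, Type, Direction, Size, Value)
' 200 = adVarChar, 1 = adParamInput, 50 = longest value the parameter accepts
Cmd.Parameters.Append Cmd.CreateParameter("pName", 200, 1, 50, userName)

' Open the recordset from the command; no separate Cmd.Execute is needed.
' The second argument stays empty because the connection comes from the command.
Set RS = Server.CreateObject("ADODB.Recordset")
RS.Open Cmd, , 3, 1                    ' 3 = adOpenStatic, 1 = adLockReadOnly

If RS.EOF Then
    Response.Write "no records"
Else
    Do While Not RS.EOF
        ' HTMLEncode so a stored value cannot inject markup into the page
        Response.Write Server.HTMLEncode(RS("AdminName").Value & "") & "<br>"
        RS.MoveNext
    Loop
End If

RS.Close
Conn.Close
Set RS = Nothing
Set Cmd = Nothing
Set Conn = Nothing
%>
```

The Size passed to CreateParameter should match the column's declared width; checking Len(userName) against it before appending the parameter avoids a provider error on oversized input. Because the value is bound rather than concatenated, a name containing a quote is simply looked up as that literal string.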

 