Yesterday, I posted a problem which, by the way, I haven't been able to
solve yet. But in Aaron's reply, he questioned why I did several things the
way I did. My short answer is that I have a lot to learn, but now I'd like
to ask anyone who reads this, including Aaron, for some clarification. I
imagine others might benefit, too.
"Aaron Bertrand - MVP" <aa***@TRASHasp faq.com> wrote A few suggestions.
(3) why do you constantly set rs = createobject("A DODB.Recordset" ) but
never destroy any of them?
I went back and took care of it with this: set rs = nothing
My question is, is this enough?
(4) why are you allowing values from request.queryst ring into your SQL
statements unchecked? Have you tried something like...
DisplaySortable Tickets.asp?str Status=a';DELET E%20TKT_STATUS; SELECT%20' b
Never thought of that. Is that really an issue for an Intranet, though?
(5) why are you using ADODB.Recordset at all? These all seem to be
forward-only, static recordsets.
I don't really understand this question/statement. Is there another kind of
recordset?
Here is a rewrite of the first portion.
<!-- #INCLUDE FILE="includes/functions.asp" -->
<!-- #INCLUDE FILE="includes/argodbinc.asp" -->
<!-- #INCLUDE FILE="includes/colors.inc" -->
<%
function fixVal(s)
s = replace(request .QueryString(s) , "'", "''"))
end function
Does this just take the apostrophes from the querystring? Is that just to
keep it from being used by a malicious person who would put an evil SQL
statement? 37  2836 
"middletree " wrote ... I went back and took care of it with this: set rs = nothing
My question is, is this enough?
aye, remember to close the connection aswell when you're done with it.
DisplaySortable Tickets.asp?str Status=a';DELET E%20TKT_STATUS; SELECT%20' b
Never thought of that. Is that really an issue for an Intranet, though?
Yeppo - imagine the fun that could be had by a clued up developer just
before he leaves disgruntled...g oodbye important database content...you can
read up on this - try doing a Google search for SQL Injection.
Replacing the ' I believe is one solution...
I don't really understand this question/statement. Is there another kind
of recordset?
You can use 'curosors' within recordsets, the allow you to move BACK and
FORTH between the records you return in the recordset, if you do not need to
ever move back, and only forward - as Aaron mentions above etc...
s = replace(request .QueryString(s) , "'", "''"))
Does this just take the apostrophes from the querystring?
It wont 'take' them away - it simply replaces them with 2 apostrophes
Is that just to keep it from being used by a malicious person who would put
an evil SQL statement?
hehe - 'evil' - hehe - yes :)
Note, I am not as clued up as many here, so the above are only my
suggestions/opinions and thoughts - dont take 'em as gospel (unless I'm
correct in which case feel free to send me crates of copperfields sweet
sherry!)
Hope I helped,
Regards
Rob
"middletree " <mi********@hto mail.com> wrote in message
news:Om******** ********@TK2MSF TNGP11.phx.gbl. ..
I went back and took care of it with this: set rs = nothing
My question is, is this enough?
Do:
rs.Close
Set rs = Nothing
(4) why are you allowing values from request.queryst ring into your SQL statements unchecked? Have you tried something like...
DisplaySortable Tickets.asp?str Status=a';DELET E%20TKT_STATUS; SELECT%20' b
Never thought of that. Is that really an issue for an Intranet, though?
Yes! Sure, you can fire someone for dropping a table or something, but that
doesn't mean you should allow it to happen.
(5) why are you using ADODB.Recordset at all? These all seem to be forward-only, static recordsets.
I don't really understand this question/statement. Is there another kind
of recordset?
YEah. If Aaron did not already post this link, read this when you have a
few moments.
http://www.aspfaq.com/2191
function fixVal(s)
s = replace(request .QueryString(s) , "'", "''"))
end function
Does this just take the apostrophes from the querystring? Is that just to
keep it from being used by a malicious person who would put an evil SQL
statement?
It's to keep the ' from your SQL query, since ' is a delimiter in SQL.
Example:
sVar = "O'Brien"
sSQL = "SELECT Something FROM SomeTable WHERE LastName='" & sVar & "'"
That will result in a string of:
SELECT Something FROM SomeTable WHERE LastName='O'Bri en'
That ' in the O'Brien will be the end of the string, and then SQL will see
Brien' and get confused. The way to escape the ' is to double it up, so the
string would wind up looking like:
SELECT Something FROM SomeTable WHERE LastName='O''Br ien'
Passing the value through the fixVal function will double up any instances
of '.
Does that make sense?
Ray at work
p.s. For pleasure reading, download the whole aspfaq.com FAQ in pdf format
and read it over the weekend. It's very cool of Aaron to offer that whole
thing as a pdf.
"middletree " <mi********@hto mail.com> wrote in message
news:Om******** ********@TK2MSF TNGP11.phx.gbl. .. "Aaron Bertrand - MVP" <aa***@TRASHasp faq.com> wrote A few suggestions.
(3) why do you constantly set rs = createobject("A DODB.Recordset" ) but
never destroy any of them?
I went back and took care of it with this: set rs = nothing
My question is, is this enough?
You should close them when you are done with them:
rs.close
set rs = nothing (4) why are you allowing values from request.queryst ring into your SQL
statements unchecked? Have you tried something like...
DisplaySortable Tickets.asp?str Status=a';DELET E%20TKT_STATUS; SELECT%20' b
Never thought of that. Is that really an issue for an Intranet, though?
Do you want to risk it? One day you might wake up with no records in the
database an not know what happened to them. :) Here is a rewrite of the first portion.
<!-- #INCLUDE FILE="includes/functions.asp" -->
<!-- #INCLUDE FILE="includes/argodbinc.asp" -->
<!-- #INCLUDE FILE="includes/colors.inc" -->
<%
function fixVal(s)
s = replace(request .QueryString(s) , "'", "''"))
end function
Does this just take the apostrophes from the querystring? Is that just to
keep it from being used by a malicious person who would put an evil SQL
statement?
This replaces one single quotes with two single quotes. This is how you
escape the single quote. It should take care of the evil SQL statement I
think, but it also takes care of situations where your data contains a
single quote. For example, if I wanted to insert the string:
I don't like this
Then your SQL string would end when it encountered the single quote in that
string. The code above would replace the single quote so the string looked
like this:
I don''t like this
Your SQL string would then be valid.
Hope this helps.
Regards,
Peter Foti
middletree wrote: Yesterday, I posted a problem which, by the way, I haven't been able
to solve yet. But in Aaron's reply, he questioned why I did several
things the way I did. My short answer is that I have a lot to learn,
but now I'd like to ask anyone who reads this, including Aaron, for
some clarification. I imagine others might benefit, too.
"Aaron Bertrand - MVP" <aa***@TRASHasp faq.com> wrote A few suggestions. (3) why do you constantly set rs = createobject("A DODB.Recordset" )
but
never destroy any of them?
I went back and took care of it with this: set rs = nothing
My question is, is this enough?
There are situations where an open recordset cannot be set to nothing. It is
best to explicitly close it before setting it to nothing:
rs.close:set rs=nothing
(4) why are you allowing values from request.queryst ring into your
SQL statements unchecked? Have you tried something like...
DisplaySortable Tickets.asp?str Status=a';DELET E%20TKT_STATUS; SELECT%20'
b
Never thought of that. Is that really an issue for an Intranet,
though?
Yes. Has there never been a disgruntled employee in your company?
Some very secure networks have been hacked. Are you sure yours is up to the
task of defeating a determined hacker?
(5) why are you using ADODB.Recordset at all? These all seem to be
forward-only, static recordsets.
Ummm, this is a contradiction :-) I'm sure the word "static" was used
accidently here.
I don't really understand this question/statement. Is there another
kind of recordset?
No. It's Aaron's way of saying that you do not have to explicitly use
createobject to create the recordset object. Bottom line: whether you use an
explicit "Set rs=server.creat eobject("adodb. recordset")" statement or not,
you will get an adodb.recordset object from the connection.exec ute method.
However, there is a slight performance hit when you use createobject to
create the recordset. Here's why: when you use createobject, you're telling
ADO to build a recordset object, and set a reference to that object in your
variable. This is great if you are planning to create an ad hoc recordset by
appending fields to the Fields collection, or if you are planning to use the
Open method to open a non-default recordset after setting the appropriate
cursor type and location properties.
However, when you use connection.exec ute, ADO does the following:
1. creates a Command object to handle the execution of the query
2. creates a Recordset object to contain the results of the query (unless
you tell it not to by using the adExecuteNoReco rds option in the third
argument of the Execute statement)
3. Sets a reference to the new recordset object in the variable which is
receiving the results.If that variable already references another object,
that reference is destroyed, causing the referenced object to be destroyed
as well.
So, if you use createobject, you've created a recordset that will only be
destroyed when the connection.exec ute method is run. It's a performance hit,
but it's very slight. However:
Best practice is to skip the createobject statement when using Execute to
retrieve data into a recordset.
Here is a rewrite of the first portion. <!-- #INCLUDE FILE="includes/functions.asp" -->
<!-- #INCLUDE FILE="includes/argodbinc.asp" -->
<!-- #INCLUDE FILE="includes/colors.inc" -->
<%
function fixVal(s)
s = replace(request .QueryString(s) , "'", "''"))
end function
Does this just take the apostrophes from the querystring?
No. It replaces single apostrophes with two apostrophes, so that the
database engine will interpret them as literal quotes instead of delimiters.
Is that
just to keep it from being used by a malicious person who would put
an evil SQL statement?
Yes, but a better technique would be to use a stored procedure and a Command
object (or the procedure-as-connection-method technique).
HTH,
Bob Barrows
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
"middletree " <mi********@hto mail.com> wrote in message
news:Om******** ********@TK2MSF TNGP11.phx.gbl. .. Yesterday, I posted a problem which, by the way, I haven't been able to
solve yet. But in Aaron's reply, he questioned why I did several things
the way I did. My short answer is that I have a lot to learn, but now I'd like
to ask anyone who reads this, including Aaron, for some clarification. I
imagine others might benefit, too.
"Aaron Bertrand - MVP" <aa***@TRASHasp faq.com> wrote A few suggestions. (3) why do you constantly set rs = createobject("A DODB.Recordset" ) but
never destroy any of them?
I went back and took care of it with this: set rs = nothing
My question is, is this enough?
(4) why are you allowing values from request.queryst ring into your SQL
statements unchecked? Have you tried something like...
DisplaySortable Tickets.asp?str Status=a';DELET E%20TKT_STATUS; SELECT%20' b
Never thought of that. Is that really an issue for an Intranet, though?
I trust my intranet users less than I trust the general public!
See http://www.sqlsecurity.com/DesktopDe...ndex=2&tabid=3
(5) why are you using ADODB.Recordset at all? These all seem to be forward-only, static recordsets.
I don't really understand this question/statement. Is there another kind
of recordset?
I almost never (read never) need a recordset object.
Here is a rewrite of the first portion. <!-- #INCLUDE FILE="includes/functions.asp" -->
<!-- #INCLUDE FILE="includes/argodbinc.asp" -->
<!-- #INCLUDE FILE="includes/colors.inc" -->
<%
function fixVal(s)
s = replace(request .QueryString(s) , "'", "''"))
end function
Does this just take the apostrophes from the querystring? Is that just to
keep it from being used by a malicious person who would put an evil SQL
statement?
Mike wrote: I almost never (read never) need a recordset object.
:-)
So you never need to retrieve data from a database?
Are you sure you didn't mean to say "I never use createobject to create my
recordset objects"?
Bob Barrows
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
The key word there is "object." If I never create an object using
createobject do I ever have an object. I say no! So to reiterate. "I
almost never (read never) need a recordset object"
:-)
Mike
"Bob Barrows" <re******@NOyah oo.SPAMcom> wrote in message
news:eW******** ******@tk2msftn gp13.phx.gbl... Mike wrote: I almost never (read never) need a recordset object.
:-)
So you never need to retrieve data from a database?
Are you sure you didn't mean to say "I never use createobject to create my
recordset objects"?
Bob Barrows
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Whoah...
<%
Set rs = YourADOConnecti on.Execute(Your SQLQuery)
Response.Write VarType(rs)
'or
Response.Write IsObject(rs)
'etc.
%>
Ray at work
"Mike" <Mi**@nospam.co m> wrote in message
news:%2******** ********@tk2msf tngp13.phx.gbl. .. The key word there is "object." If I never create an object using
createobject do I ever have an object. I say no! So to reiterate. "I
almost never (read never) need a recordset object"
:-)
Mike
OK, thanks.
"Rob Meade" <ro********@N O-SPAM.kingswoodw eb.net> wrote in message
news:Az******** *************@n ews-text.cableinet. net... "middletree " wrote ...
I went back and took care of it with this: set rs = nothing
My question is, is this enough?
aye, remember to close the connection aswell when you're done with it.
DisplaySortable Tickets.asp?str Status=a';DELET E%20TKT_STATUS; SELECT%20'
b Never thought of that. Is that really an issue for an Intranet, though?
Yeppo - imagine the fun that could be had by a clued up developer just
before he leaves disgruntled...g oodbye important database content...you
can read up on this - try doing a Google search for SQL Injection.
Replacing the ' I believe is one solution...
I don't really understand this question/statement. Is there another kind of recordset?
You can use 'curosors' within recordsets, the allow you to move BACK and
FORTH between the records you return in the recordset, if you do not need
to ever move back, and only forward - as Aaron mentions above etc...
s = replace(request .QueryString(s) , "'", "''"))
Does this just take the apostrophes from the querystring?
It wont 'take' them away - it simply replaces them with 2 apostrophes
Is that just to keep it from being used by a malicious person who would
put an evil SQL statement?
hehe - 'evil' - hehe - yes :)
Note, I am not as clued up as many here, so the above are only my
suggestions/opinions and thoughts - dont take 'em as gospel (unless I'm
correct in which case feel free to send me crates of copperfields sweet
sherry!)
Hope I helped,
Regards
Rob
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Spammay Blockay |
last post by:
I've been tasked with doing technical interviews at my company,
and I have generally ask a range of OO, Java, and "good programming
technique" concepts.
However, one of my favorite exercises I give interviewees seems
to trip them up all the time, and I wonder if I'm being too much
of a hardass... it seems easy enough to ME, but these guys,...
|
by: byrocat |
last post by:
I'm chasing after a documetn that was available on one of the Microsoft
websites that was titled somethign like "MS SQL Server Best Practices"
and detailed a nyumber of best practices about securing the server.
Included in this was revoking public access to the system table
objects.
Can someone post the URL where I can pick this up, or...
|
by: Hareth |
last post by:
C# 2005 express & vb 2005 express:
1. During runtime, I can edit my codes in C#..... How come this cannot be
done in VB? it says ...."read-only" during runtime......
2. Why does vb automatically show the errors, but C# i have to build the app
b4 errors are underlined in my code?
|
by: john doe |
last post by:
A quick question, about so-called 'best practices', I'm interested in
which of A/B of the two examples people would choose, and why.
public enum MyEnum
{
Option1 = 0,
Option2 = 1,
Option3 = 2,
Option4 = 3
|
by: Alex |
last post by:
Hello
I am intersting in developing and my background is VBA used in Excel and a
brief intro to Java.
I am interested in learning beyond VB and feel that C++ would be a very good
language to get to know and give a lot of flexibility (if not tough to learn).
I would like some advice on the merits of learning C++ versus C# or Visual...
| | |
by: Noor |
last post by:
Hi everyone.
Im kinda newbie to .net programming and very confused after seeing too many
options for building database applicaton.
I have few question for you people and want answers to them.
1) is databinding in .net a best practice?
2) what are the best practices to develop a simple database application?
3) where can i find sample...
|
by: Michael.Suarez |
last post by:
So we develop and maintain several applications used by several people
in the same company, on the same intranet.
There are several applications written in VB6, but going forward all of
the new development will be done in .NET 2.0, including eventual
rewrites of all the VB6 apps.
The VB6 executables are all stored in a network folder, and...
|
by: djc |
last post by:
I had previously (in asp.net 1.1 and asp.net web matrix) just done this to
populate a listbox with data from a database:
------------ this was from the page load event ----------------
'fill recipient address list box
Dim cnn As SqlConnection
cnn = New SqlConnection(Application("cnn").ToString())
Dim cmdGetAllRecipientAddresses As...
|
by: General Fear |
last post by:
Does anyone in this forum know of tech questions for an Access
programmer? I have not been able to find a good web page with Access
tech questions.
I am interviewing Access programmers and want to conduct some tech
tests.
...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it. ...
| | |
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in...
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| | |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating...
| |
