Hi,
I have form GET method, example:
index.asp?Type=1&Type=3&Type=4&....
So,
I have something like this at the receiver side to retrieve multiple
Type value and insert into tables.
    Set QINSERT = Server.CreateObject("ADODB.Recordset")
    For Each item In Request.QueryString("Type")
        SQL= " INSERT INTO tblType (TypeID, UserID) VALUES ('" & Request.QueryString("Type")(item) & Session("ID") & "')"
        Set QINSERT = conn.execute(SQL)
    Next
But within the FOR statement, it ended up Internet 500 Error. What
did I do wrong ? Is Request.QueryString("Type")(item) correct ?
Session("ID") is OK. TypeID, UserID are correct too.
Please help to tell me what is wrong.
Regards,
magix
On Dec 26, 11:04 am, "mag...@gmail.com" <mag...@gmail.com> wrote:
> Hi,
> I have form GET method, example:
> index.asp?Type=1&Type=3&Type=4&....
> So,
> I have something like this at the receiver side to retrieve multiple
> Type value and insert into tables.
>     Set QINSERT = Server.CreateObject("ADODB.Recordset")
>     For Each item In Request.QueryString("Type")
>         SQL= " INSERT INTO tblType (TypeID, UserID) VALUES ('" & Request.QueryString("Type")(item) & Session("ID") & "')"
>         Set QINSERT = conn.execute(SQL)
>     Next
> But within the FOR statement, it ended up Internet 500 Error. What
> did I do wrong ? Is Request.QueryString("Type")(item) correct ?
> Session("ID") is OK. TypeID, UserID are correct too.
> Please help to tell me what is wrong.
> Regards,
> magix
Issue resolved and closed.
ma****@gmail.com wrote on 26 dec 2007 in
> ma****@gmail.com wrote on 26 dec 2007 in
>> For Each item In Request.QueryString("Type")
> Issue resolved and closed.
1 Since you are not the owner of usenet,
you cannot close an issue,
even if you opened it.
2 If you resolved your programming mistake,
it would be considerate to tell others,
that have already spent time thinking about it,
how and what.
====
Doing what you did with Request.QueryString,
if done on the open web,
is very dangerous for SQL injection.
Always validate all incoming data first,
or ask Bob for that other way,
which name always escapes me,
as I never use it.
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
"Evertjan." <ex**************@interxnl.net> wrote in message
news:Xn********************@194.109.133.242...
> ma****@gmail.com wrote on 26 dec 2007 in
>> ma****@gmail.com wrote on 26 dec 2007 in
>>> For Each item In Request.QueryString("Type")
>> Issue resolved and closed.
> 1 Since you are not the owner of usenet,
> you cannot close an issue,
> even if you opened it.
> 2 If you resolved your programming mistake,
> it would be considerate to tell others,
> that have already spent time thinking about it,
> how and what.
> ====
> Doing what you did with Request.QueryString,
> if done on the open web,
> is very dangerous for SQL injection.
> Always validate all incoming data first,
> or ask Bob for that other way,
> which name always escapes me,
> as I never use it.
It's called parameters. And it isn't an alternative. It's as well as.
It's useful for preventing other potential problems - not just Sql
Injection.
--
Mike Brind
Mike Brind wrote on 29 dec 2007 in
microsoft.public.inetserver.asp.general:
>
> "Evertjan." <ex**************@interxnl.net> wrote in message
> news:Xn********************@194.109.133.242...
>> ma****@gmail.com wrote on 26 dec 2007 in
>>> ma****@gmail.com wrote on 26 dec 2007 in
>>>> For Each item In Request.QueryString("Type")
>>> Issue resolved and closed.
>> 1 Since you are not the owner of usenet, you cannot close an issue, even if you opened it.
>> 2 If you resolved your programming mistake, it would be considerate to tell others, that have already spent time thinking about it, how and what.
>> ====
>> Doing what you did with Request.QueryString, if done on the open web, is very dangerous for SQL injection.
>> Always validate all incoming data first, or ask Bob for that other way, which name always escapes me, as I never use it.
> It's called parameters.
Ah yes, I was thinking about parainches or orthoyards,
but I am glad it turns out to be metric after all.
> And it isn't an alternative. It's as well as.
That is what alternative means, though I did not use that word.
> It's useful for preventing other potential problems - not just Sql
> Injection.
Please elaborate for us.
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
"Evertjan." <ex**************@interxnl.net> wrote in message
news:Xn********************@194.109.133.242...
> Mike Brind wrote on 29 dec 2007 in
> microsoft.public.inetserver.asp.general:
>> "Evertjan." <ex**************@interxnl.net> wrote in message news:Xn********************@194.109.133.242...
>>> ma****@gmail.com wrote on 26 dec 2007 in
>>>> ma****@gmail.com wrote on 26 dec 2007 in
>>>>> For Each item In Request.QueryString("Type")
>>>> Issue resolved and closed.
>>> 1 Since you are not the owner of usenet, you cannot close an issue, even if you opened it.
>>> 2 If you resolved your programming mistake, it would be considerate to tell others, that have already spent time thinking about it, how and what.
>>> ====
>>> Doing what you did with Request.QueryString, if done on the open web, is very dangerous for SQL injection.
>>> Always validate all incoming data first, or ask Bob for that other way, which name always escapes me, as I never use it.
>> It's called parameters.
> Ah yes, I was thinking about parainches or orthoyards,
> but I am glad it turns out to be metric after all.
>> And it isn't an alternative. It's as well as.
> That is what alternative means, though I did not use that word.
>> It's useful for preventing other potential problems - not just Sql Injection.
> Please elaborate for us.
The main additional benefit is that you don't need to delimit values in
concatenated SQL strings, which removes the source of a number of errors
posted here, such as datatype mismatches and syntax errors. With
parameters, you would still perform server-side validation of values (for
range, datatype etc), but you are right - you don't need to specifically
validate against Sql injection attempts.
--
Mike Brind
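
The combination Mike Brind describes (parameters, plus server-side validation of range and datatype), shown as an added example that is not part of the thread, for the repeated Type values in index.asp?Type=1&Type=3&Type=4. It assumes conn is an open ADODB.Connection, that TypeID and UserID are integer columns, and that valid TypeID values run from 1 to MAX_TYPE_ID, a made-up limit.

```vbscript
' Added example, not code from the thread. Assumptions: conn is an open
' ADODB.Connection, TypeID and UserID are integer columns, and valid
' TypeID values are 1..MAX_TYPE_ID (a made-up limit for illustration).
Const adInteger = 3, adParamInput = 1
Const adCmdText = 1, adExecuteNoRecords = 128
Const MAX_TYPE_ID = 100

' True (and result set) only for a plain decimal integer within range.
Function TryParseTypeId(raw, ByRef result)
    Dim re
    TryParseTypeId = False
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,4}$"
    If Not re.Test(raw) Then Exit Function
    result = CLng(raw)
    TryParseTypeId = (result >= 1 And result <= MAX_TYPE_ID)
End Function

Dim cmd, rawValue, typeId
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' Placeholders only: no quotes or delimiters to build by hand.
cmd.CommandText = "INSERT INTO tblType (TypeID, UserID) VALUES (?, ?)"
cmd.Parameters.Append cmd.CreateParameter("TypeID", adInteger, adParamInput)
cmd.Parameters.Append cmd.CreateParameter("UserID", adInteger, adParamInput)
cmd.Parameters("UserID").Value = CLng(Session("ID"))

' index.asp?Type=1&Type=3&Type=4 gives one loop pass per value.
conn.BeginTrans
For Each rawValue In Request.QueryString("Type")
    If Not TryParseTypeId(rawValue, typeId) Then
        ' One bad value rejects the whole request; nothing is stored.
        conn.RollbackTrans
        Response.Status = "400 Bad Request"
        Response.End
    End If
    cmd.Parameters("TypeID").Value = typeId
    cmd.Execute , , adExecuteNoRecords
Next
conn.CommitTrans
```

The transaction keeps a request with one invalid value from leaving a partial set of rows behind.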