07.10.2008 at 06:59AM PDT, ID: 23553735 | Points: 500
How to Create Stored Procedure using Parameters for ASP Code to combat SQL Injection

Asked by souldj in Active Server Pages (ASP), MS SQL Server, SQL Server 2005

Tags: ASP, VBSCRIPT, SQL, IE 6

For most of my sites, this is the code I use and I would like to convert this to Stored Procedures using parametrised variables

<%
    ' Admin login handler: looks up the submitted username, compares the stored
    ' password, sets the login cookies and records the login date.
    ' The username is concatenated straight into the SQL string, which is the
    ' injection point this question is about.
    Dim p_username, p_password, real_password, recordtoupdate, iRecordToUpdate
    Dim MyConn, MySQL, MyRs, objRecordset, redirectTo

    p_username = Request.Form("username")
    p_password = LCase(Request.Form("password"))
    Session("username") = p_username

    Set MyConn = Server.CreateObject("ADODB.Connection")
    MyConn.Open DB_Con

    ' Vulnerable: user input is spliced into the query text
    MySQL = "Select * from tbl_admin Where username = '" & p_username & "'"
    Set MyRs = MyConn.Execute(MySQL)

    If MyRs.EOF Then
        ' There is no such username, so the recordset is empty
        redirectTo = "default.asp?retry=username"
    Else
        ' The username is valid, now check the password
        real_password = Trim(MyRs("password"))

        ' Compare the submitted password with the database field for password
        If p_password = real_password Then
            ' The password is good: set the login cookies
            Response.Cookies("adminisloggedin")("username") = p_username
            Response.Cookies("adminisloggedin")("firstname") = MyRs("firstname")
            Response.Cookies("adminisloggedin")("lastname") = MyRs("lastname")
            Response.Cookies("adminisloggedin")("rank") = MyRs("rank")
            Response.Cookies("adminisloggedin")("dateoflogin") = MyRs("dateoflastlogin")
            recordtoupdate = MyRs("autoid")

            ' Report the date of login into the database
            ' (adOpenKeyset, adLockPessimistic and adCmdTable come from adovbs.inc
            ' or the ADO type library METADATA include)
            Set objRecordset = Server.CreateObject("ADODB.Recordset")
            objRecordset.Open "tbl_admin", DB_Con, adOpenKeyset, adLockPessimistic, adCmdTable

            iRecordToUpdate = CInt(recordtoupdate)
            If iRecordToUpdate <> 0 Then
                If Not objRecordset.EOF Then
                    ' Walk to the row whose autoid matches, stopping at EOF if it is not found
                    objRecordset.MoveFirst
                    Do While Not objRecordset.EOF
                        If objRecordset.Fields("autoid") = iRecordToUpdate Then Exit Do
                        objRecordset.MoveNext
                    Loop
                    If Not objRecordset.EOF Then
                        objRecordset.Fields("dateoflastlogin") = Date
                        objRecordset.Update
                    End If
                End If
            End If
            objRecordset.Close
            Set objRecordset = Nothing

            redirectTo = "frame.asp"
        Else
            ' The username is valid but the password is incorrect
            redirectTo = "default.asp?retry=password"
        End If
    End If

    ' Close everything before redirecting: Response.Redirect ends the page,
    ' so cleanup placed after it would never run
    MyRs.Close
    Set MyRs = Nothing
    MyConn.Close
    Set MyConn = Nothing
    Response.Redirect redirectTo
%>



I would like someone to help me rewrite this code with stored procedures for the login routine.
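One way to do this with an ADODB.Command and stored procedures, written here as an added example and not taken from the thread's answers: it keeps the page's DB_Con connection string, tbl_admin columns, cookie names and redirects, and assumes two procedures, usp_admin_login and usp_admin_touch_login (names are assumptions), whose T-SQL is given in the header comment.

```vbscript
<%
' Added example (not from the thread): the login routine with the SQL moved into
' stored procedures; user input is bound as typed ADODB parameters, never
' concatenated into query text. Procedure names below are assumptions.
' Assumed T-SQL, created once in the database:
'   CREATE PROCEDURE usp_admin_login @username nvarchar(50) AS
'     SELECT autoid, password, firstname, lastname, rank, dateoflastlogin
'     FROM tbl_admin WHERE username = @username
'   GO
'   CREATE PROCEDURE usp_admin_touch_login @autoid int AS
'     UPDATE tbl_admin SET dateoflastlogin = GETDATE() WHERE autoid = @autoid
'   GO
Const adCmdStoredProc = 4, adParamInput = 1, adVarWChar = 202, adInteger = 3

' Runs a one-parameter stored procedure and returns its recordset
Function RunProc(conn, procName, paramName, paramType, size, value)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = procName
    cmd.CommandType = adCmdStoredProc
    cmd.Parameters.Append cmd.CreateParameter(paramName, paramType, adParamInput, size, value)
    Set RunProc = cmd.Execute
End Function

Dim p_username, p_password, MyConn, rs, redirectTo
p_username = Request.Form("username")
p_password = LCase(Request.Form("password"))
Set MyConn = Server.CreateObject("ADODB.Connection")
MyConn.Open DB_Con
' Lookup by username: the value travels as @username, not as SQL text
Set rs = RunProc(MyConn, "usp_admin_login", "@username", adVarWChar, 50, p_username)
If rs.EOF Then
    redirectTo = "default.asp?retry=username"
ElseIf p_password <> Trim(rs("password")) Then
    redirectTo = "default.asp?retry=password"   ' username known, password wrong
Else
    Session("username") = p_username
    Response.Cookies("adminisloggedin")("username") = p_username
    Response.Cookies("adminisloggedin")("firstname") = rs("firstname")
    Response.Cookies("adminisloggedin")("lastname") = rs("lastname")
    Response.Cookies("adminisloggedin")("rank") = rs("rank")
    Response.Cookies("adminisloggedin")("dateoflogin") = rs("dateoflastlogin")
    ' Record the login date, again by parameter (an int parameter needs no size)
    RunProc MyConn, "usp_admin_touch_login", "@autoid", adInteger, 0, CLng(rs("autoid"))
    redirectTo = "frame.asp"
End If
rs.Close: MyConn.Close
Response.Redirect redirectTo
%>
```

Because the lookup is bound to @username, a submitted value containing a quote or a semicolon simply fails to match a row; no part of the input is ever interpreted as SQL, and the ADO constants are declared inline so adovbs.inc is not needed.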