cleany asked:
How to save ASP forms to your database
How do you save your ASP form to your database?
I've got something like this (I know it's Dutch...).
(The file is called project_edit.asp.)
If someone renames the project_naam (project_name), I want it to update the database with that name.
<!-- #include file = inc/basicFunctions.asp -->
<%
dim project_id
project_id = request("project_id")
' the request value is concatenated straight into the query string
mySQL = "SELECT project_id, project_naam, opdracht, toepassingen, klant_naam FROM tbl_project P LEFT JOIN tbl_klant K on K.klant_id=P.klant_id WHERE project_ID = '" & project_ID & "'"
set myRecSet = conn.execute(mySQL)
%>
<form name="edit" method="post" action="project_edit.asp">
<input type="text" name="project" value="<%=myRecSet(1)%>"><p>
<textarea cols="70" rows="10" name="opdracht"><%=myRecSet(2)%></textarea><p>
<textarea cols="70" rows="20" name="toepassingen"><%=myRecSet(3)%></textarea>
<input type="submit" name="GO!">
</form>
hold on... hold on... this is very, very risky, and this is why...
think of someone editing the HTML and submitting the following....
<input type="hidden" name="project_id" value="1;delete from project WHERE 1=1">
this is one example... one can think of a lot more.... the moral of the story is
NEVER EVER PASS FORM DATA STRAIGHT TO DATABASE WITHOUT CHECKING.
you can do a quick check like
project_id = Request.Form("project_id")
if isNumeric(project_id) and project_id <> "" then
    if project_id <> "0" then
        ' we have a valid ID here
    end if
end if
check before getting near the database... always.
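One way to do the save the question asks for, with the check the reply insists on, as an added example (not code from the original question or from the reply). It is classic ASP/VBScript like the rest of the page and assumes `conn` is an open ADODB.Connection created by inc/basicFunctions.asp, that tbl_project has the columns project_id (integer identity), project_naam, opdracht and toepassingen as listed in the question, and that the form posts back to the same page with a hidden project_id field; the helper names ValidProjectId, RejectRequest, NewCommand and AddText are my own.

```vbscript
<!-- #include file = inc/basicFunctions.asp -->
<%
' Added example, not the original poster's code. Assumes "conn" is an open
' ADODB.Connection from inc/basicFunctions.asp and the tbl_project columns
' named in the question.

' ADO constants (values from adovbs.inc, so this runs without including it)
Const adCmdText = 1
Const adInteger = 3
Const adLongVarChar = 201
Const adParamInput = 1

' A project_id is only acceptable if it is a plain positive integer.
' IsNumeric alone is too loose (it also accepts "1e3", "&H1F", "1,5"),
' and VBScript does not short-circuit And/Or, so one anchored regex is
' both stricter and safer than a chain of conditions.
Function ValidProjectId(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[1-9][0-9]{0,8}$"
    ValidProjectId = re.Test(value)
End Function

' Stop the request before anything reaches the database.
Sub RejectRequest(reason)
    Response.Status = "400 Bad Request"
    Response.Write Server.HTMLEncode(reason)
    Response.End
End Sub

' Parameterised command: user text travels as a parameter value,
' never spliced into the SQL string.
Function NewCommand(sql)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sql
    Set NewCommand = cmd
End Function

' Text parameter; ADO requires Size > 0, so use the value length (minimum 1).
' adLongVarChar suits text/memo columns; match the type to your schema.
Sub AddText(cmd, name, value)
    Dim size
    size = Len(value)
    If size = 0 Then size = 1
    cmd.Parameters.Append cmd.CreateParameter(name, adLongVarChar, adParamInput, size, value)
End Sub

Dim project_id, cmd, rs
project_id = Trim(Request("project_id"))
If Not ValidProjectId(project_id) Then RejectRequest "invalid project_id"

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    ' Save: every field, the WHERE value included, is bound as a parameter.
    Set cmd = NewCommand("UPDATE tbl_project SET project_naam = ?, opdracht = ?, toepassingen = ? WHERE project_id = ?")
    AddText cmd, "project_naam", Request.Form("project")
    AddText cmd, "opdracht", Request.Form("opdracht")
    AddText cmd, "toepassingen", Request.Form("toepassingen")
    cmd.Parameters.Append cmd.CreateParameter("project_id", adInteger, adParamInput, , CLng(project_id))
    cmd.Execute
End If

' Load (also parameterised), then render the edit form with encoded output.
Set cmd = NewCommand("SELECT project_id, project_naam, opdracht, toepassingen, klant_naam " & _
    "FROM tbl_project P LEFT JOIN tbl_klant K ON K.klant_id = P.klant_id WHERE P.project_id = ?")
cmd.Parameters.Append cmd.CreateParameter("project_id", adInteger, adParamInput, , CLng(project_id))
Set rs = cmd.Execute
If rs.EOF Then RejectRequest "unknown project_id"
%>
<form name="edit" method="post" action="project_edit.asp">
<input type="hidden" name="project_id" value="<%=rs("project_id")%>">
<input type="text" name="project" value="<%=Server.HTMLEncode(rs("project_naam") & "")%>"><p>
<textarea cols="70" rows="10" name="opdracht"><%=Server.HTMLEncode(rs("opdracht") & "")%></textarea><p>
<textarea cols="70" rows="20" name="toepassingen"><%=Server.HTMLEncode(rs("toepassingen") & "")%></textarea><p>
<input type="submit" name="GO!">
</form>
```

Two things to note when adapting it: the `1;delete from project WHERE 1=1` payload from the reply fails the regex and is rejected with a 400 before any SQL runs, and even a value that passed the check could not alter the query, because the id is bound as an adInteger parameter rather than concatenated. The `& ""` on each output turns a database Null into an empty string, which Server.HTMLEncode needs; the encoding is what keeps a project name containing `"` or `<` from breaking out of the form's HTML.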
Of course you should always run as many checks and security features as you see fit, but that was not the question asked, Rana.
ASKER
thanks
ASKER
the identity was set to yes, so it's really not a problem, but thanks anyway.
leauanJ,
No, it was not the question, but an implementation. I would never suggest a fix with security flaws to a friend.
This question has been classified abandoned. I will make a recommendation to the
moderators on its resolution in a week or two. I appreciate any comments
that would help me to make a recommendation.
<note>
Unless it is clear to me that the question has been answered I will recommend delete. It is possible that a Grade less than A will be given if no expert makes a case for an A grade. It is assumed that any participant not responding to this request is no longer interested in its final disposition.
</note>
If the user does not know how to close the question, the options are here:
https://www.experts-exchange.com/help/closing.jsp
Cd&
It is time to clean this abandoned question up.
I am putting it on a clean up list for CS.
<recommendation>
points to IeaunJ -- Grade B
</recommendation>
If anyone participating in the Q disagrees with the recommendation,
please leave a comment for the mods.
Cd&