Solved

Update / Insert / Delete (Parameters)

Posted on 2009-07-11
14
236 Views
Last Modified: 2012-06-27
Hello All;

Trying to wrap up this part of the SQL Server Conversion and Possibly secure the site
From possible SQL Injection.

OK.
What I need to know, is is there any special coding that needs to be done besides just adding what I have.
And I "THINK" that this needs to be added for every Column that is going to be:
Updated / Inserted / Deleted

SPOcmd.Parameters.Append SPOcmd.CreateParameter("@SPUsername", adVarChar,adParamInput, 25, strSUsername)

But, is there anything else that needs to be done to tighten these types of Statements up?

Thanks All;
Carrzkiss


<%

Set InMemocmd=Server.CreateObject("ADODB.Command")

InMemocmd.ActiveConnection=objConn

if trim(request.form("MWC")="Memo") then

MineID = Int(request.Form("id"))

strMyMemo = request.Form("MyMemo")

strMyMemo = trim(Replace(strMyMemo, vbCrLf, "<br />"))

strMyMemo = trim(Replace(strMyMemo, "'", "''"))

strMemoTitle = trim(request.Form("MyMemoTitle"))

strMemoTitle = trim(Replace(strMemoTitle, "'", "''"))

MemoSQL = "INSERT INTO MyMemo (MID, MyMemoTitle, MyMemo) values ('" & MineID & "','" &strMemoTitle& "','" &strMyMemo& "')"

'response.Write MemoSQL & "<br / >"

'response.End()

InMemocmd.CommandText=MemoSQL

InMemocmd.Execute

%>

Open in new window

0
Comment
Question by:Wayne Barron
  • 10
  • 4
14 Comments
 
LVL 142

Accepted Solution

by:
Guy Hengel [angelIII / a3] earned 500 total points
ID: 24833546
this should do:
<%
Set InMemocmd=Server.CreateObject("ADODB.Command")
InMemocmd.ActiveConnection=objConn
if trim(request.form("MWC")="Memo") then
MineID = Int(request.Form("id"))
strMyMemo = request.Form("MyMemo")
strMyMemo = trim(Replace(strMyMemo, vbCrLf, ""))
strMemoTitle = trim(request.Form("MyMemoTitle")) 
MemoSQL = "INSERT INTO MyMemo (MID, MyMemoTitle, MyMemo) values (@MineID, @strMemoTitle , @strMyMemo )"
InMemocmd.CommandText=MemoSQL
InMemocmd.Parameters.Append InMemocmd.CreateParameter("@MineID", adInteger, adParamInput,, MineID )
InMemocmd.Parameters.Append InMemocmd.CreateParameter("@strMemoTitle", adVarchar, adParamInput, 500, strMemoTitle )
InMemocmd.Parameters.Append InMemocmd.CreateParameter("@strMemo", adVarchar, adParamInput, 500, strMyMemo )
InMemocmd.Execute
%>

Open in new window

0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24833641
That is what I was thinking, but wanting to make sure before I did it.

Thank you Angel.

Carrzkiss
0
 
LVL 30

Author Closing Comment

by:Wayne Barron
ID: 31602523
Thank You Angel
Carrziss
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24833710
It seems that I have run into an issue that I cannot see to get around.

On this line

InMemocmd.Parameters.Append InMemocmd.CreateParameter("@strMemoTitle", adVarchar, adParamInput, 500, strMemoTitle )

I get this error
=====================================
ADODB.Command error '800a0d5d'
Application uses a value of the wrong type for the current operation.
/wl/Data/NewInserts.asp, line 65
=====================================
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24833714
that field is
varchar(MAX)
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24833722
I changed its values to    4000,
And that got rid of the error.

Now I have another error
>>Must declare the scalar variable

Going to work on that one now.

Carrzkiss
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24833730
Fixed it.

Had to change all Variables to a ?

MemoSQL = "INSERT INTO MyMemo (MID, MyMemoTitle, MyMemo) values (@MineID, @strMemoTitle , @strMyMemo )"

to

MemoSQL = "INSERT INTO MyMemo (MID, MyMemoTitle, MyMemo) values (?, ? , ? )"

That will do it.
Now I can complete the test and then implement the rest of them.

Have a good one Angel.
Carrzkiss
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 30

Author Comment

by:Wayne Barron
ID: 24833740
Wanted to add in the actual working code.
(With some code correction from Angel's Code)

Hope this helps someone.
Thank You Angel.
Carrzkiss
<%

Set InMemocmd=Server.CreateObject("ADODB.Command")

InMemocmd.ActiveConnection=objConn

if trim(request.form("MWC")="Memo") then

MineID = Int(request.Form("id"))

strMyMemo = request.Form("MyMemo")

strMyMemo = trim(Replace(strMyMemo, vbCrLf, ""))

strMemoTitle = trim(request.Form("MyMemoTitle")) 

MemoSQL = "INSERT INTO MyMemo (MID, MyMemoTitle, MyMemo) values (?, ? , ? )"

InMemocmd.CommandText=MemoSQL

InMemocmd.Parameters.Append InMemocmd.CreateParameter("@MineID", adInteger, adParamInput,, MineID )

InMemocmd.Parameters.Append InMemocmd.CreateParameter("@MyMemoTitle", adVarchar, adParamInput, 500, strMemoTitle )

InMemocmd.Parameters.Append InMemocmd.CreateParameter("@MyMemo", adVarchar, adParamInput, 500, strMyMemo )

InMemocmd.Execute

%>

Open in new window

0
 
LVL 142

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 24833903
the ? vs @parameter  depends on some connection options .. using oledb, you should be able to use @parameter. with odbc, it might be ? ...
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24835081
This is my Connection

<%
      Set ObjConn = CreateObject("ADODB.Connection")
      objConn.ConnectionString = "Provider=SQLOLEDB;Data Source=machineName;Database=MyDatabase;User ID=myuserconnname;Password=********;"
      objConn.Open
%>

So, I should be able to use it, but does seem like I can??  (SQLOLEDB)
0
 
LVL 142

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 24835169
what if you put:
InMemocmd.NamedParameters = true

Open in new window

0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24835489
Still gives the same error
>>Must declare the scalar variable
0
 
LVL 142

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 24835496
? :/
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24835530
I feel the same here :)
No problems.
It works with the ? so I am happy with that.

Do not worry about Angel.
Have an awesome day.

Carrzkiss
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Slowly Changing Dimension Transformation component in data task flow is very useful for us to manage and control how data changes in SSIS.
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
Using examples as well as descriptions, and references to Books Online, show the different Recovery Models available in SQL Server and explain, as well as show how full, differential and transaction log backups are performed
Via a live example, show how to set up a backup for SQL Server using a Maintenance Plan and how to schedule the job into SQL Server Agent.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now