Solved

Update / Insert / Delete (Parameters)

Posted on 2009-07-11
14
237 Views
Last Modified: 2012-06-27
Hello All;

Trying to wrap up this part of the SQL Server Conversion and Possibly secure the site
From possible SQL Injection.

OK.
What I need to know, is is there any special coding that needs to be done besides just adding what I have.
And I "THINK" that this needs to be added for every Column that is going to be:
Updated / Inserted / Deleted

SPOcmd.Parameters.Append SPOcmd.CreateParameter("@SPUsername", adVarChar,adParamInput, 25, strSUsername)

But, is there anything else that needs to be done to tighten these types of Statements up?

Thanks All;
Carrzkiss


<%

Set InMemocmd=Server.CreateObject("ADODB.Command")

InMemocmd.ActiveConnection=objConn

if trim(request.form("MWC")="Memo") then

MineID = Int(request.Form("id"))

strMyMemo = request.Form("MyMemo")

strMyMemo = trim(Replace(strMyMemo, vbCrLf, "<br />"))

strMyMemo = trim(Replace(strMyMemo, "'", "''"))

strMemoTitle = trim(request.Form("MyMemoTitle"))

strMemoTitle = trim(Replace(strMemoTitle, "'", "''"))

MemoSQL = "INSERT INTO MyMemo (MID, MyMemoTitle, MyMemo) values ('" & MineID & "','" &strMemoTitle& "','" &strMyMemo& "')"

'response.Write MemoSQL & "<br / >"

'response.End()

InMemocmd.CommandText=MemoSQL

InMemocmd.Execute

%>

Open in new window

0
Comment
Question by:Wayne Barron
  • 10
  • 4
14 Comments
 
LVL 142

Accepted Solution

by:
Guy Hengel [angelIII / a3] earned 500 total points
ID: 24833546
this should do:
<%
Set InMemocmd=Server.CreateObject("ADODB.Command")
InMemocmd.ActiveConnection=objConn
if trim(request.form("MWC")="Memo") then
MineID = Int(request.Form("id"))
strMyMemo = request.Form("MyMemo")
strMyMemo = trim(Replace(strMyMemo, vbCrLf, ""))
strMemoTitle = trim(request.Form("MyMemoTitle")) 
MemoSQL = "INSERT INTO MyMemo (MID, MyMemoTitle, MyMemo) values (@MineID, @strMemoTitle , @strMyMemo )"
InMemocmd.CommandText=MemoSQL
InMemocmd.Parameters.Append InMemocmd.CreateParameter("@MineID", adInteger, adParamInput,, MineID )
InMemocmd.Parameters.Append InMemocmd.CreateParameter("@strMemoTitle", adVarchar, adParamInput, 500, strMemoTitle )
InMemocmd.Parameters.Append InMemocmd.CreateParameter("@strMemo", adVarchar, adParamInput, 500, strMyMemo )
InMemocmd.Execute
%>

Open in new window

0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24833641
That is what I was thinking, but wanting to make sure before I did it.

Thank you Angel.

Carrzkiss
0
 
LVL 30

Author Closing Comment

by:Wayne Barron
ID: 31602523
Thank You Angel
Carrziss
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24833710
It seems that I have run into an issue that I cannot see to get around.

On this line

InMemocmd.Parameters.Append InMemocmd.CreateParameter("@strMemoTitle", adVarchar, adParamInput, 500, strMemoTitle )

I get this error
=====================================
ADODB.Command error '800a0d5d'
Application uses a value of the wrong type for the current operation.
/wl/Data/NewInserts.asp, line 65
=====================================
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24833714
that field is
varchar(MAX)
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24833722
I changed its values to    4000,
And that got rid of the error.

Now I have another error
>>Must declare the scalar variable

Going to work on that one now.

Carrzkiss
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24833730
Fixed it.

Had to change all Variables to a ?

MemoSQL = "INSERT INTO MyMemo (MID, MyMemoTitle, MyMemo) values (@MineID, @strMemoTitle , @strMyMemo )"

to

MemoSQL = "INSERT INTO MyMemo (MID, MyMemoTitle, MyMemo) values (?, ? , ? )"

That will do it.
Now I can complete the test and then implement the rest of them.

Have a good one Angel.
Carrzkiss
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 
LVL 30

Author Comment

by:Wayne Barron
ID: 24833740
Wanted to add in the actual working code.
(With some code correction from Angel's Code)

Hope this helps someone.
Thank You Angel.
Carrzkiss
<%

Set InMemocmd=Server.CreateObject("ADODB.Command")

InMemocmd.ActiveConnection=objConn

if trim(request.form("MWC")="Memo") then

MineID = Int(request.Form("id"))

strMyMemo = request.Form("MyMemo")

strMyMemo = trim(Replace(strMyMemo, vbCrLf, ""))

strMemoTitle = trim(request.Form("MyMemoTitle")) 

MemoSQL = "INSERT INTO MyMemo (MID, MyMemoTitle, MyMemo) values (?, ? , ? )"

InMemocmd.CommandText=MemoSQL

InMemocmd.Parameters.Append InMemocmd.CreateParameter("@MineID", adInteger, adParamInput,, MineID )

InMemocmd.Parameters.Append InMemocmd.CreateParameter("@MyMemoTitle", adVarchar, adParamInput, 500, strMemoTitle )

InMemocmd.Parameters.Append InMemocmd.CreateParameter("@MyMemo", adVarchar, adParamInput, 500, strMyMemo )

InMemocmd.Execute

%>

Open in new window

0
 
LVL 142

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 24833903
the ? vs @parameter  depends on some connection options .. using oledb, you should be able to use @parameter. with odbc, it might be ? ...
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24835081
This is my Connection

<%
      Set ObjConn = CreateObject("ADODB.Connection")
      objConn.ConnectionString = "Provider=SQLOLEDB;Data Source=machineName;Database=MyDatabase;User ID=myuserconnname;Password=********;"
      objConn.Open
%>

So, I should be able to use it, but does seem like I can??  (SQLOLEDB)
0
 
LVL 142

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 24835169
what if you put:
InMemocmd.NamedParameters = true

Open in new window

0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24835489
Still gives the same error
>>Must declare the scalar variable
0
 
LVL 142

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 24835496
? :/
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24835530
I feel the same here :)
No problems.
It works with the ? so I am happy with that.

Do not worry about Angel.
Have an awesome day.

Carrzkiss
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever needed a SQL 2008 Database replicated/mirrored/log shipped on another server but you can't take the downtime inflicted by initial snapshot or disconnect while T-logs are restored or mirror applied? You can use SQL Server Initialize from Backup…
The Delta outage: 650 cancelled flights, more than 1200 delayed flights, thousands of frustrated customers, tens of millions of dollars in damages – plus untold reputational damage to one of the world’s most trusted airlines. All due to a catastroph…
Via a live example, show how to extract information from SQL Server on Database, Connection and Server properties
Via a live example, show how to setup several different housekeeping processes for a SQL Server.

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now