Link to home
Create AccountLog in
Avatar of Baub Eis
Baub EisFlag for United States of America

asked on

problem with SQL statement after host migrated updated webserver

I have a sight that my webhost migrated to a new server and now one of my classic asp dynamic pages isn't loading correctly for the life of me I can't figure it out.

The site is http://www.performanceboatcenter.com

If you click on 'boats for sale' or the actual URL:

http://www.performanceboatcenter.com/boats_view_all_search.asp?boat_make=ALL&boat_price=0+AND+10000000&boat_LOA=0+AND+100000

I get a 'An error occurred on the server when processing the URL. Please contact the system administrator.
If you are the system administrator please click here to find out more about this error.'

But if I reaplace the boat_make= to an actual category like MTI the page will load, such as this:
http://www.performanceboatcenter.com/boats_view_all_search.asp?boat_make=MTI&boat_price=0+AND+10000000&boat_LOA=0+AND+100000

I'm guessing it has to do something with my recordset, I think this is enough code to look at it?

<%
Dim boats__MMColParam
boats__MMColParam = "boat"
If (Request("MM_EmptyValue") <> "") Then 
  boats__MMColParam = Request("MM_EmptyValue")
End If
%>
<%
Dim Boats__MMColParam1
Boats__MMColParam1 = "0 AND 1000000"
If (Request.QueryString("boat_price") <> "") Then 
  Boats__MMColParam1 = Request.QueryString("boat_price")   
End If
%>
<%
Dim Boats__MMColParam2
Boats__MMColParam2 = "Cigarette"
If (Request.QueryString("boat_make") <> "") Then 
  Boats__MMColParam2 = Request.QueryString("boat_make")
End If
%>
<%
Dim Boats__MMColParam3
Boats__MMColParam3 = "0 AND 100000"
If (Request.QueryString("boat_LOA") <> "") Then 
  Boats__MMColParam3 = Request.QueryString("boat_LOA")
End If
%>

<%
Dim boats
Dim boats_cmd
Dim boats_numRows
Set boats_cmd = Server.CreateObject ("ADODB.Command")
boats_cmd.ActiveConnection = MM_powerboat_STRING
	If request.QueryString("boat_make") = "ALL" then 
	boats_cmd.Commandtext = "SELECT * FROM mathews_powerboat1.boats WHERE boat_category = " & "'" & boats__MMColParam & "'" & " AND boat_price BETWEEN " & Boats__MMColParam1 & " AND boat_LOA BETWEEN " & Boats__MMColParam3 & " ORDER BY boat_LOA ASC"
	Elseif request.QueryString("boat_make") <> "ALL" Then 
	boats_cmd.Commandtext = "SELECT * FROM mathews_powerboat1.boats WHERE boat_category = " & "'" & boats__MMColParam & "'" & " AND boat_price BETWEEN " & Boats__MMColParam1 & " AND boat_LOA BETWEEN " & Boats__MMColParam3 & " AND boat_make = " & "'" & Boats__MMColParam2 & "'" & " ORDER BY boat_LOA ASC"
	End If
boats_cmd.Prepared = true
'rsboats_cmd.Parameters.Append rsboats_cmd.CreateParameter("param1", 200, 1, 50, rsboats__MMColParam) ' adVarChar

Set boats = boats_cmd.Execute
boats_numRows = 0
%>

Open in new window


Not sure if its cause I'm doing a classic asp thing and the new server doesn't quite support that or what the problem is.  Any help or directions in troubleshooting would be great, host is slow getting back to me, as I figure they are busy trying to troubleshoot all of the folks that got migrated also?

Thanks
Baub
ASKER CERTIFIED SOLUTION
Avatar of Big Monty
Big Monty
Flag of United States of America image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Can you have your host service turn on errors temporarily. This is off by default.


Also this is not safe
 Boats__MMColParam2 = Request.QueryString("boat_make")

Open in new window

You should be in the habit of scrubbing your data before you send it to your db.  Otherwise you are open to sql injection.
Another option, you may want to convert "ALL" to ucase.  This way, if somebody types in "all" or "ALL" or "All" they get the expected result.
excellent point, couldn't agree more :)
Avatar of Baub Eis

ASKER

Waiting to hear back from host.  I'll keep you posted.  As far as the "all" thing, I am the only one making calls to that so I would always use the ALL.  You can't manually type that in anywhere.  I'll keep you guys posted....
did you try displaying the sql statement as I suggested?
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Thanks on the SQL injection stuff.  I'm familiar with it I've had to fight it off before.  Thanks for all of your help.

I believe that when I was entering test data to test what was going on i got the phrase 'test' inserted into a 'int' field.  So that was the problem.   So I'm giving the majority of points to Big Daddy.  But I'm gonna give a few to the others that chimed in.  As being a web developer that is a one man show, I don't always have other folks to ask questions and this forum has saved me I don't know how many times.  My appreciation goes out to all of you!