problem with SQL statement after host migrated updated webserver

Baub Eis asked
769 Views
Last Modified: 2013-09-19
I have a site that my webhost migrated to a new server, and now one of my classic ASP dynamic pages isn't loading correctly. For the life of me I can't figure it out.

The site is http://www.performanceboatcenter.com

If you click on 'boats for sale' or the actual URL:

http://www.performanceboatcenter.com/boats_view_all_search.asp?boat_make=ALL&boat_price=0+AND+10000000&boat_LOA=0+AND+100000

I get: 'An error occurred on the server when processing the URL. Please contact the system administrator. If you are the system administrator please click here to find out more about this error.'

But if I replace boat_make=ALL with an actual category like MTI, the page will load, such as this:
http://www.performanceboatcenter.com/boats_view_all_search.asp?boat_make=MTI&boat_price=0+AND+10000000&boat_LOA=0+AND+100000

I'm guessing it has something to do with my recordset. I think this is enough code to look at?

<%
' Dreamweaver-style filter variables: each starts with a default and is
' overwritten with the raw request value whenever one is present.
Dim boats__MMColParam
boats__MMColParam = "boat"
If (Request("MM_EmptyValue") <> "") Then
  boats__MMColParam = Request("MM_EmptyValue")
End If
%>
<%
' Price range, used verbatim as the right-hand side of a BETWEEN clause
Dim Boats__MMColParam1
Boats__MMColParam1 = "0 AND 1000000"
If (Request.QueryString("boat_price") <> "") Then
  Boats__MMColParam1 = Request.QueryString("boat_price")
End If
%>
<%
' Boat make; "ALL" means no make filter (compared case-sensitively below)
Dim Boats__MMColParam2
Boats__MMColParam2 = "Cigarette"
If (Request.QueryString("boat_make") <> "") Then
  Boats__MMColParam2 = Request.QueryString("boat_make")
End If
%>
<%
' Length-overall range, also used verbatim in a BETWEEN clause
Dim Boats__MMColParam3
Boats__MMColParam3 = "0 AND 100000"
If (Request.QueryString("boat_LOA") <> "") Then
  Boats__MMColParam3 = Request.QueryString("boat_LOA")
End If
%>

<%
Dim boats
Dim boats_cmd
Dim boats_numRows
Set boats_cmd = Server.CreateObject("ADODB.Command")
boats_cmd.ActiveConnection = MM_powerboat_STRING
' The SQL text is built by concatenating the request values from above
' straight into the statement; only the make filter is conditional.
If Request.QueryString("boat_make") = "ALL" Then
  boats_cmd.CommandText = "SELECT * FROM mathews_powerboat1.boats WHERE boat_category = " & "'" & boats__MMColParam & "'" & " AND boat_price BETWEEN " & Boats__MMColParam1 & " AND boat_LOA BETWEEN " & Boats__MMColParam3 & " ORDER BY boat_LOA ASC"
Else
  boats_cmd.CommandText = "SELECT * FROM mathews_powerboat1.boats WHERE boat_category = " & "'" & boats__MMColParam & "'" & " AND boat_price BETWEEN " & Boats__MMColParam1 & " AND boat_LOA BETWEEN " & Boats__MMColParam3 & " AND boat_make = " & "'" & Boats__MMColParam2 & "'" & " ORDER BY boat_LOA ASC"
End If
boats_cmd.Prepared = True
' Leftover from the Dreamweaver recordset wizard; no parameter is actually appended
'rsboats_cmd.Parameters.Append rsboats_cmd.CreateParameter("param1", 200, 1, 50, rsboats__MMColParam) ' adVarChar

Set boats = boats_cmd.Execute
boats_numRows = 0
%>



Not sure if it's because I'm doing a classic ASP thing and the new server doesn't quite support that, or what the problem is. Any help or directions in troubleshooting would be great. The host is slow getting back to me, as I figure they are busy troubleshooting all of the folks that got migrated too.

Thanks
Baub

Web Ninja at large
CERTIFIED EXPERT
Commented:
Scott Fell, Developer
CERTIFIED EXPERT
Fellow
Most Valuable Expert 2013

Commented:
Can you have your host turn on error messages temporarily? This is off by default.


Also, this is not safe:
 Boats__MMColParam2 = Request.QueryString("boat_make")

You should be in the habit of scrubbing your data before you send it to your database. Otherwise you are open to SQL injection.
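For reference, here is the same boat search rewritten so that the request values never become part of the SQL text. This is an added example, not code from the original post or from the site's author: the filter values are bound as ADODB parameters instead of being concatenated into the statement, and the two "low AND high" ranges are parsed into integers first, so a non-numeric value such as "test" or an injected clause is rejected in the script instead of being handed to the database. The table name, column names and the MM_powerboat_STRING connection string come from the posted code; the ParseRange, IsWholeNumber and AddParam helpers, the default ranges and the parameter sizes are assumptions made for this example.

```vbscript
<%
Option Explicit
' Added example (not from the original post): the boat search built with
' ADODB parameters rather than string concatenation. Table, column names and
' MM_powerboat_STRING come from the posted code; ParseRange, IsWholeNumber,
' AddParam, the default ranges and parameter sizes are assumptions.

' ADO constants; drop these three lines if adovbs.inc is already included.
Const adInteger = 3
Const adVarChar = 200
Const adParamInput = 1

' Digits only. IsNumeric alone would also accept "1e3", "&H10" or "1,000".
' Length is capped at 9 digits so CLng cannot overflow.
Function IsWholeNumber(s)
    Dim i
    IsWholeNumber = (Len(s) > 0 And Len(s) <= 9)
    For i = 1 To Len(s)
        If Mid(s, i, 1) < "0" Or Mid(s, i, 1) > "9" Then IsWholeNumber = False
    Next
End Function

' Parse a "low AND high" range (the URL form "0+AND+10000000" decodes to this)
' into two Longs. Returns False and leaves the defaults in place for anything
' that is not exactly two whole numbers, e.g. "test" or "0 AND 1 OR 1=1".
Function ParseRange(rawValue, defaultLow, defaultHigh, ByRef low, ByRef high)
    Dim text, parts
    low = defaultLow
    high = defaultHigh
    ParseRange = False
    text = UCase(Trim("" & rawValue))   ' "" & x turns Empty or a request item into a string
    If Len(text) = 0 Then Exit Function
    parts = Split(text, " AND ")
    If UBound(parts) <> 1 Then Exit Function
    parts(0) = Trim(parts(0))
    parts(1) = Trim(parts(1))
    If Not IsWholeNumber(parts(0)) Or Not IsWholeNumber(parts(1)) Then Exit Function
    low = CLng(parts(0))
    high = CLng(parts(1))
    ParseRange = True
End Function

' Append one input parameter; parameters bind positionally to the ? markers.
Sub AddParam(cmd, name, dataType, size, value)
    cmd.Parameters.Append cmd.CreateParameter(name, dataType, adParamInput, size, value)
End Sub

Dim category, make, priceLow, priceHigh, loaLow, loaHigh
Dim sql, boats_cmd, boats

category = "boat"
If Request("MM_EmptyValue") <> "" Then category = "" & Request("MM_EmptyValue")

make = Trim("" & Request.QueryString("boat_make"))
If make = "" Then make = "Cigarette"

Call ParseRange(Request.QueryString("boat_price"), 0, 10000000, priceLow, priceHigh)
Call ParseRange(Request.QueryString("boat_LOA"), 0, 100000, loaLow, loaHigh)

' Only fixed SQL text here; every request value arrives through a ? placeholder.
sql = "SELECT * FROM mathews_powerboat1.boats" & _
      " WHERE boat_category = ?" & _
      " AND boat_price BETWEEN ? AND ?" & _
      " AND boat_LOA BETWEEN ? AND ?"
' "ALL", "all" and "All" all mean "no make filter"
If UCase(make) <> "ALL" Then sql = sql & " AND boat_make = ?"
sql = sql & " ORDER BY boat_LOA ASC"

Set boats_cmd = Server.CreateObject("ADODB.Command")
boats_cmd.ActiveConnection = MM_powerboat_STRING
boats_cmd.CommandText = sql
boats_cmd.Prepared = True

AddParam boats_cmd, "category", adVarChar, 255, category
AddParam boats_cmd, "priceLow", adInteger, 0, priceLow
AddParam boats_cmd, "priceHigh", adInteger, 0, priceHigh
AddParam boats_cmd, "loaLow", adInteger, 0, loaLow
AddParam boats_cmd, "loaHigh", adInteger, 0, loaHigh
If UCase(make) <> "ALL" Then AddParam boats_cmd, "make", adVarChar, 255, make

Set boats = boats_cmd.Execute
%>
```

With this shape, a request such as boat_make=MTI' OR '1'='1 is simply a make value nobody has a boat listed under, and boat_price=test leaves the default range in place rather than producing a server error. While debugging, Response.Write sql shows only the fixed statement with its ? markers, so the values can be inspected separately from the SQL.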
Scott Fell, Developer
CERTIFIED EXPERT
Fellow
Most Valuable Expert 2013

Commented:
Another option: you may want to convert "ALL" to UCase. This way, if somebody types in "all" or "ALL" or "All", they get the expected result.
Big Monty, Web Ninja at large
CERTIFIED EXPERT

Commented:
excellent point, couldn't agree more :)

Author

Commented:
Waiting to hear back from the host. I'll keep you posted. As far as the "all" thing, I am the only one making calls to that, so I would always use ALL. You can't manually type that in anywhere. I'll keep you guys posted....
Big Monty, Web Ninja at large
CERTIFIED EXPERT

Commented:
did you try displaying the sql statement as I suggested?
Scott Fell, Developer
CERTIFIED EXPERT
Fellow
Most Valuable Expert 2013
Commented:

Author

Commented:
Thanks for the SQL injection stuff. I'm familiar with it; I've had to fight it off before. Thanks for all of your help.

I believe that when I was entering test data to test what was going on, I got the phrase 'test' inserted into an 'int' field. So that was the problem. So I'm giving the majority of points to Big Daddy, but I'm gonna give a few to the others that chimed in. As a web developer that is a one-man show, I don't always have other folks to ask questions, and this forum has saved me I don't know how many times. My appreciation goes out to all of you!