Solved

SQL Statement refuses to complete itself in code

Posted on 2014-02-19
232 Views
Last Modified: 2014-04-29
On my website, I get people to register and then I email them a link which verifies that their email address is correct. The link is simply their email address in an encrypted format, which is decrypted when they return to the verification page.

The encrypting and decrypting code is here:

    Private Function EncryptString(strString)
        ' A fresh random key and offset are drawn per call; both end up inside the
        ' returned token, so the token carries everything needed to decode it.
        Dim CharHexSet, intStringLen, strTemp, strRAW, i, intKey, intOffSet
        Randomize Timer

        intKey = Round((Rnd * 1000000) + 1000000)      '##### Key Bitsize
        intOffSet = Round((Rnd * 1000000) + 1000000)   '##### KeyOffSet Bitsize

        If IsNull(strString) = False Then
            strRAW = strString
            intStringLen = Len(strRAW)

            ' Each character becomes Hex(code * key), followed by Hex(key) as a separator
            For i = 0 To intStringLen - 1
                strTemp = Left(strRAW, 1)
                strRAW = Right(strRAW, Len(strRAW) - 1)
                CharHexSet = CharHexSet & Hex(Asc(strTemp) * intKey) & Hex(intKey)
            Next

            ' Trailer: Hex(offset + key) and Hex(offset); subtracting them recovers the key
            EncryptString = CharHexSet & "|" & Hex(intOffSet + intKey) & "|" & Hex(intOffSet)
        Else
            EncryptString = ""
        End If
    End Function

    Private Function DeCryptString(strCryptString)
        Dim strRAW, arHexCharSet, i, intKey, intOffSet, strRawKey, strHexCrypData

        ' Split off the trailer and recover the key as (offset + key) - offset
        strRawKey = Right(strCryptString, Len(strCryptString) - InStr(strCryptString, "|"))
        intOffSet = Right(strRawKey, Len(strRawKey) - InStr(strRawKey, "|"))
        intKey = HexConv(Left(strRawKey, InStr(strRawKey, "|") - 1)) - HexConv(intOffSet)
        strHexCrypData = Left(strCryptString, Len(strCryptString) - (Len(strRawKey) + 1))

        ' Hex(key) terminates every character chunk, so Split also returns a final
        ' empty element; HexConv("") is Empty, which yields Chr(0) on that last pass.
        arHexCharSet = Split(strHexCrypData, Hex(intKey))

        For i = 0 To UBound(arHexCharSet)
            strRAW = strRAW & Chr(HexConv(arHexCharSet(i)) / intKey)
        Next

        DeCryptString = strRAW
    End Function

    Private Function HexConv(hexVar)
        ' Manual hex-to-integer conversion; returns Empty for an empty string
        Dim hxx, hxx_var, multiply
        If hexVar <> "" Then
            hexVar = UCase(hexVar)
            hexVar = StrReverse(hexVar)
            Dim hx()
            ReDim hx(Len(hexVar))
            hxx = 0
            hxx_var = 0
            For hxx = 1 To Len(hexVar)
                If multiply = "" Then multiply = 1
                hx(hxx) = Mid(hexVar, hxx, 1)
                hxx_var = (get_hxno(hx(hxx)) * multiply) + hxx_var
                multiply = (multiply * 16)
            Next
            hexVar = hxx_var
            HexConv = hexVar
        End If
    End Function

    Private Function get_hxno(ghx)
        ' Maps hex digits A-F to 10-15; digits 0-9 pass through unchanged
        If ghx = "A" Then
            ghx = 10
        ElseIf ghx = "B" Then
            ghx = 11
        ElseIf ghx = "C" Then
            ghx = 12
        ElseIf ghx = "D" Then
            ghx = 13
        ElseIf ghx = "E" Then
            ghx = 14
        ElseIf ghx = "F" Then
            ghx = 15
        End If
        get_hxno = ghx
    End Function



The verify page code is:

    verifyid = Request.QueryString("verifyid")
    emailid = DeCryptString(verifyid)

    strId = CStr(emailid)
    LOGINSQL = "UPDATE tbl_members SET status = 'live' WHERE emailaddress = '" & strId & "'"

    ' Debug output: writes the statement and ends the response before it is executed
    Response.Write LOGINSQL
    Response.End

    Set cmdHitting = Server.CreateObject("ADODB.Command")
    cmdHitting.ActiveConnection = DB_CON
    cmdHitting.CommandText = LOGINSQL
    cmdHitting.CommandType = 1          ' adCmdText
    cmdHitting.CommandTimeout = 0
    cmdHitting.Prepared = True
    cmdHitting.Execute()

My problem is that the SQL statement LOGINSQL stops at the email address and does not pick up the appended code for the closing apostrophe.

Question by: souldj
7 Comments
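Editor's note: the following is an added example, not code from the question or from any of the answers. It is a Python port of the EncryptString/DeCryptString pair above, written to show two things a practitioner should take from the code. First, every character chunk is terminated by Hex(key), so Split returns a trailing empty element and the decoded string ends in Chr(0); that NUL is the most plausible cause of the statement appearing to stop at the email address. Second, the "key" is stored inside the token, so anyone can mint a token the verify page accepts for any address, and the address reaching the SQL statement is therefore attacker-controlled. The HMAC-signed token at the end is the usual alternative; the secret, key, offset and sample addresses are made up for the example.

```python
import hashlib
import hmac
import random


def encrypt_string(text, key=None, offset=None):
    """Port of the thread's EncryptString. key/offset default to the range the
    VBScript draws from Rnd; fixed values make the behaviour repeatable."""
    if key is None:
        key = random.randint(1_000_000, 2_000_000)
    if offset is None:
        offset = random.randint(1_000_000, 2_000_000)
    key_hex = format(key, "X")                       # VBScript Hex() is upper-case
    body = "".join(format(ord(c) * key, "X") + key_hex for c in text)
    # Trailer carries Hex(offset + key) and Hex(offset): the key is recoverable
    return f"{body}|{format(offset + key, 'X')}|{format(offset, 'X')}"


def decrypt_string(token):
    """Port of the thread's DeCryptString, trailing-Chr(0) behaviour included."""
    body, raw_key = token.split("|", 1)
    key_plus_offset_hex, offset_hex = raw_key.split("|", 1)
    offset = int(offset_hex, 16)
    key = int(key_plus_offset_hex, 16) - offset
    # Like VBScript Split, str.split leaves a final "" because every chunk is
    # terminated by Hex(key); HexConv("") is Empty there, so Chr(0) is appended.
    chunks = body.split(format(key, "X"))
    return "".join(chr(int(h, 16) // key if h else 0) for h in chunks)


def forge_token(email, **kw):
    """An attacker needs no secret: the same public routine mints a token that
    the verify page will accept for any address."""
    return encrypt_string(email, **kw)


# --- the usual fix: a keyed MAC over the address, checked before any use ----
SERVER_SECRET = b"replace-with-a-per-deployment-secret"   # constructed placeholder


def make_signed_token(email, secret=SERVER_SECRET):
    tag = hmac.new(secret, email.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{email}|{tag}"


def verify_signed_token(token, secret=SERVER_SECRET):
    """Return the address if the tag is valid, otherwise None."""
    email, sep, tag = token.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(secret, email.encode("utf-8"), hashlib.sha256).hexdigest()
    return email if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    t = encrypt_string("a@b.c", key=1234567, offset=1111111)
    print(t)
    print(repr(decrypt_string(t)))                  # 'a@b.c\x00': the trailing NUL
    print(repr(decrypt_string(forge_token("victim@example.com"))))
    s = make_signed_token("a@b.c")
    print(verify_signed_token(s), verify_signed_token("victim@example.com|" + s.rpartition("|")[2]))
```

Two consequences for the verify page: the decoded address has to be checked for the trailing Chr(0) (or the decoder fixed to ignore the final empty element), and the address must not be trusted just because it decoded, since decoding proves nothing about who built the token. With a MAC the server secret never leaves the server, so only a token it issued verifies.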
LVL 33 | Accepted Solution
by: Big Monty, earned 168 total points
ID: 39872019
This is not a good way to build SQL statements; google "sql injection" and you'll see why.

To fix this issue, you need to replace any single quotes with double quotes, so change

  strId  = CStr(emailid)

to

  strId  = CStr( Replace( emailid, "'", "''" ) )



Or you would be better off using parameterized queries.
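Editor's note: an added example, not code from the thread, to make the accepted answer's point concrete. It reproduces the verify page's three options against a small constructed SQLite table shaped like tbl_members: plain concatenation (the question's code), the doubled-quote Replace from the answer, and a parameterised statement. The payload is a constructed address of the kind a forged verification token could decode to; with concatenation it flips every member to 'live'.

```python
import sqlite3


def make_db():
    """Constructed sample table shaped like the thread's tbl_members."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tbl_members (emailaddress TEXT, status TEXT)")
    con.executemany(
        "INSERT INTO tbl_members VALUES (?, ?)",
        [("alice@example.com", "pending"),
         ("bob@example.com", "pending"),
         ("carol@example.com", "pending")],
    )
    return con


def verify_concat(con, email):
    """The verify page's approach: the decoded address is pasted into the SQL."""
    sql = "UPDATE tbl_members SET status = 'live' WHERE emailaddress = '" + email + "'"
    return con.execute(sql).rowcount


def verify_escaped(con, email):
    """The accepted answer: double every single quote before concatenating."""
    sql = ("UPDATE tbl_members SET status = 'live' WHERE emailaddress = '"
           + email.replace("'", "''") + "'")
    return con.execute(sql).rowcount


def verify_param(con, email):
    """Parameterised: the address is bound as data and never parsed as SQL."""
    return con.execute(
        "UPDATE tbl_members SET status = 'live' WHERE emailaddress = ?", (email,)
    ).rowcount


def live_count(con):
    return con.execute(
        "SELECT COUNT(*) FROM tbl_members WHERE status = 'live'"
    ).fetchone()[0]


def live_after(fn, email):
    """Run one verify variant on a fresh table and report how many rows went live."""
    con = make_db()
    fn(con, email)
    return live_count(con)


# Constructed payload: what a forged token could decode to
PAYLOAD = "nobody@example.com' OR '1'='1"

if __name__ == "__main__":
    for fn in (verify_concat, verify_escaped, verify_param):
        print(f"{fn.__name__:15s} payload -> {live_after(fn, PAYLOAD)} live, "
              f"alice -> {live_after(fn, 'alice@example.com')} live")
```

In the thread's Classic ASP the parameterised form is the same shape: set cmdHitting.CommandText to "UPDATE tbl_members SET status = 'live' WHERE emailaddress = ?" and append the value with cmdHitting.Parameters.Append cmdHitting.CreateParameter("email", 200, 1, 255, strId), where 200 is adVarChar and 1 is adParamInput (the parameter name and size are assumptions here). Doubling quotes happens to stop this payload, but it only covers the one delimiter the code knows about; binding the value means the database never parses it at all. Note that binding does not remove the trailing Chr(0) that DeCryptString leaves on the address: that has to be stripped first, otherwise the bound value is a different string from the stored address and no row matches.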
LVL 52 | Assisted Solution
by: Scott Fell, EE MVE, earned 166 total points
ID: 39872058
Are there special characters being sent to the URL? Maybe you need to URL-encode the email before sending it to the URL? http://www.w3schools.com/Asp/met_urlencode.asp

Try it and see what the input looks like:

    verifyid = Request.QueryString("verifyid")
    emailid = DeCryptString(verifyid)
    Response.Write verifyid & "<br>" & emailid
    Response.End ' for testing
LVL 15 | Assisted Solution
by: pateljitu, earned 166 total points
ID: 39874121
I agree with @Big Monty and @Scott Fell: it is better to replace single quotes to avoid SQL injection, and also to URL-encode the query string.

Solution:
There seems to be some problem with the decryption logic, but when I wrapped the decrypted text in HTMLEncode I was able to view the email address with the complete SQL statement.

Your verify code will look as below:

    verifyid = Request.QueryString("verifyid")

    emailid = Server.HTMLEncode(Replace(DeCryptString(verifyid), "'", "''"))

    strId = CStr(emailid)
    LOGINSQL = "UPDATE tbl_members SET status = 'live' WHERE emailaddress = '" & strId & "'"

    Response.Write LOGINSQL
    Response.End
LVL 52 | Expert Comment
by: Scott Fell, EE MVE
ID: 39874715
FYI: http://www.classicasp.org/ has just about everything you need, including hash and encrypt/decrypt: http://www.classicasp.org/lib/asp/org/classicasp/doc/index.htm

You have to download the entire file, but you only have to upload the one file that has the functions. All open source.