micamb
asked on
How to use stores procedures in mysql
This is not really a problem - yet. It is merely me trying to understand how to secure my code from sql injection. I'm using classic asp as it's all I know.
As far as I understand using stored procedures within my mysql database and then calling these procedures would be the way forward. I'd like to get this working.
I was directed towards this web-page in an earlier question: https://www.mikesdotnetting.com/article/5/saved-parameter-queries-with-ms-access-and-asp
However this concerns an MS access database, and I can't get it to work in my mysql database (for obvious reasons I guess).
Let's assume that I have table MyTable with the followong fields: Id (mediumint), GUID (varchar), Name (Text), DateInserted (Datetime), Comments (Text) (DateTime), Status (mediumint)
I need to read from, update, insert and delete in this table.
I would need to create stored procedures for this, right? I can't seem to find a way to do that using phpMydAdmin (which is what I got and will use, regardless). How would I create these procedures?
Remember that this has to work with classic asp.
Best regards
Michael
As far as I understand using stored procedures within my mysql database and then calling these procedures would be the way forward. I'd like to get this working.
I was directed towards this web-page in an earlier question: https://www.mikesdotnetting.com/article/5/saved-parameter-queries-with-ms-access-and-asp
However this concerns an MS access database, and I can't get it to work in my mysql database (for obvious reasons I guess).
Let's assume that I have table MyTable with the followong fields: Id (mediumint), GUID (varchar), Name (Text), DateInserted (Datetime), Comments (Text) (DateTime), Status (mediumint)
I need to read from, update, insert and delete in this table.
I would need to create stored procedures for this, right? I can't seem to find a way to do that using phpMydAdmin (which is what I got and will use, regardless). How would I create these procedures?
Remember that this has to work with classic asp.
Best regards
Michael
Last Comment
ASKER
Thanks David! Im at a family dinner right now, but will check your answer once I get an opportunity. I'll most likely need to know how to invoke the stored procedure in classic asp.
Check out this article. Although written specifically for SQL Server, if written correctly, a stored procedure will prevent injection. Using parameterized stored procedures is the recommended way of coding your apps, rather than building the SQL in the app and passing it to the server.
ASKER
I really appreciate the feedback guys, but I'm afraid my skills are not quite at that level. I wasn't clear enough in the original post.
I wouldn't say those links you have provided are written in Greek, German is more like it - but that still means that I don't understand enough of it to create my own code.
What I need is an example of how to create a stored procedure based on the database contents provided above and a corresponding code in classic asp showing me how to get that data from the stored procedure.
I know it's asking a lot, but I've scoured the internet (maybe badly) and can't find what I'm looking for.
I wouldn't say those links you have provided are written in Greek, German is more like it - but that still means that I don't understand enough of it to create my own code.
What I need is an example of how to create a stored procedure based on the database contents provided above and a corresponding code in classic asp showing me how to get that data from the stored procedure.
I know it's asking a lot, but I've scoured the internet (maybe badly) and can't find what I'm looking for.
You create the procedure with the syntax:
Once you get to writing a procedure or two and get comfortable with that part, if you run into issues let us know.
create procedure usp_my_proc (parameterName1 parameterType1[, parameterNameN, parameterTypeN]) )
begin
...
end
Once you get to writing a procedure or two and get comfortable with that part, if you run into issues let us know.
David is correct (to a degree) that SQL Injection is handled at the application level, but that is either through the use of parameterized queries or stored procedures. I like using stored procedures because, if you need to make some change at the database level, where stored procedures live, you don't need to make any changes to your application layer.
My take is, code that affects the database should live, as much as possible, in the database (i.e. all data access is through stored procedures). Code that affects the application should live, as much as possible, in the application.
Different developers may feel differently, and I'm not saying this way is the only, or even necessarily always the right way, it is just one way. Getting off the subject for a minute... many developers will format data in the database layer.
For example:
My take is, code that affects the database should live, as much as possible, in the database (i.e. all data access is through stored procedures). Code that affects the application should live, as much as possible, in the application.
Different developers may feel differently, and I'm not saying this way is the only, or even necessarily always the right way, it is just one way. Getting off the subject for a minute... many developers will format data in the database layer.
For example:
SELECT FIRST_NAME + ' ' + MID_INIT + '. ' + LAST_NAME AS FullName,
LEFT(SSN, 3) + '-' + SUBSTRING(SSN, 4, 2) + '-' + RIGHT(SSN, 4) AS SSN
'(' + LEFT(PHONE, 3) + ') ' + SUBSTRING(PHONE, 4, 3) + '-' + RIGHT(PHONE, 4) AS PhoneNumber
FROM myTable
ASKER
Hi Doug,
I'm using Jquery mobile which forces me to format the data after it leaves the database (I think).
Question: Does stored procedures put more stress on the database than my conventional classic asp connection approach?
I have a Status field and a listname field. My first page filters my the view so it only contains people with a certain status on a certain list (i.e. 'Active' on 'List B'). This is controlled by dropdown menus on the presentation layer (if this then that kind-of-thing). Would I need a stored procedure pr. possibility (i.e. 'Inactive', 'List B' and 'Active' 'List B' etc.) or is it fine to transfer these choices through the code (show me everyone on List B who's active)?
I managed to set up a stored procedure (hooray) but I'm puzzled by the output. Here it is:
I'm using Jquery mobile which forces me to format the data after it leaves the database (I think).
Question: Does stored procedures put more stress on the database than my conventional classic asp connection approach?
I have a Status field and a listname field. My first page filters my the view so it only contains people with a certain status on a certain list (i.e. 'Active' on 'List B'). This is controlled by dropdown menus on the presentation layer (if this then that kind-of-thing). Would I need a stored procedure pr. possibility (i.e. 'Inactive', 'List B' and 'Active' 'List B' etc.) or is it fine to transfer these choices through the code (show me everyone on List B who's active)?
I managed to set up a stored procedure (hooray) but I'm puzzled by the output. Here it is:
DELIMITER $$
CREATE DEFINER=`DATABASE`@`%` PROCEDURE `PROCEDURENAME`(IN `ListName` TEXT, `Status` TEXT)
BEGIN
SELECT *
FROM TABLE
WHERE STATUS = STATUS AND ListName = ListName;
END$$
DELIMITER ;
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
You're not forgotten. I have three kids making programming a bit of a challenge. I'll update once I try your solution.
Story of my life. Seems like I'm always put on the back burner. I come in second to everyone else. :-)
ASKER
Hi Doug,
Miracles do happen (it IS that time of year). Based on your suggestions and a bit of tweaking I now have a procedure that reads the needed mysql data from the database.
Here's the working code for other peoples reference:
I think I'll mark it as solved, I've found a few pages talking about how to call procedures from classic asp. I'll try those and if I fail, I'll create a new questions in here.
Happy new year!
/Michael
Miracles do happen (it IS that time of year). Based on your suggestions and a bit of tweaking I now have a procedure that reads the needed mysql data from the database.
Here's the working code for other peoples reference:
DELIMITER $$
CREATE DEFINER=`DATABASE`@`%` PROCEDURE `MyFirstSQLProcedure`(IN `ListName` CHAR(20), IN `StatusList` CHAR(20))
READS SQL DATA
BEGIN
SELECT Column0, Column1, Column3, Column4, Column5, Column6, Column7 FROM Ventelister
WHERE Column1 = ListName AND Column7 = StatusList;
END$$
DELIMITER ;
I think I'll mark it as solved, I've found a few pages talking about how to call procedures from classic asp. I'll try those and if I fail, I'll create a new questions in here.
Happy new year!
/Michael
ASP
Active Server Pages (ASP) is Microsoft’s first server-side engine for dynamic web pages. ASP’s support of the Component Object Model (COM) enables it to access and use compiled libraries such as DLLs. It has been superseded by ASP.NET, but will be supported by Internet Information Services (IIS) through at least 2022.
82K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
https://stackoverflow.com/
To ensure you code is crafted well, use http://sqlmap.org/ to test your code.
You'll use the PHP as an example, then map the PHP approach to your ASP code base.