|
 |
asp_databases thread: WHERE clause works on dev PC, but not on client
Message #1 by "Doug Wilson" <doug.wilson@c...> on Wed, 9 Oct 2002 01:02:19
|
|
I have encountered the following error:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC Microsoft Access Driver] Unknown
It occurs on the 'Set rstLogin=' line of the following code:
strSQL = "SELECT * FROM Users " _
& "WHERE Username='" & Request.Form("login") & "' " _
& "AND Password='" & Request.Form("password") & "';"
Set cnnLogin = Server.CreateObject("ADODB.Connection")
cnnLogin.Open("DRIVER={Microsoft Access Driver (*.mdb)};" _
& "DBQ=" & Server.MapPath("invision2.mdb"))
Set rstLogin = cnnLogin.Execute(strSQL)
On my Win2K-SP3/IIS 5/Office 2K workstation, it works fine. However,
when I tried to install it at a customer (same configuration), I get
the error.
I wrote did a response.write strSQL and it has data.
I have tried it with and without a DSN= and it doesn't matter. I think
it's an ODBC issue, but I'm not sure. My dev PC has Microsoft Access
Driver version 4.00.6019 and my customer has 4.00.6200.
I changed the select statement to be "SELECT * From Users" and it
works .. but I need to filter results by user.
I'm stumped ... any ideas ?
Message #2 by "Ken Schaefer" <ken@a...> on Wed, 9 Oct 2002 11:31:46 +1000
|
|
First you should check out:
http://www.adopenstatic.com/faq/80040e14.asp
Password is a "reserved" word, which means that you should not use it for
column/table names, nor for function or variable names. Use something like
UserPassword instead.
Secondly, you are not escaping single quote marks, which leaves you open to
SQL Injection type attacks, eg where a malicious user can circumvent your
login code by typing in SQL commands into the login field, eg:
Username: ' OR 1=1
Password: ' OR 1=1
which gives you an SQL statement:
SELECT * FROM Users WHERE UserName = '' OR 1=1 AND Password = '' OR 1=1
which will always be "true", and they will always be able to login. Check
out:
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
SELECT * isn't a great idea either - use the actual fields you need, not *
Cheers
Ken
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Doug Wilson" <doug.wilson@c...>
Subject: [asp_databases] WHERE clause works on dev PC, but not on client
: I have encountered the following error:
: Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
: [Microsoft][ODBC Microsoft Access Driver] Unknown
:
: It occurs on the 'Set rstLogin=' line of the following code:
:
: strSQL = "SELECT * FROM Users " _
: & "WHERE Username='" & Request.Form("login") & "' " _
: & "AND Password='" & Request.Form("password") & "';"
:
: Set cnnLogin = Server.CreateObject("ADODB.Connection")
:
: cnnLogin.Open("DRIVER={Microsoft Access Driver (*.mdb)};" _
: & "DBQ=" & Server.MapPath("invision2.mdb"))
:
:
: Set rstLogin = cnnLogin.Execute(strSQL)
:
: On my Win2K-SP3/IIS 5/Office 2K workstation, it works fine. However,
: when I tried to install it at a customer (same configuration), I get
: the error.
:
: I wrote did a response.write strSQL and it has data.
:
: I have tried it with and without a DSN= and it doesn't matter. I think
: it's an ODBC issue, but I'm not sure. My dev PC has Microsoft Access
: Driver version 4.00.6019 and my customer has 4.00.6200.
:
: I changed the select statement to be "SELECT * From Users" and it
: works .. but I need to filter results by user.
Message #3 by "Doug Wilson" <doug.wilson@c...> on Mon, 14 Oct 2002 16:04:27
|
|
I solved the issue by going to the OLEDB connection method ... which seems
to be less MDAC version sensitive. Thanks for the assist.
> First you should check out:
http://www.adopenstatic.com/faq/80040e14.asp
Password is a "reserved" word, which means that you should not use it for
column/table names, nor for function or variable names. Use something like
UserPassword instead.
Secondly, you are not escaping single quote marks, which leaves you open to
SQL Injection type attacks, eg where a malicious user can circumvent your
login code by typing in SQL commands into the login field, eg:
Username: ' OR 1=1
Password: ' OR 1=1
which gives you an SQL statement:
SELECT * FROM Users WHERE UserName = '' OR 1=1 AND Password = '' OR 1=1
which will always be "true", and they will always be able to login. Check
out:
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
SELECT * isn't a great idea either - use the actual fields you need, not *
Cheers
Ken
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Doug Wilson" <doug.wilson@c...>
Subject: [asp_databases] WHERE clause works on dev PC, but not on client
: I have encountered the following error:
: Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
: [Microsoft][ODBC Microsoft Access Driver] Unknown
:
: It occurs on the 'Set rstLogin=' line of the following code:
:
: strSQL = "SELECT * FROM Users " _
: & "WHERE Username='" & Request.Form("login") & "' " _
: & "AND Password='" & Request.Form("password") & "';"
:
: Set cnnLogin = Server.CreateObject("ADODB.Connection")
:
: cnnLogin.Open("DRIVER={Microsoft Access Driver (*.mdb)};" _
: & "DBQ=" & Server.MapPath("invision2.mdb"))
:
:
: Set rstLogin = cnnLogin.Execute(strSQL)
:
: On my Win2K-SP3/IIS 5/Office 2K workstation, it works fine. However,
: when I tried to install it at a customer (same configuration), I get
: the error.
:
: I wrote did a response.write strSQL and it has data.
:
: I have tried it with and without a DSN= and it doesn't matter. I think
: it's an ODBC issue, but I'm not sure. My dev PC has Microsoft Access
: Driver version 4.00.6019 and my customer has 4.00.6200.
:
: I changed the select statement to be "SELECT * From Users" and it
: works .. but I need to filter results by user.
|
|
|
View Cart
