Wrox Programmer Forums
Classic ASP Databases Discuss using ASP 3 to work with data in databases, including ASP Database Setup issues from the old P2P forum on this specific subtopic. See also the book forum Beginning ASP.NET Databases for questions specific to that book. NOT for ASP.NET 1.0, 1.1, or 2.0.
You are currently viewing the Classic ASP Databases section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
Old March 6th, 2007, 02:23 AM
Authorized User
 
Join Date: Oct 2006
Posts: 60
Thanks: 0
Thanked 0 Times in 0 Posts
Default Weird ASP/SQL Problem

Weird ASP/SQL Problem


Consider the following HTML Form, it has a textbox and a search button.

Code:
<form method=post action="search.asp">
<input name="txtName" type="text" id="txtEmail" />
<input type="submit" name="Submit3" value="Search" />
</form>
The search.asp page:

Code:
select * from tbl_group_contact where userName ='"& request("txtName") &"'

If I put this query in the search.asp page then it will search by name based on the name I entered in the textbox. But if I leave the textbox empty and click on the search button, SQL fetches all the rows from the table. If you haven't noticed this before, try it now!!


Well, this is not my problem/question. My question is: if I place a combo box instead of the textbox and assign a NULL value to one of the option fields like:

Code:
<select name="txtType" id="txtType">
<option value="" selected="selected">All</option>
</select>

and press the search button, then it does not fetch all the rows as it did for the empty textbox.

Any idea why?

-----------------------------------------------
www.chargertek.in - Cheapest WebHosting
 
Old March 6th, 2007, 08:42 AM
Wrox Author
 
Join Date: Oct 2005
Posts: 4,104
Thanks: 1
Thanked 64 Times in 64 Posts
Send a message via AIM to dparsons
Default

You are setting yourself up for SQL injection on this one. Consider what would happen if I placed this code into the text box:

' OR 0 = 0; DROP TABLE tbl_group_contact --

Your sql string literally becomes this:
select * from tbl_group_contact where userName ='' OR 0 = 0; DROP TABLE tbl_group_contact --'

(anything after -- is commented out)

Do a Google search on parameterized queries in ADO as those are a lot safer.

In regards to your specific problem, check for the absence of data in the username field; if it is blank, return an error message to the user so that the SQL statement isn't executed.

===========================================================
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
^^Took that from planoie's profile^^
^^Modified text taken from gbianchi profile^^
===========================================================
Technical Editor for: Professional Search Engine Optimization with ASP.NET
http://www.wiley.com/WileyCDA/WileyT...470131470.html
===========================================================
Why can't Programmers, program??
http://www.codinghorror.com/blog/archives/000781.html
===========================================================
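The two fixes recommended above (reject an empty search, and pass the user's value as an ADO parameter instead of splicing it into the SQL text), written out as an added classic ASP example that is not code from this thread. The connection string, the 50-character column size and the output loop are assumptions; the ADO constant values are the standard ones from adovbs.inc.

```vbscript
<%
Option Explicit
' Added example (not from the original thread): search.asp rewritten so the
' value of txtName never becomes part of the SQL string.
Const adCmdText    = 1     ' ADO constants, normally taken from adovbs.inc
Const adVarWChar   = 202
Const adParamInput = 1

Dim name
name = Trim(Request.Form("txtName"))

' Empty-input check from the reply: do not run the query at all when the
' field is blank; tell the user instead.
If Len(name) = 0 Then
    Response.Write "Please enter a name to search for."
    Response.End
End If

Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
' Assumed connection string; replace with your own.
conn.Open "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=YourDb;Integrated Security=SSPI"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? placeholder is bound by the provider. Whatever the user typed,
' including quotes, semicolons or --, is compared as one literal string
' against userName; it cannot terminate the statement or start another.
cmd.CommandText = "SELECT * FROM tbl_group_contact WHERE userName = ?"
cmd.Parameters.Append cmd.CreateParameter("@userName", adVarWChar, adParamInput, 50, name)

Set rs = cmd.Execute

' Encode on output as well, so a stored value cannot inject markup.
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("userName") & "") & "<br />"
    rs.MoveNext
Loop

rs.Close : conn.Close
Set rs = Nothing : Set cmd = Nothing : Set conn = Nothing
%>
```

The same structure works for the combo box in the question: read Request.Form("txtType") and bind it as a second parameter rather than concatenating it.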
 
Old March 6th, 2007, 08:51 AM
Authorized User
 
Join Date: Oct 2006
Posts: 60
Thanks: 0
Thanked 0 Times in 0 Posts
Default

First of all, how would anyone know that my table name is tbl_group_contact?

Unless I show them the actual code

-----------------------------------------------
www.chargertek.in - Cheapest WebHosting
 
Old March 6th, 2007, 05:49 PM
Friend of Wrox
 
Join Date: Jul 2003
Posts: 599
Thanks: 6
Thanked 3 Times in 3 Posts
Default

Try Response.Write on the query on the search.asp page. Copy that, put it in QA and see if you still get all the rows. Also, if it works in QA, post a couple of rows so we can see what you're pulling.

dparsons has a good point. It may be possible to drop all of your tables with some kind of wildcard. I don't know about that, but it really does no one any good to be querying a database with an empty WHERE statement. Some error checking/validation on either page would do you good.



 
Old March 7th, 2007, 09:15 AM
Wrox Author
 
Join Date: Oct 2005
Posts: 4,104
Thanks: 1
Thanked 64 Times in 64 Posts
Send a message via AIM to dparsons
Default

You're missing the point, cancer, and that is the wrong attitude to have about this sort of thing. A script kiddie may not know exactly what your table names are, but suppose that instead of a Drop statement they made this call:

SELECT table_name from Information_Schema.Tables where table_type='Base Table'

So now they have rendered your logon query useless and have now queried the Tables schema and are returning a list of ALL tables in your database. So this statement "First of all how would anyone know that my table name is tbl_group_contact?" is a moot point because after executing the above query, I would know EVERY table in your database.


Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright (c) 2020 John Wiley & Sons, Inc.