asp problem

^MisterJingo^

Hi all,
I've been asked to take a look at some asp code and am having trouble
finding where the problem lies.
The asp app itself contains a link to a second page, passing some
parameters on the query string. These parameters are used to stream a
file for downloading. This all works fine.
Just before stream occurs, I need to log the passed parameters into a
database. This is done by calling the following function:

sub saveClipInfo(category,no,clipMode)
    ' Timestamp built by hand as y-m-d plus the current time
    dateNow = year(now) & "-" & month(now) & "-" & day(now) & " " & time()
    ' Values are concatenated straight into the statement text
    sql = "INSERT INTO tbl_podcasts " & _
          "(category,clipNo,userID,forename,surname,studentYear,clipMode,dateNow) " & _
          "VALUES ('" & category & "'," & no & ", '" & session("userID") & "', " & _
          "'" & session("forename") & "', '" & session("surname") & "', " & _
          right(trim(session("sYear")),1) & ", '" & clipMode & "', '" & dateNow & "')"
    conn.execute(sql)
end sub

Even though the parameters are being passed correctly, nothing is added
to the database. To make the problem more confusing, this function is
used elsewhere and works correctly. So it seems to be a problem with
the stream page?

Any help would be appreciated.
 
Bob Barrows [MVP]

^MisterJingo^ said:
Hi all,
I've been asked to take a look at some asp code and am having trouble
finding where the problem lies.
The asp app itself contains a link to a second page, passing some
parameters on the query string. These parameters are used to stream a
file for downloading. This all works fine.
Just before stream occurs, I need to log the passed parameters into a
database.

What database? Type and version please. This information is almost always
relevant when asking a database-related question, and is definitely relevant
in this case.

This is done by calling the following function:

sub saveClipInfo(category,no,clipMode)
    dateNow = year(now) & "-" & month(now) & "-" & day(now) & " " & time()
    sql = "INSERT INTO tbl_podcasts " & _
          "(category,clipNo,userID,forename,surname,studentYear,clipMode,dateNow) " & _
          "VALUES ('" & category & "'," & no & ", '" & session("userID") & "', " & _
          "'" & session("forename") & "', '" & session("surname") & "', " & _
          right(trim(session("sYear")),1) & ", '" & clipMode & "', '" & dateNow & "')"

For debugging purposes, put these statements here:

Response.Write sql
Response.End

Run the page and make sure the sql statement is what you intend it to be.

conn.execute(sql)

Is "conn" defined somewhere? Do you have "On Error Resume Next" somewhere
masking errors?

Further points to consider:
Your use of dynamic sql is leaving you vulnerable to hackers using sql
injection:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23

See here for a better, more secure way to execute your queries by using
parameter markers:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e
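
The parameter-marker approach recommended above, sketched as an added example (not code from either poster or from the linked message). It assumes conn is an open ADODB.Connection; the column types and sizes are guesses, because the thread never names the database or its schema.

```vbscript
' Added example: saveClipInfo rewritten with ? parameter markers.
' Assumptions: conn is an open ADODB.Connection; the types and sizes below
' are placeholders to be matched against the real tbl_podcasts columns.
Const adInteger = 3
Const adVarChar = 200
Const adDBTimeStamp = 135
Const adParamInput = 1
Const adCmdText = 1
Const adExecuteNoRecords = 128

Sub saveClipInfo(category, no, clipMode)
    Dim cmd, yearDigit
    yearDigit = Right(Trim("" & Session("sYear")), 1)

    ' Fail loudly on non-numeric input instead of splicing it into SQL.
    ' No "On Error Resume Next" here, so a failed INSERT is not masked.
    If Not IsNumeric(no) Or Not IsNumeric(yearDigit) Then
        Err.Raise vbObjectError + 1, "saveClipInfo", _
            "clipNo and studentYear must be numeric"
    End If

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' One ? per value: the provider binds the data, so a quote character
    ' in category or surname can no longer change the statement.
    cmd.CommandText = "INSERT INTO tbl_podcasts " & _
        "(category,clipNo,userID,forename,surname,studentYear,clipMode,dateNow) " & _
        "VALUES (?,?,?,?,?,?,?,?)"

    ' Parameters are positional: append them in the order of the markers.
    With cmd.Parameters
        .Append cmd.CreateParameter("category", adVarChar, adParamInput, 50, "" & category)
        .Append cmd.CreateParameter("clipNo", adInteger, adParamInput, , CLng(no))
        .Append cmd.CreateParameter("userID", adVarChar, adParamInput, 50, "" & Session("userID"))
        .Append cmd.CreateParameter("forename", adVarChar, adParamInput, 50, "" & Session("forename"))
        .Append cmd.CreateParameter("surname", adVarChar, adParamInput, 50, "" & Session("surname"))
        .Append cmd.CreateParameter("studentYear", adInteger, adParamInput, , CLng(yearDigit))
        .Append cmd.CreateParameter("clipMode", adVarChar, adParamInput, 20, "" & clipMode)
        ' A real date value avoids the hand-built, locale-dependent string.
        .Append cmd.CreateParameter("dateNow", adDBTimeStamp, adParamInput, , Now())
    End With

    cmd.Execute , , adExecuteNoRecords
    Set cmd = Nothing
End Sub
```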