Asp+ XML

Discussion in 'XML' started by Charissa, Aug 7, 2003.

  1. Charissa

    Charissa Guest

    I have some ASP code which is used to extract data in XML form, but it
    seems like the data cannot be extracted from the database. Could anyone
    tell me the problem with this code?


    <%@ Language=VBScript %>
    <% Response.Buffer = True %>

    <%
    ' Read the login details back out of the cookie set at sign-in
    username = Request.Cookies("SecondHand")("username")
    password = Request.Cookies("SecondHand")("password")
    %>
    <%
    Response.ContentType = "text/xml"

    Dim cnnNorthWind, rsReturn
    Dim sSQLStatement

    ' Look the member up by the password held in the cookie
    sSQLStatement = "SELECT * FROM members where password = '" & _
        Request.Cookies("SecondHand")("password") & "'"

    On Error Resume Next
    Set cnnNorthWind = Server.CreateObject("ADODB.Connection")
    cnnNorthWind.ConnectionString = "DSN=db1"
    cnnNorthWind.CursorLocation = 3   ' 3 = adUseClient
    cnnNorthWind.Open
    Set rsReturn = cnnNorthWind.Execute(sSQLStatement)
    Set cnnNorthWind = Nothing

    If Err.number <> 0 Then
        Response.Write "<Error>" & vbNewLine
        Response.Write vbTab & "<Description>" & Err.Description & _
            "</Description>" & vbNewLine
        Response.Write "</Error>" & vbNewLine
        Response.End
    End If

    Response.Write "<?xml version='1.0' encoding='ISO-8859-1'?>" & _
        "<?xml-stylesheet type='text/xsl' href='member.xsl' " & _
        "version='1.0' encoding='ISO-8859-1'?> " & vbNewLine
    Response.Write "<members>" & vbNewLine

    ' One group of elements per matching row
    While Not rsReturn.EOF
        Response.Write vbTab & vbTab & "<member_name>" & rsReturn("member_name") & _
            "</member_name>" & vbNewLine
        Response.Write vbTab & vbTab & "<username>" & rsReturn("username") & _
            "</username>" & vbNewLine
        Response.Write vbTab & vbTab & "<password>" & rsReturn("password") & _
            "</password>" & vbNewLine
        Response.Write vbTab & vbTab & "<email>" & rsReturn("email") & _
            "</email>" & vbNewLine
        Response.Write vbTab & vbTab & "<contact_no>" & rsReturn("contact_no") & _
            "</contact_no>" & vbNewLine
        Response.Write vbTab & vbTab & "<usertype>" & rsReturn("usertype") & _
            "</usertype>" & vbNewLine

        Response.Flush

        rsReturn.MoveNext
    Wend

    Response.Write "</members>"
    Set rsReturn = Nothing
    %>
    Charissa, Aug 7, 2003
    #1

  2. "Charissa" <> wrote in message
    news:...
    > I have some ASP code which is used to extract data in XML form, but it
    > seems like the data cannot be extracted from the database. Could anyone
    > tell me the problem with this code?
    >
    > sSQLStatement = "SELECT * FROM members where password =
    > '"&Request.Cookies("SecondHand")("password")&"'"
    >


    Have you tried "Select * from members for XML auto"?

    --
    Steve
    Steven Dilley, Aug 7, 2003
    #2

  3. Charissa

    Andy Dingley Guest

    On 7 Aug 2003 07:38:53 -0700, (Charissa) wrote:

    >I have some ASP code which is used to extract data in XML form, but it
    >seems like the data cannot be extracted from the database.


    So what does it do ? Throw an error ? Return an empty recordset ?

    >Could anyone tell me the problem with this code?


    ><%@ Language=VBScript %>


    VBScript sucks. Switch to JScript (M$oft's JavaScript). You'll be
    grateful in the long run. Much better error handling, same language
    you'll be coding on the clients, and regexes are better integrated
    with the language.

    ><%
    >username=Request.Cookies("SecondHand")("username")
    >password=Request.Cookies("SecondHand")("password")
    >%>


    Chucking passwords around in cookies isn't the best code in the world,
    but it ought to do something for the minute.


    >Response.ContentType = "text/xml"


    Don't set .ContentType too early. You might want to return a text
    error message.


    >sSQLStatement = "SELECT * FROM members where password =
    >'"&Request.Cookies("SecondHand")("password")&"'"


    This is nasty. What happens if two users have the same password ?

    Secondly, the password is "tainted". You've just pulled it from the
    cookies collection, so it could have almost anything in it. What
    happens when 3V1L H4XX0R D00D embeds some SQL in there and uses it to
    read chunks of your database ?

    Keep the "user filter parameter" (i.e. username) in a string
    variable. Load it from the cookie (or whatever) early on, then
    untaint it. Check the length, check the allowed character set, force
    it to uppercase (or whatever). Then use this string variable to
    build your SQL.

    NEVER build dynamic SQL directly from user-supplied and unchecked
    random stuff. Go search comp.risks for "buffer overflow attacks" if
    you want the horror stories.

    And don't build dynamic SQL anyway, especially not for user
    validation. Use a stored query with a parameter.



    >cnnNorthWind.ConnectionString = "DSN=db1"


    Don't know about this - Do you really have such a DSN set up, and is
    it working ?


    >cnnNorthWind.CursorLocation = 3


    I've no idea what this means (it's years since I wrote ASP code).
    You don't need it for trivial examples, because the default should
    work fine.

    If you use the enum constants instead, I'd know what it meant
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ado270/htm/mdaenumac_13.asp


    >Set rsReturn = cnnNorthWind.Execute(sSQLStatement)


    >Set cnnNorthWind = Nothing


    Why ?

    >If Err.number <> 0 Then
    > Response.Write "<Error>" & vbNewLine
    > Response.Write vbTab & "<Description>" & Err.Description & _
    > "</Description>" & vbNewLine
    > Response.Write "</Error>" & vbNewLine


    What's with the "<Error>" ? This isn't XML - you haven't written the
    prolog yet.

    If it dies at this level, just write its obituary as text.

    > Response.End


    Using Response.End in the middle of a page makes for unsupportable
    code. Think "structured programming" - the concept is only 30-odd
    years old.



    >Response.Write ("<?xml version='1.0'
    >encoding='ISO-8859-1'?><?xml-stylesheet type='text/xsl'
    >href='member.xsl' version='1.0' encoding='ISO-8859-1'?> ") & vbNewLine


    This is just _WRONG_

    Use a fecking DOM, don't write XML explicitly. NEVER !!!!

    ASP is pretty sucky in places, but ADO and MSXML are the best things
    about it - use them.


    > "</member_name>" & vbNewLine
    > Response.Write vbTab & vbTab & "<username>" & rsReturn("username") &


    Don't return SQL text fields directly to a HTTP Response. Look at
    Server.HTMLEncode()


    > "</username>" & vbNewLine
    > Response.Write vbTab & vbTab & "<password>" & rsReturn("password") &
    >_
    > "</password>" & vbNewLine


    Returning plaintext passwords isn't good practice.

    >
    > Response.Flush


    .Flush() is evil. Don't do it unless you have to.

    >
    > rsReturn.MoveNext
    >Wend
    >
    >Response.Write "</members>"
    >Set rsReturn = Nothing
    >%>



    I can't see anything obviously wrong with this, and you mis-posted it
    to an XML group.

    I suggest you change the SQL and see what happens.
    Try "SELECT * FROM members" and see if you can get it to return you
    the whole lot. Then fix the querying problem, or see if you really
    have anything in the cookie that you're expecting.


    I suspect the cookie is empty. You should test for this and squawk
    about it if it is.
    Andy Dingley, Aug 7, 2003
    #3
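Pulling the advice in the reply above together (untainted filter parameter, parameterized query, XML built through the MSXML DOM, no password column in the output, content type set only once the page knows what it is sending, empty cookie reported as text), here is an added example that is not the poster's or either replier's code. It assumes the thread's "db1" DSN, the "members" columns the original selects and the "SecondHand" cookie; ADODB.Command and MSXML2.DOMDocument are the standard ASP-era components.

```vbscript
<%@ Language=VBScript %>
<%
' Added example, not the original poster's code. It assumes the DSN "db1",
' the "members" columns the original selects and the "SecondHand" cookie.
' Untaint the cookie value: only a value of checked length and character set
' is used, and the raw cookie string never reaches the SQL text.
Function IsSafeUsername(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_]{1,32}$"
    IsSafeUsername = re.Test(s)
End Function
' Parameterized lookup: the value is bound, so quotes or SQL fragments in it
' stay data. For a stored procedure use CommandType = 4 (adCmdStoredProc).
Function LookupMember(username)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = "DSN=db1"
    cmd.CommandType = 1   ' adCmdText
    cmd.CommandText = "SELECT member_name, username, email, contact_no, " & _
                      "usertype FROM members WHERE username = ?"
    cmd.Parameters.Append cmd.CreateParameter("u", 200, 1, 32, username) ' adVarChar, adParamInput
    Set LookupMember = cmd.Execute
End Function
' Build the document with the MSXML DOM: it escapes <, & and quotes in field
' values for us, and the password column is simply never copied out.
Function BuildMembersXml(rs)
    Dim doc, root, member, child, fields, i
    Set doc = Server.CreateObject("MSXML2.DOMDocument")
    Set root = doc.appendChild(doc.createElement("members"))
    fields = Array("member_name", "username", "email", "contact_no", "usertype")
    Do Until rs.EOF
        Set member = root.appendChild(doc.createElement("member"))
        For i = 0 To UBound(fields)
            Set child = member.appendChild(doc.createElement(fields(i)))
            child.text = rs(fields(i)) & ""   ' & "" maps a NULL column to ""
        Next
        rs.MoveNext
    Loop
    Set BuildMembersXml = doc
End Function
Dim username, doc
username = Trim(Request.Cookies("SecondHand")("username") & "")
If Not IsSafeUsername(username) Then
    Response.ContentType = "text/plain"   ' decided only once we know what we send
    Response.Write "Missing or invalid username cookie"
Else
    Set doc = BuildMembersXml(LookupMember(username))
    Response.ContentType = "text/xml"
    doc.save Response
End If
%>
```

An empty or missing cookie fails the character-set check and is reported as plain text rather than as a broken XML fragment, which is the "squawk about it" step the reply asks for.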
