Asp+ XML

Charissa

I have some ASP code which is used to extract data in XML form, but it seems
like the data cannot be extracted from the database. Could anyone tell
me the problem with this code?


<%@ Language=VBScript %>
<% Response.Buffer = True %>

<%
username=Request.Cookies("SecondHand")("username")
password=Request.Cookies("SecondHand")("password")
%>
<%
Response.ContentType = "text/xml"

Dim cnnNorthWind, rsReturn
Dim sSQLStatement

sSQLStatement = "SELECT * FROM members where password = '" & Request.Cookies("SecondHand")("password") & "'"

On Error Resume Next
Set cnnNorthWind = Server.CreateObject("ADODB.Connection")
cnnNorthWind.ConnectionString = "DSN=db1"
cnnNorthWind.CursorLocation = 3
cnnNorthWind.Open
Set rsReturn = cnnNorthWind.Execute(sSQLStatement)
Set cnnNorthWind = Nothing

If Err.number <> 0 Then
    Response.Write "<Error>" & vbNewLine
    Response.Write vbTab & "<Description>" & Err.Description & "</Description>" & vbNewLine
    Response.Write "</Error>" & vbNewLine
    Response.End
End If

Response.Write ("<?xml version='1.0' encoding='ISO-8859-1'?><?xml-stylesheet type='text/xsl' href='member.xsl' version='1.0' encoding='ISO-8859-1'?> ") & vbNewLine
Response.Write "<members>" & vbNewLine

While Not rsReturn.EOF

    Response.Write vbTab & vbTab & "<member_name>" & rsReturn("member_name") & "</member_name>" & vbNewLine
    Response.Write vbTab & vbTab & "<username>" & rsReturn("username") & "</username>" & vbNewLine
    Response.Write vbTab & vbTab & "<password>" & rsReturn("password") & "</password>" & vbNewLine
    Response.Write vbTab & vbTab & "<email>" & rsReturn("email") & "</email>" & vbNewLine
    Response.Write vbTab & vbTab & "<contact_no>" & rsReturn("contact_no") & "</contact_no>" & vbNewLine
    Response.Write vbTab & vbTab & "<usertype>" & rsReturn("usertype") & "</usertype>" & vbNewLine

    Response.Flush

    rsReturn.MoveNext
Wend

Response.Write "</members>"
Set rsReturn = Nothing
%>

Steven Dilley

Charissa said:
I have some ASP code which is used to extract data in XML form, but it seems
like the data cannot be extracted from the database. Could anyone tell
me the problem with this code?

sSQLStatement = "SELECT * FROM members where password = '" & Request.Cookies("SecondHand")("password") & "'"

Have you tried "Select * from members for XML auto"?

Andy Dingley

I have some ASP code which is used to extract data in XML form, but it seems
like the data cannot be extracted from the database.

So what does it do? Throw an error? Return an empty recordset?

Could anyone tell me the problem with this code?
<%@ Language=VBScript %>

VBScript sucks. Switch to JScript (M$oft's JavaScript). You'll be
grateful in the long run. Much better error handling, same language
you'll be coding on the clients, and regexes are better integrated
with the language.
<%
username=Request.Cookies("SecondHand")("username")
password=Request.Cookies("SecondHand")("password")
%>

Chucking passwords around in cookies isn't the best code in the world,
but it ought to do something for the minute.

Response.ContentType = "text/xml"

Don't set .ContentType too early. You might want to return a text
error message.

sSQLStatement = "SELECT * FROM members where password = '" & Request.Cookies("SecondHand")("password") & "'"

This is nasty. What happens if two users have the same password?

Secondly, the password is "tainted". You've just pulled it from the
cookies collection, so it could have almost anything in it. What
happens when 3V1L H4XX0R D00D embeds some SQL in there and uses it to
read chunks of your database ?

Keep the "user filter parameter" (i.e. username) in a string
variable. Load it from the cookie (or whatever) early on, then
untaint it. Check the length, check the allowed character set, force
it to uppercase (or whatever). Then use this string variable to
build your SQL.

NEVER build dynamic SQL directly from user-supplied and unchecked
random stuff. Go search comp.risks for "buffer overflow attacks" if
you want the horror stories.

And don't build dynamic SQL anyway, especially not for user
validation. Use a stored query with a parameter.


cnnNorthWind.ConnectionString = "DSN=db1"

Don't know about this - do you really have such a DSN set up, and is
it working?

cnnNorthWind.CursorLocation = 3

I've no idea what this means (it's years since I wrote ASP code).
You don't need it for trivial examples, because the default should
work fine.

If you use the enum constants instead, I'd know what it meant
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ado270/htm/mdaenumac_13.asp

Set rsReturn = cnnNorthWind.Execute(sSQLStatement)
Set cnnNorthWind = Nothing

Why?

If Err.number <> 0 Then
Response.Write "<Error>" & vbNewLine
Response.Write vbTab & "<Description>" & Err.Description & _
"</Description>" & vbNewLine
Response.Write "</Error>" & vbNewLine

What's with the "<Error>"? This isn't XML - you haven't written the
prolog yet.

If it dies at this level, just write its obituary as text.

Response.End

Using Response.End in the middle of a page makes for unsupportable
code. Think "structured programming" - the concept is only 30-odd
years old.


Response.Write ("<?xml version='1.0' encoding='ISO-8859-1'?><?xml-stylesheet type='text/xsl' href='member.xsl' version='1.0' encoding='ISO-8859-1'?> ") & vbNewLine

This is just _WRONG_

Use a fecking DOM, don't write XML explicitly. NEVER !!!!

ASP is pretty sucky in places, but ADO and MSXML are the best things
about it - use them.

"</member_name>" & vbNewLine
Response.Write vbTab & vbTab & "<username>" & rsReturn("username") &

Don't return SQL text fields directly to an HTTP Response. Look at
Server.HTMLEncode()

"</username>" & vbNewLine
Response.Write vbTab & vbTab & "<password>" & rsReturn("password") & "</password>" & vbNewLine

Returning plaintext passwords isn't good practice.

Response.Flush

.Flush() is evil. Don't do it unless you have to.

rsReturn.MoveNext
Wend

Response.Write "</members>"
Set rsReturn = Nothing
%>


I can't see anything obviously wrong with this, and you mis-posted it
to an XML group.

I suggest you change the SQL and see what happens.
Try "SELECT * FROM members" and see if you can get it to return you
the whole lot. Then fix the querying problem, or see if you really
have anything in the cookie that you're expecting.


I suspect the cookie is empty. You should test for this and squawk
about it if it is.
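To make the advice in this thread concrete, here is the same page rebuilt the way the reply above describes: the cookie value is untainted (length and character-set check) before it is used, the lookup is by username through an ADODB.Command parameter rather than spliced SQL, the content type is set only once we know we are sending XML, errors are returned as plain text, the output is built with an MSXML DOM instead of hand-written tags, and the password column is compared in script but never written to the response. This is an added example, not code from the original post or from any of the replies. It assumes an ODBC DSN named db1, a members table with the columns the original post reads, that username is unique, that MSXML2.DOMDocument is registered on the server, and that usernames are limited to letters, digits and underscore (the allowed set is a choice for this example, not something the thread specifies).

```vbscript
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' Added example: the original page reworked along the lines suggested in the thread.
' Assumptions: DSN "db1", a "members" table with the columns used in the original
' post, unique usernames, and MSXML2.DOMDocument available on the server.
Response.Buffer = True

' ADO enum values spelled out instead of bare numbers (adCmdText, adParamInput, adVarChar).
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

' Untaint: only letters, digits and underscore, 1-50 characters (assumed policy).
Function IsSafeUsername(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_]{1,50}$"
    IsSafeUsername = re.Test(s)
End Function

' Plain-text failure path; ContentType has not been set to text/xml yet.
Sub FailAsText(msg)
    Response.ContentType = "text/plain"
    Response.Write msg
End Sub

' 1. Read the tainted input from the cookie, then check it before using it.
Dim sUser, sPass
sUser = Request.Cookies("SecondHand")("username") & ""
sPass = Request.Cookies("SecondHand")("password") & ""

If Len(sUser) = 0 Or Len(sPass) = 0 Then
    FailAsText "Missing username or password cookie"
ElseIf Not IsSafeUsername(sUser) Then
    FailAsText "Username contains characters that are not allowed"
Else
    ' 2. Parameterised query: the username is bound as a parameter, never
    '    concatenated into the SQL text, so cookie contents cannot alter the query.
    Dim cnn, cmd, rs
    Set cnn = Server.CreateObject("ADODB.Connection")
    cnn.Open "DSN=db1"
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cnn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT member_name, username, email, contact_no, usertype, password " & _
                      "FROM members WHERE username = ?"
    cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 50, sUser)
    Set rs = cmd.Execute

    ' 3. Authenticate in script. The stored password is compared here and
    '    is never added to the document that goes back to the client.
    If rs.EOF Then
        FailAsText "No such member"
    ElseIf StrComp(rs("password") & "", sPass, vbBinaryCompare) <> 0 Then
        FailAsText "Password does not match"
    Else
        ' 4. Build the XML with a DOM. Assigning .text escapes <, > and &,
        '    so no Server.HTMLEncode is needed for the field values.
        Dim doc, root, member, fields, i, node
        Set doc = Server.CreateObject("MSXML2.DOMDocument")
        doc.appendChild doc.createProcessingInstruction("xml", "version='1.0' encoding='ISO-8859-1'")
        doc.appendChild doc.createProcessingInstruction("xml-stylesheet", "type='text/xsl' href='member.xsl'")
        Set root = doc.createElement("members")
        doc.appendChild root
        Set member = doc.createElement("member")
        root.appendChild member
        fields = Array("member_name", "username", "email", "contact_no", "usertype")
        For i = 0 To UBound(fields)
            Set node = doc.createElement(fields(i))
            node.text = rs(fields(i)) & ""   ' & "" turns a Null column into an empty string
            member.appendChild node
        Next
        ' Only now do we know the response really is XML.
        Response.ContentType = "text/xml"
        Response.Write doc.xml
    End If
    rs.Close
    cnn.Close
End If
%>
```

Two design points worth noting. The connection is closed after the recordset has been read, not before, which is the ordering the reply questions in the original. And because the failure branches all run before Response.ContentType is set to text/xml, the browser shows the error as readable text rather than a malformed XML document; nothing in the script calls Response.End.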