Assistance with ASP Redirect

Discussion in 'ASP General' started by Endora, Aug 12, 2004.

  1. Endora

    Endora Guest

    Hello,

    The database I'm working with has these 2 fields:

    - "CD", which stands for "Consolidated Design Number" (not Compact
    DISC)

    and

    - "URL", which is the full URL (http://...)

    Users need to be able to type a CD number into a form text box and,
    upon submission, be redirected to a non-database-driven html index
    (home page) for all the info associated with that particular CD. A
    drop-down might be simpler, but it would be way too long since there
    are many, many numbers.

    Here's what I have. Can't seem to get it to work.

    Any assistance would be very much appreciated. Thanks!

    <%
    sDSN = "Driver={Microsoft Access Driver (*.mdb)};Dbq=path-to-my-db.mdb;"
    %>
    <%
    set ac = CreateObject("ADODB.Connection")
    set ar = CreateObject("ADODB.Recordset")
    ac.Open sDSN '"DSN=my-db","myuser","mypass"
    sSQL = "SELECT URL FROM mytable WHERE CD=" & Request.Form("CD")
    set ar = ac.Execute(sSQL)
    if NOT ar.EOF then
    URL = ar("URL")
    Response.Redirect url
    else
    ' new customer or bad ID
    End If
    %>
     
    Endora, Aug 12, 2004
    #1

  2. Endora

    Evertjan. Guest

    Endora wrote on 12 aug 2004 in microsoft.public.inetserver.asp.general:

    > Any assistance would be very much appreciated. Thanks!
    >
    > <%
    > sDSN = "Driver={Microsoft Access Driver (*.mdb)};Dbq=path-to-my-db.mdb;"
    > %>
    > <%
    > set ac = CreateObject("ADODB.Connection")
    > set ar = CreateObject("ADODB.Recordset")
    > ac.Open sDSN '"DSN=my-db","myuser","mypass"
    > sSQL = "SELECT URL FROM mytable WHERE CD=" & Request.Form("CD")
    > set ar = ac.Execute(sSQL)
    > if NOT ar.EOF then
    > URL = ar("URL")
    > Response.Redirect url
    > else
    > ' new customer or bad ID
    > End If
    > %>
    >


    Do use the Jet engine driver.
    You do not use and need a recordset here.
    The permissions for the database path must be OK.

    <%
    set CONNECT = server.CreateObject("ADODB.Connection")
    CONNECT.Open "PROVIDER=Microsoft.Jet.OLEDB.4.0;DATA SOURCE="_
    & Server.MapPath("/db/your.mdb") & ";"

    sSQL = "SELECT URL FROM mytable WHERE CD=" & Request.Form("CD")
    set dat=CONNECT.Execute(sSQL)
    if not dat.eof then Response.Redirect dat("URL")

    response.write "Something is very wrong here"
    %>

    The above use of Request.Form("CD") directly in an SQL string is
    dangerous, because a hacker can get entry in your database by injection.
    Validate the result first as an integer number!

    If there is more than one record with the same CD, only one is used.

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Aug 12, 2004
    #2

  3. Endora

    Endora Guest

    Re: Assistance with ASP Redirect Evertjan

    This worked beautifully, thank you, Evertjan!

    One note: "CD number" is a bit of a misnomer. My fault, I didn't
    explain properly. It should probably just be called "CD Value", but
    the misleading name is beyond my control...

    At any rate, in the DB it is not an integer, so I actually ended up
    with:

    sSQL = "SELECT URL FROM mytable WHERE CD='" & Request.QueryString("CD") & "'"

    Again, much appreciated. It is up and running.
     
    Endora, Aug 13, 2004
    #3
  4. Endora

    Evertjan. Guest

    Re: Assistance with ASP Redirect Evertjan

    Endora wrote on 13 aug 2004 in microsoft.public.inetserver.asp.general:
    > sSQL = "SELECT URL FROM mytable WHERE CD='" & Request.QueryString("CD") & "'"


    It is very dangerous to put a clientside string like
    Request.QueryString("CD")
    directly in the SQL.

    Hackers can easily construct a string for http://mysite.com/db.asp?CD=...
    that alters or deletes part of your database!

    So again always validate the querystring first.

    See: What is SQL Injection?
    <http://www.4guysfromrolla.com/webtech/061902-1.shtml> and more

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Aug 13, 2004
    #4
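
The validation and injection-safe lookup recommended in replies #2 and #4, as an added example that is not part of the original thread. It binds the text CD value as an ADO command parameter instead of concatenating it into the SQL string; the allowed character set and the 20-character limit are assumptions about the CD format, and the database path is the placeholder from reply #2.

```vbscript
<%
Option Explicit
' Added example, not code from the thread.
Const adVarChar = 200, adParamInput = 1, adCmdText = 1  ' standard ADO constants
Const MAX_CD_LEN = 20  ' assumption: longest CD value stored in mytable

Function IsValidCD(s)
    ' Allowlist check: letters, digits and dashes only (assumed CD format).
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9-]{1," & MAX_CD_LEN & "}$"
    IsValidCD = re.Test(s)
End Function

Dim cd, conn, cmd, rs, target
cd = Trim(Request.QueryString("CD"))

' Reject anything outside the allowlist before touching the database.
If Not IsValidCD(cd) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid CD value."
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "PROVIDER=Microsoft.Jet.OLEDB.4.0;DATA SOURCE=" _
    & Server.MapPath("/db/your.mdb") & ";"

' The ? placeholder is filled by the provider, so the value is always
' treated as data and can never change the structure of the query.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT URL FROM mytable WHERE CD = ?"
cmd.Parameters.Append cmd.CreateParameter("cd", adVarChar, adParamInput, MAX_CD_LEN, cd)

Set rs = cmd.Execute
target = ""
If Not rs.EOF Then target = rs("URL").Value & ""  ' & "" turns Null into ""
rs.Close
conn.Close

If Len(target) > 0 Then
    Response.Redirect target
Else
    Response.Write "No page found for that CD value."
End If
%>
```

Running the page's database account with read-only permission on the .mdb file limits the damage if another query on the site is still built by concatenation.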
