Assistance with ASP Redirect

Endora

Hello,

The database I'm working with has these 2 fields:

- "CD", which stands for "Consolidated Design Number" (not Compact
DISC)

and

- "URL", which is the full URL (http://...)

Users need to be able to type a CD number into a form text box and,
upon submission, be redirected to a non-database-driven html index
(home page) for all the info associated with that particular CD. A
drop-down might be simpler, but it would be way too long since there
are many, many numbers.

Here's what I have. Can't seem to get it to work.

Any assistance would be very much appreciated. Thanks!

<%
' ODBC connection string for the Access file (DSN-less)
sDSN = "Driver={Microsoft Access Driver (*.mdb)};Dbq=path-to-my-db.mdb;"
%>
<%
set ac = CreateObject("ADODB.Connection")
set ar = CreateObject("ADODB.Recordset")
ac.Open sDSN '"DSN=my-db","myuser","mypass"
' look up the URL for the CD value posted from the form
sSQL = "SELECT URL FROM mytable WHERE CD=" & Request.Form("CD")
set ar = ac.Execute(sSQL)
if NOT ar.EOF then
URL = ar("URL")
Response.Redirect url
else
' new customer or bad ID
End If
%>

Evertjan.

Endora wrote on 12 aug 2004 in microsoft.public.inetserver.asp.general:
> Any assistance would be very much appreciated. Thanks!
>
> <%
> sDSN = "Driver={Microsoft Access Driver (*.mdb)};Dbq=path-to-my-db.mdb;"
> %>
> <%
> set ac = CreateObject("ADODB.Connection")
> set ar = CreateObject("ADODB.Recordset")
> ac.Open sDSN '"DSN=my-db","myuser","mypass"
> sSQL = "SELECT URL FROM mytable WHERE CD=" & Request.Form("CD")
> set ar = ac.Execute(sSQL)
> if NOT ar.EOF then
> URL = ar("URL")
> Response.Redirect url
> else
> ' new customer or bad ID
> End If
> %>

Do use the Jet engine driver.
You do not use or need a recordset here.
The permissions for the database path must be OK.

<%
' open the .mdb through the Jet OLE DB provider; the path is resolved
' server-side, so the IIS worker account needs read access to it
set CONNECT = server.CreateObject("ADODB.Connection")
CONNECT.Open "PROVIDER=Microsoft.Jet.OLEDB.4.0;DATA SOURCE=" _
& Server.MapPath("/db/your.mdb") & ";"

sSQL = "SELECT URL FROM mytable WHERE CD=" & Request.Form("CD")
set dat=CONNECT.Execute(sSQL)
' Response.Redirect ends the script, so the line below only runs
' when no row matched
if not dat.eof then Response.Redirect dat("URL")

response.write "Something is very wrong here"
%>

The above use of Request.Form("CD") directly in an SQL string is
dangerous, because a hacker can get into your database by injection.
Validate the result first as an integer number!

If there is more than one record with the same CD, only one is used.

Endora

This worked beautifully, thank you, Evertjan!

One note: "CD number" is a bit of a misnomer. My fault, I didn't
explain properly. It should probably just be called "CD Value", but
the misleading name is beyond my control...

At any rate, in the DB it is not an integer, so I actually ended up
with:

sSQL = "SELECT URL FROM mytable WHERE CD='" & Request.QueryString("CD") & "'"

Again, much appreciated. It is up and running.

Evertjan.

Endora wrote on 13 aug 2004 in microsoft.public.inetserver.asp.general:
> sSQL = "SELECT URL FROM mytable WHERE CD='" & Request.QueryString("CD") & "'"

It is very dangerous to put a clientside string like
Request.QueryString("CD") directly in the SQL.

Hackers can easily construct a string for http://mysite.com/db.asp?CD=...
that alters or deletes part of your database!

So again always validate the querystring first.

See: What is SQL Injection?
<http://www.4guysfromrolla.com/webtech/061902-1.shtml> and more
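The validation Evertjan asks for in both replies, shown as an added example that is not code from either poster: the same lookup page with the CD value checked against an allow-list pattern and then bound as a query parameter, so it is never spliced into the SQL text. The table and column names and the Jet provider string follow the thread; the /db/your.mdb path, the `[A-Za-z0-9-]` character set and the 50-character limit are assumptions about what a design number may contain.

```vbscript
<%
Option Explicit
' Added example, not the original poster's or Evertjan's code.
' Assumed: CD values are 1-50 letters, digits or hyphens (the thread
' only says CD is not an integer); /db/your.mdb is an assumed path.

Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202

Dim sCD, oRe, CONNECT, cmd, dat

sCD = Trim(Request.QueryString("CD"))

' 1. Validate before touching the database. Quotes, semicolons and
'    anything else outside the allowed set are rejected outright.
Set oRe = New RegExp
oRe.Pattern = "^[A-Za-z0-9\-]{1,50}$"
If Not oRe.Test(sCD) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid CD value"
    Response.End
End If

' 2. Open the .mdb through the Jet provider, as suggested above.
Set CONNECT = Server.CreateObject("ADODB.Connection")
CONNECT.Open "PROVIDER=Microsoft.Jet.OLEDB.4.0;DATA SOURCE=" _
    & Server.MapPath("/db/your.mdb") & ";"

' 3. Parameterised query: the ? placeholder is bound by the provider,
'    so the value is treated as data even if validation is loosened later.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = CONNECT
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT URL FROM mytable WHERE CD = ?"
cmd.Parameters.Append cmd.CreateParameter("CD", adVarWChar, adParamInput, 50, sCD)
Set dat = cmd.Execute

If Not dat.EOF Then
    ' Duplicate CD rows still resolve to whichever row comes first.
    ' Response.Redirect ends the script, so nothing below runs on a hit.
    Response.Redirect dat("URL")
End If

dat.Close
CONNECT.Close
Response.Status = "404 Not Found"
Response.Write "No index page is registered for CD " & Server.HTMLEncode(sCD)
%>
```

If CD were the integer Evertjan first assumed, the pattern check would be replaced by `IsNumeric(sCD)` followed by `CLng(sCD)` and a parameter of type adInteger (3). The redirect target itself comes from the database rather than from the client, so this page does not become an open redirector; that only holds as long as the URL column is populated by trusted staff.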
 
