middletree
Yesterday, I posted a problem which, by the way, I haven't been able to
solve yet. But in Aaron's reply, he questioned why I did several things the
way I did. My short answer is that I have a lot to learn, but now I'd like
to ask anyone who reads this, including Aaron, for some clarification. I
imagine others might benefit, too.
Aaron Bertrand - MVP said: A few suggestions.
(3) why do you constantly set rs = createobject("ADODB.Recordset") but
never destroy any of them?
I went back and took care of it with this: set rs = nothing
My question is, is this enough?
(4) why are you allowing values from request.querystring into your SQL
statements unchecked? Have you tried something like...
DisplaySortableTickets.asp?strStatus=a';DELETE%20TKT_STATUS;SELECT%20' b
Never thought of that. Is that really an issue for an Intranet, though?
(5) why are you using ADODB.Recordset at all? These all seem to be
forward-only, static recordsets.
I don't really understand this question/statement. Is there another kind of
recordset?
Here is a rewrite of the first portion.
<!-- #INCLUDE FILE="includes/functions.asp" -->
<!-- #INCLUDE FILE="includes/argodbinc.asp" -->
<!-- #INCLUDE FILE="includes/colors.inc" -->
<%
function fixVal(s)
    ' Doubles every apostrophe in the named querystring value so it cannot
    ' close the quoted literal in the SQL text; VBScript returns a value by
    ' assigning to the function name.
    fixVal = replace(request.QueryString(s), "'", "''")
end function
Does this just take the apostrophes from the querystring? Is that just to
keep it from being used by a malicious person who would put an evil SQL
statement?
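One way to address points (3), (4) and (5) together, as an added example rather than code from this thread: bind the querystring value as an ADODB.Command parameter instead of pasting it into the SQL, read the rows through the forward-only recordset that Execute hands back, and close everything before releasing it. The table and column names (Tickets, TicketID, Title, Status) and the connection string are assumed. Doubling apostrophes only protects a value that sits inside a quoted string literal; a parameter also covers numeric columns, where there is no quote to escape.

```vbscript
<%
Option Explicit

' Added example, not code from this thread. Table and column names and the
' connection string are assumed; ADO constants are spelled out so no
' adovbs.inc include is needed.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

' Returns an HTML list of tickets whose Status column equals strStatus.
Function TicketsByStatus(strConn, strStatus)
    Dim conn, cmd, rs, html
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open strConn

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The value is bound as a parameter, never concatenated into the SQL
    ' text, so the a';DELETE ... string from Aaron's example is simply
    ' compared against Status as data and matches nothing.
    cmd.CommandText = "SELECT TicketID, Title FROM Tickets WHERE Status = ?"
    cmd.Parameters.Append cmd.CreateParameter("Status", adVarChar, adParamInput, 50, strStatus)

    ' Execute returns a forward-only, read-only recordset, which is all a
    ' page that only reads rows needs; no CreateObject("ADODB.Recordset").
    Set rs = cmd.Execute

    html = "<ul>"
    Do Until rs.EOF
        html = html & "<li>" & Server.HTMLEncode(rs("TicketID") & ": " & rs("Title")) & "</li>"
        rs.MoveNext
    Loop
    html = html & "</ul>"

    ' Close before releasing: Set x = Nothing only drops the reference.
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
    conn.Close
    Set conn = Nothing

    TicketsByStatus = html
End Function

Dim strConn
strConn = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=Tickets;Integrated Security=SSPI" ' assumed
Response.Write TicketsByStatus(strConn, Request.QueryString("strStatus"))
%>
```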