Ok so I am trying to pass some string variables from a classic ASP page to an MSSQL2000 db thusly:

strSQL = "exec UpdateEvent " & xID & ",'" & xEventID & "'," & xEventDisplayName & "," & xEventType & "," & xEventStatus & "," & xStartDate & "," & xEndDate & "," & xSurveyTemplateID & ""

Yet I end up with the error (including writing out the strSQL contents):

exec UpdateEvent 1,'1-44KTDL',,,,,,

Microsoft OLE DB Provider for SQL Server error '80040e14'

Line 1: Incorrect syntax near ','.

/eventedit.asp, line 225

Now I am not sure if it is the dash in the EventID variable that is causing my problems (or why all the other variables are coming up with null values when there is data there...) . I have tried many many combinations of quotes and tics to appease the syntax interpreter but to no avail. What am I doing wrong? Is there a better way to do this simple stored procedure call?

+1  A: 

If no data exists for those variables you need to at least put NULLs in there otherwise the SQL will fail.

For example if you paste

exec UpdateEvent 1,'1-44KTDL',,,,,, 

directly into Query Analyzer, you will get the same error.

Ideally you will need to load them into a parameter array, and create defaults for each parameter (e.g. NULL) in case no data is present for it.

This will ensure your Stored Procedure call is built correctly.

e.g.

 exec UpdateEvent 1,'1-44KTDL', NULL, NULL, NULL, NULL, NULL, NULL
kevchadders
+5  A: 

That's very VERY bad; your code is subject to SQL injection attacks and needs to be fixed as soon as possible.

<!--#include virtual="/ASPSAMP/SAMPLES/ADOVBS.INC"-->
<%
' ADOVBS.INC supplies the adCmdStoredProc constant used below.
Set conn = Server.CreateObject("ADODB.Connection")
' ... conn.Open with your connection string ... '
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = conn          ' Parameters.Refresh needs an open connection
cmd.CommandText = "UpdateEvent"
cmd.CommandType = adCmdStoredProc
cmd.Parameters.Refresh               ' asks SQL Server for the procedure's parameter list

' Parameters(0) is the procedure's return value, so the inputs start at 1.
' Each value is bound as a typed parameter, never spliced into SQL text,
' and an Empty/Null variable is sent as NULL instead of as nothing.
cmd.Parameters(1) = xID 
cmd.Parameters(2) = xEventID 
cmd.Parameters(3) = xEventDisplayName 
cmd.Parameters(4) = xEventType 
cmd.Parameters(5) = xEventStatus 
cmd.Parameters(6) = xStartDate 
cmd.Parameters(7) = xEndDate 
cmd.Parameters(8) = xSurveyTemplateID
cmd.Execute
%>
Rubens Farias
@Rubens Farias: just for me to know: why is the above code more robust than the original? How is such a SQL injection attack accomplished?
Edelcom
`xID = "; exec drop table tablename; --"` ' this will do the trick; http://www.securiteam.com/securityreviews/5DP0N1P76E.html
Rubens Farias
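The following is an added example, not code from the question or from any of the answers above. It puts kevchadders' point (a missing value must be sent as an explicit NULL, not as nothing) and Rubens Farias' point (bind every value as a parameter) side by side in Python, with an in-memory sqlite3 table standing in for the SQL Server table behind UpdateEvent. The table layout, the column names, the sample values and the injection payload are all constructed for the example; sqlite3 has no stored procedures, so a plain UPDATE stands in for "exec UpdateEvent", and executescript() stands in for SQL Server running the whole batch ADO hands it. The first function rebuilds the question's strSQL line byte for byte so the ",,,,,," statement from the question falls out of it.

```python
import sqlite3

# The eight values the ASP page concatenates, in the order UpdateEvent takes them.
FIELDS = ("xID", "xEventID", "xEventDisplayName", "xEventType",
          "xEventStatus", "xStartDate", "xEndDate", "xSurveyTemplateID")

# Constructed sample input matching the question's debug output: only the
# first two values are set, the other six are empty strings.
PARTIAL = ("1", "1-44KTDL", "", "", "", "", "", "")

# Constructed injection payload: the value an attacker sends as xID. The
# remaining values are written as SQL literals because the concatenating
# code (like the question's) only quotes xEventID itself.
PAYLOAD = ("1; DROP TABLE events; --", "1-44KTDL", "'x'", "'x'", "'x'",
           "'2009-01-01'", "'2009-01-02'", "7")


def concat_exec(values):
    """Mirror the question's strSQL line: only xEventID gets quotes, the
    other seven values are pasted in raw. Returns the text that would be
    sent to SQL Server, so the ',,,,,,' failure mode is visible."""
    v = [str(x) for x in values]
    return ("exec UpdateEvent " + v[0] + ",'" + v[1] + "'," + v[2] + "," + v[3]
            + "," + v[4] + "," + v[5] + "," + v[6] + "," + v[7])


def make_db():
    """In-memory sqlite3 stand-in (constructed) for the table UpdateEvent edits."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, event_id TEXT,"
                 " display_name TEXT, event_type TEXT, status TEXT,"
                 " start_date TEXT, end_date TEXT, survey_template_id INTEGER)")
    conn.execute("INSERT INTO events (id, event_id) VALUES (1, 'old')")
    conn.commit()
    return conn


def update_event_concat(conn, values):
    """Vulnerable: the question's concatenation style as a plain UPDATE.
    executescript() runs every statement in the text, the way SQL Server
    runs the batch ADO sends it. Raises sqlite3.OperationalError on bad
    syntax, exactly as empty values do in the question."""
    v = [str(x) for x in values]
    sql = ("UPDATE events SET event_id='" + v[1] + "', display_name=" + v[2]
           + ", event_type=" + v[3] + ", status=" + v[4] + ", start_date=" + v[5]
           + ", end_date=" + v[6] + ", survey_template_id=" + v[7]
           + " WHERE id=" + v[0])
    conn.executescript(sql)
    return sql


def update_event_param(conn, values):
    """Hardened: every value is bound to a ? placeholder, the equivalent of
    cmd.Parameters(n) = x in the ADO answer. An empty string is bound as
    None, which the driver sends as NULL (kevchadders' explicit NULL), and
    the payload is compared as data, not run as SQL. Returns rows updated."""
    p = [None if v == "" else v for v in values]
    cur = conn.execute(
        "UPDATE events SET event_id=?, display_name=?, event_type=?, status=?,"
        " start_date=?, end_date=?, survey_template_id=? WHERE id=?",
        p[1:] + p[:1])
    conn.commit()
    return cur.rowcount


def concat_rejects(values):
    """True when the concatenated statement is thrown out as a syntax error."""
    try:
        update_event_concat(make_db(), values)
    except sqlite3.OperationalError:
        return True
    return False


def table_survives(update, values):
    """Run one updater against a fresh table and report whether 'events' is still there."""
    conn = make_db()
    update(conn, values)
    row = conn.execute("SELECT count(*) FROM sqlite_master WHERE name='events'").fetchone()
    return row[0] == 1


if __name__ == "__main__":
    print(concat_exec(PARTIAL))                                    # exec UpdateEvent 1,'1-44KTDL',,,,,,
    print("empty values rejected:", concat_rejects(PARTIAL))       # True
    print("table survives concat:", table_survives(update_event_concat, PAYLOAD))  # False
    print("table survives params:", table_survives(update_event_param, PAYLOAD))   # True
    print("rows hit by bound payload:", update_event_param(make_db(), PAYLOAD))   # 0
    print("rows hit by bound partial:", update_event_param(make_db(), PARTIAL))   # 1
```

The bound payload touches zero rows because "1; DROP TABLE events; --" arrives as a single text value compared against an integer id; with concatenation the same text becomes a second statement and the table is gone. The bound PARTIAL call succeeds where the concatenated one fails, because None is sent as NULL rather than as an empty token between two commas.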
A: 

How about this:

http://support.microsoft.com/kb/164485

ryanulit
A: 

I would suggest that you capture the SQL being generated in your code > run that SQL manually in the database > see if you can spot the problem.

Set a breakpoint in your code where strSQL is populated. Step over that line. Get the value of strSQL at that point.

This may help you to identify the problem, which may be in your syntax or may arise from unexpected values in the parameter variables.

DOK