classic asp request an input with single quote - asp-classic

I am trying to read a text area (id= Message) and save it into the database. The problem is that if the user enters a single quote (') in the text, both the codes below fail to handle it.
Request("Message")
or
Replace(Request("Message"),"'","")
Both fail with the error message:
Security violation occurred
Incorrect value was passed for field "Message"
Seems like it fails as soon as it reads Request("Message")

I suspect this might be a hosting level security measure to protect against SQL injection. If this is the case the only solution might be to ask your host to disable it (and protect from this yourself) or to add some JavaScript to replace or HTML encode apostrophes when the form is submitted.
Are you testing this on a local computer or just on a site hosted with a web hosting company?

You should use a Command-object to securely save user-entered data to the database.
' Parameterized insert: the value is bound to the ? placeholder, never concatenated into the SQL text
set cmd = Server.CreateObject("ADODB.Command")
set cmd.ActiveConnection = conn
cmd.CommandText = "INSERT INTO table(message) VALUES(?)"
cmd.CommandType = 1 ' adCmdText
recordsAffected = 0
' &"" coerces a missing form field to an empty string
call cmd.Execute(recordsAffected, array(Request("Message")&""))
if recordsAffected <> 1 then
    Response.Write "Something went wrong!"
else
    Response.Write "Data saved!"
end if
The code above assumes you have an open connection to the database stored in the variable conn.

Related

Creating database logins and users from user input

I am using ASP.NET (VB.NET) with SQL Server and wish to allow a user to create server logins and database users from a web form.
I have gotten this working by executing commands that create the login and user:
Dim cmd As New OleDb.OleDbCommand(
"CREATE LOGIN [" & login & "] FROM WINDOWS WITH DEFAULT_DATABASE = Db; " & _
"CREATE USER " & username & " FOR LOGIN [" & login & "]; ",
connection)
cmd.ExecuteNonQuery()
The login and username are user inputs that I am sanitizing (as best I can) and inserting directly in the CommandText. While this is working, I don't feel as if I should be doing it this way.
I'm hoping for something similar to parameterized queries, like so:
Dim cmd As New OleDb.OleDbCommand(
"CREATE LOGIN [#login] FROM WINDOWS WITH DEFAULT_DATABASE = Db; " & _
"CREATE USER #username FOR LOGIN [#login]; ",
connection)
cmd.Parameters.AddWithValue("#login", login)
cmd.Parameters.AddWithValue("#username", username)
cmd.ExecuteNonQuery()
However, this does not work because CREATE LOGIN and CREATE USER do not seem to allow parameterized values, as mentioned by podiluska:
Incorrect syntax near '#username'.
Is there a better way of creating logins and users from user input?
You can't parameterise the CREATE USER and CREATE LOGIN commands.
You could create a stored procedure that uses parameters on the (deprecated) sp_addlogin and sp_adduser, but to create the user with a windows login, you need to use CREATE LOGIN and hence dynamic SQL.
One possible option is to use a stored procedure, which I had previously avoided due to sp_addlogin and sp_adduser being deprecated (as mentioned by podiluska).
However, it seems possible to use CREATE LOGIN and CREATE USER in a stored procedure by building them in a string with EXEC, which is described in this question. The parameterized query code snippet included in the question can then be adapted to use stored procedures with minor changes:
cmd.CommandType = CommandType.StoredProcedure
cmd.CommandText = "sp_storedprocname"
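
The stored-procedure approach from the answers above, written out in T-SQL as an added example (not code from the original posts). The procedure name usp_CreateWindowsLoginAndUser and the sample account in the comments are hypothetical; Db is the default database from the question. CREATE LOGIN and CREATE USER still run as dynamic SQL, but every user-supplied name passes through QUOTENAME first.

```sql
-- Added example; the procedure name is hypothetical, not from the original posts.
CREATE PROCEDURE dbo.usp_CreateWindowsLoginAndUser
    @login    sysname,   -- Windows account, e.g. N'CONTOSO\alice' (constructed sample)
    @username sysname    -- database user to map to that login
AS
BEGIN
    SET NOCOUNT ON;

    -- Check the expected shape before building any SQL text:
    -- both values present, and the login in DOMAIN\account form.
    IF @login IS NULL OR @username IS NULL
       OR LEN(@username) = 0
       OR @login NOT LIKE N'%_\_%'
    BEGIN
        RAISERROR(N'Invalid login or user name.', 16, 1);
        RETURN;
    END;

    -- Where a value is used as data, an ordinary parameterized query still works.
    IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @login)
    BEGIN
        RAISERROR(N'Login already exists.', 16, 1);
        RETURN;
    END;

    -- Identifiers cannot be parameters, so they are concatenated, but only
    -- after QUOTENAME has wrapped each one in [ ] and doubled any ] inside it.
    -- A closing bracket in the input therefore cannot end the identifier.
    DECLARE @sql nvarchar(max);
    SET @sql =
          N'CREATE LOGIN ' + QUOTENAME(@login)
        + N' FROM WINDOWS WITH DEFAULT_DATABASE = [Db]; '
        + N'CREATE USER ' + QUOTENAME(@username)
        + N' FOR LOGIN ' + QUOTENAME(@login) + N';';

    EXEC sys.sp_executesql @sql;
END;
GO

-- Constructed call with sample values:
-- EXEC dbo.usp_CreateWindowsLoginAndUser @login = N'CONTOSO\alice', @username = N'alice';
```

The calling code sets CommandType.StoredProcedure as shown above and passes both values as ordinary command parameters, so no user input is concatenated on the application side.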

How do you send an attachment with cdo.message if the file is in use

I am trying to send an email in a classic ASP site with an attachment. I am receiving the error "The process cannot access the file because it is being used by another process."
The file is sitting in a shared folder on the same physical server that is hosting the site. If I check in computer management on the server I can confirm that a user has it open.
My question then is: Am I able to send a copy of the file that is saved to disk using cdo.message if that file is in use? I stripped away the rest of my code to do a test and I was still getting the same error using this.
'Create the Message Object
Set objMsg = Server.CreateObject("CDO.Message")
'Set the properties of the Message
With objMsg
    Set .Configuration = cdoConfig
    .From = sFrom
    .To = sTo
    .Subject = sSubject
    .TextBody = sBody
    .Send
End With
No, you can't circumvent this restriction, nor would you want to, or else you could be sending a corrupt file.

Unable to use asp.net Web Site Administration Tool SQL connection error

I am working on IIS 7, SQL Express 2008.
I'm trying to use the Web Site Administration Tool to set up some users in a membership db. I have the tables set up, but when I click on the security tab in the web app I get an exception "There is a problem with your selected data store...". The error I get is
"The following message may help in diagnosing the problem: Cannot open database "ticketinventory" requested by the login. The login failed. Login failed for user 'sa'"
The connection string I am using is "data source=kyrian-pc\sqlexpress;Initial Catalog=ticketinventory;Persist Security Info=True;User ID=sa;Password=******;"
(I know to not use sa for a connection string, this is just to get it to work initially and I have removed the password with ** )
I can log into sql with the sa username and password and query the membership tables. If I change the querystring to a fake user name I see the error message in the web app reflect that username so I know it is using the right connection string.
As far as I can tell this should be working but I am obviously missing something. Any ideas?
EDIT
It turns out the issue has something to do with my connection string itself. I created a test page with this code
using (System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection(ConfigurationManager.ConnectionStrings["ApplicationServices"].ConnectionString))
{
    conn.Open();
    conn.Close();
}
and this throws a login exception. For whatever reason my other connection strings are being stored in the appSettings, so there is some difference that I am now trying to work out.
Despite checking it 5 or 6 times I had the db name wrong in the connection string. Problem solved.
"The only infinite things are is the universe itself and the stupidity of man, and I'm not sure about the 1st one" - einstein

What's wrong with this ASP connection string?

I'm at the end of my rope on this. It should be so simple.
I just need to know what's wrong with this connection string:
dbc.open ("Driver={SQL Server}; Data Source = ServerName; Initial Catalog = InitialDB; " "User ID = Username; Password = Password;")
I get this error when running that line:
[Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified
I know ServerName is up and accepting connections, I know InitialDB exists, I know User ID and Password are valid for the database. What am I missing?
In Notepad, create a file anyname.udl and leave it empty. Then click it in Explorer: you will get a dialog to create an OLEDB connection string. Select the expected driver and all connection parameters, and ensure that "Allow saving password" = True. Press OK.
Then open the file again with Notepad. Its content is a valid connection string.
Try this...
dbc.open ("Provider=SQLOLEDB; Driver={SQL Server}; Data Source = ServerName; Initial Catalog = InitialDB; User ID = Username; Password = Password; Network Library=dbmssocn;")
As someone has already pointed out, udl is the best, easiest way to create a conn string. Here is a link that talks about it: https://web.archive.org/web/20210211044624/http://www.4guysfromrolla.com/webtech/070400-1.shtml
If you are using ADOdb you might want to try
"Provider=SQLNCLI10;Server=SERVER;Database=DATABASE;Uid=USERNAME;Pwd=PASSWORD"
for SQL Server 2008 Native Client or
"Provider=SQLNCLI;Server=SERVER;Database=DATABASE;Uid=USERNAME;Pwd=PASSWORD"
for SQL Server 2005 Native Client.
For ODBC, use
"Driver=SQL Server Native Client 10.0"
for SQL Server 2008 Native Client or
"Driver=SQL Native Client"
for SQL Server 2005 Native Client.
What's with the " " in the middle of the string?
Your connection string appears to be mixing ODBC and OLEDB. I would suggest visiting http://www.connectionstrings.com/ and finding the correct syntax for the desired provider.
Yours:
"Driver={SQL Server}; Data Source = ServerName; Initial Catalog = InitialDB; " "User ID = Username; Password = Password;"
ODBC:
"Driver={SQL Server};Server=ServerName;Database=InitialDB;Uid=Username;Pwd=Password;"
OLEDB:
"Provider=sqloledb;Data Source=ServerName;Initial Catalog=InitialDB;User Id=Username;Password=Password;"
Do you have visual studio?
Connect to the database server, and locate the database you want to connect to.
Right click, select properties. Your connection string to the db is right there.
Copy to wherever you want. -- Should be in web config, but you can paste it directly into code if you so desire.

Connect asp 2.0 page to VBscript on a remote server

I'm developing a website and I need to have my asp page connect to a VB script on a remote server, send it some variables and get a string returned. Then spit out the returned data.
I've done similar work in Java.
Can anyone point me in the right direction to help me produce a simple proof of concept?
Basically you can send request data to the remote server using a request string:
http://www.example.com/GetMyString.asp?MyVal1=value1&MyVal2=value2
Then on the remote server, in the GetMyString.asp page, retrieve these values using the Request object and send back the string result by using Response.Write:
<%
' Read the values sent in the query string
value1 = Request("MyVal1")
value2 = Request("MyVal2")
' HTML-encode the echoed input so it cannot inject markup into the page that displays it
newvalue = "The values received were: " & Server.HTMLEncode(value1) & " and " & Server.HTMLEncode(value2)
Response.Clear()
Response.Write(newvalue)
Response.End()
%>
