asp question ADODB.Recordset and calling a procedure - asp-classic

I have to make an quick update on a legacy asp page never really having done anything with classical asp want to check if this is valid.
Can I do this:
set conn = server.CreateObject("ADODB.Connection")
conn.Open ("connection string info")
Set rsIdent = server.CreateObject("ADODB.Recordset")
SQL = "EXEC procedureName #sParam = '" & someVariable & "'"
rsIdent.Open SQL, conn
iSome_ID = rsIdent.Fields("ident_value")
rsIdent.Close()
Set rsIdent = nothing
Where procedureName is a stored procedure that accepts a paramter, does some processing and returns a single record in a column called "ident_value"?

#Curtis: See How to call SQL Server stored procedures from ASP.

Related

Parameterizing sql in asp

I'm not terribly familiar with asp, but I have one project with a page of it.
<%
'declare the variables
Dim Connection
Dim ConnString
Dim Recordset
Dim SQL
Dim userName
userName = Request.Form("userName")
'define the connection string, specify database driver
ConnString="JJJJJ"//connection information
'declare the SQL statement that will query the database
SQL = "SELECT info AS Lunch, "
SQL = SQL & "FROM dbo.AgentActivityLog WHERE UserId = '" & userName & "'
'create an instance of the ADO connection and recordset objects
Set Connection = Server.CreateObject("ADODB.Connection")
Set Recordset = Server.CreateObject("ADODB.Recordset")
'Open the connection to the database
Connection.Open ConnString
'Open the recordset object executing the SQL statement and return records
Recordset.Open SQL,Connection
'first of all determine whether there are any records
If Recordset.EOF Then
Response.Write("No records returned.")
Else
'process record
Next
Recordset.MoveNext
Loop
End If
'close the connection and recordset objects to free up resources
Recordset.Close
Set Recordset=nothing
Connection.Close
Set Connection=nothing
%>
How do I parameterize the username? I have no way to debug, no knowledge of how this language works, so whatever I tried failed and I have no idea why.
I would suggest you look at the Answer on following link as it will fill in the answers you seek:
VBA, ADO.Connection and query parameters
From the code provided critical missing piece is the ADODB.Command for the SQL to actually be run and to add the parameter the query you would :
Set Param = Command.CreateParameter("#userid",adVarChar,adParamInput)
Param.Value = userName
Command.Paramters.Append Param

Insert long string into Access DB using parametrised query in classic ASP

I'm trying to update a classic ASP application and as part of the update I've tried to replace dynamic SQL using string concatenation with a parametrised query.
The problem is that the parameters won't accept a value which is longer than 210 characters.
I get the following error...
ADODB.Parameter error '800a0d5d'
Application uses a value of the wrong type for the current operation.
/admin/Save_product_subcategories.asp, line 30
My first attempt looks like this...
SQLString = "UPDATE Product_SubCategories
SET SubCategory=?, Description=?
WHERE SubCategoryID=?"
Set courseCommand = Server.CreateObject("ADODB.Command")
courseCommand.ActiveConnection = objConn
courseCommand.CommandText = SQLString
courseCommand.Parameters(0).value = cleanCategory
courseCommand.Parameters(1).Value = cleanDescription
courseCommand.Parameters(2).value = cleanSubCategoryId
I've tried manually setting the parameter type and increasing the size of the parameter...
courseCommand.Parameters(1).Type = 203
courseCommand.Parameters(1).Size = 300
courseCommand.Parameters(1).Type = adLongVarWChar
I've also tried creating a parameter with the command.CreateParameter method but that gives the same error.
param = courseCommand.CreateParameter(,,,,cleanDescription)
'or
param = courseCommand.CreateParameter(,adLongVarWChar,,,cleanDescription)
'or
param = courseCommand.CreateParameter(,adLongVarWChar,,300,cleanDescription)
courseCommand.Parameters(1) = param
I'm beginning to think that my only option is to go back to dynamic sql.
Edit:
I tried to Append the parameter instead of adding it to the collection using the array index but none of the parameters worked after that.
Provider error '80020005'
Type mismatch.
/admin/Save_product_subcategories.asp, line 31
For anyone else looking for this the answer is to use a Recordset.
SQLString = "select * from Product_SubCategories where 1=0"
Set rs= Server.CreateObject("ADODB.Recordset")
rs.open SQLString , objConn, 1,3 'open as keyset ,lock optimistic that will create empty recordset for you
' Add new record
rs.AddNew
'assign values
rs("SubCategoryID")=cleanSubCategoryId
rs("Description")=cleanDescription
rs("SubCategory")=cleanCategory
' send new record with values to database
rs.Update
'close recordset
rs.close
'destroy recordset object
se rs=nothing

Script to select, update, insert and delete from MySQL with asp.net (VB)?

I've just switched from classic ASP to .net and I always used the following to SELECT, INSERT, UPDATE and DELETE from my MySQL databases:
' Create db connection
Function dbConn()
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open "driver=x;Server=x;Port=x;Option=x;Database=x;Uid=x;Pwd=x"
Set dbConn = objConn
End Function
' Store data in array
Function SQL(myCommand,strSQL)
Set objConn = dbConn()
If myCommand = 0 Then
Set objRS = objConn.Execute(strSQL)
If NOT objRS.EOF Then arrRS = objRS.GetRows Else arrRS = Null
Else
Set objRS = objConn.Execute(strSQL,,128)
End If
Set objRS = Nothing : Set objConn = Nothing
End Function
For example, to use SELECT I'd just go:
Call SQL(0,"SELECT * FROM Users")
And to display the data:
If IsArray(arrRS) Then
For i = 0 to UBound(arrRS,2)
Response.Write(arrRS(0,i) & ", " & arrRS(1,i))
Next
End If
And to insert, update or delete I'd use:
Call SQL(1,"DELETE FROM Users WHERE UserID = 1")
Does anyone know if this is possible with ASP.Net - VB?
Or is there an even handier solution?
Cheers.
Yes, you can certainly do that with VB.NET. VB.NET supports almost everything ASP classic and vbscript could do. ADO.NET supports almost everything ADO did.
... not that you'd want to do it.
I strongly suggest that you look into the pattern and practices that ASP.NET allows. The newer methods are much better than the old ones.

How to get the insert ID from this ADODB.Recordset?

I'm trying to avoid using straight SQL queries in my web app. I looked around and have come to the conclusion that ADO Recordsets would be the best or at least safest tool for the job. I need to insert records into a database table. Unfortunately I'm at a loss as to how to get the identity value for the record which was just inserted. Here's a reduction of what I've got now:
<%
dim insertID, rs
set rs = Server.CreateObject("ADODB.Recordset")
rs.Open "my_table_name", conn, adOpenForwardOnly, adLockOptimistic
rs.AddNew()
Call m_map_values_to_rs(rs)
rs.Update()
insertID = rs("id")
rs.Close()
rs = Nothing
%>
The code I have is successfully inserting the record, but I can't for the life of me figure out how to get the id field of the Recordset to update after the insert. How can I get the identity column value back from this Recordset?
UPDATE - Here's the solution with regard to the code above.
I had to change the cursor type to adOpenKeyset instead of adOpenForwardOnly. After I did this the record is automatically updated with the "auto number" field's new value after the insert. However it is not what you think it is. The value of rs("id") doesn't become an integer or even a variant. It becomes some sort of Automation type and cannot be evaluated as a number. Nor can CInt() be used directly on that type for some reason. So what you must do is to convert the value to a string and then convert it to an Int. Here's how I managed that:
insertID = CInt( rs("id") & "" )
Thanks to Dee for their answer. It helped immensely.
This article explains the means of getting identity value with example code.
The relevant code snippet is:
<%
fakeValue = 5
set conn = CreateObject("ADODB.Connection")
conn.open "<conn string>"
sql = "INSERT someTable(IntColumn) values(" & fakeValue & ")" & _
VBCrLf & " SELECT ##IDENTITY"
set rs = conn.execute(sql)
response.write "New ID was " & rs(0)
rs.close: set rs = nothing
conn.close: set conn = nothing
%>

SQL injection capturing on classic asp - reposting form puts in lots of ticks

I'm using SQL Server 2005 with classic ASP and on a form repost (I post back to the same page), I replace each text field as follows:
course = trim(replace(request("course"),"'","''"))\
The problem with this is if I have to repost the form multiple times in case of validation errors, the tick marks I replace multiply.
Is there another way to safely vet the string fields without doing this kind of replace?
you better use a parametrized query:
dim cmd : set cmd = server.createObject("ADODB.Command")
dim param
dim sql : sql = "INSERT INTO table(course) VALUES (?)"
cmd.ActiveConnection = yourDBconnection
cmd.CommandType = adCmdText
set param = cmd.CreateParameter("course", adVarChar, , 20, request("course"))
cmd.Parameters.Append param
cmd.CommandText = sql
cmd.Execute
so you are completely safe with sql injection
Only replace the ' for use in the sql string. (which you should better do with parameterized queries..)
The easiest way would be to only do the SQL escaping when you're actually inserting into the database:
course = trim(request("course"))
Make a SafeSQL function:
function SafeSQL(TempStr)
SafeSQL = Replace(TempStr,"'","''")
end function
Then, when you're inserting:
"INSERT INTO table(course) VALUES ('" & SafeSQL(course) & "')"
Disclaimer: I only have a working knowledge of ASP, I don't really know the best practices.
you can do this
course = trim(replace(request("course"),"'","&apos ;"))

Resources