functions in asp

Jon Spivey

Hi,
Anywhere you like, eg
<%
function DoSomething(..)
'
DoSomething = .....
end function
%>

<%=DoSomething("something")%>

It's probably best practice to place them at the top of the page - ie before
<html> just to make your code easier to follow and so your designer doesn't
mess things up when he touches the page.
 
Paul M

Thanks Jon
Maybe you can help me with this
I have posted it on the client forum but you don't seem to be working there
so I will ask you here
I have a form with username and password fields. The form submits to a
login validation ASP script.
To stop SQL injection I need to filter out, server side, characters like single
quote, double quote, slash, backslash, semicolon, and extended characters like
NULL, carriage return, new line, etc.
I know I need to add some validation ASP script to the validation ASP page
but I have been looking on the web and I can't find any tutorials.
Paul M
 
Kevin Spencer

If you're using SQL Server or another full-strength database server, the
easiest way to avoid SQL Injection is to use Stored Procedures. With Access,
you can actually use parameterized queries. They aren't as powerful as
Stored Procedures, but often can do what you need.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.
 
Jon Spivey

For username and password the only issue you'll have is with single quotes
(') so you can just do
<%
function StripQuotes(s)
' remove every single quote from the input (note: one closing bracket only)
StripQuotes = Replace(s, "'", "")
end function

sPass = StripQuotes(request.form("pass"))
sUser = StripQuotes(request.form("user"))
%>

We're just replacing a single quote with nothing.
 
Paul M

Thanks guys, I must be doing something wrong because when I insert the
function I get a "The page cannot be displayed" error.
Here is the section of code that I am using:

<%
'First we create a connection object
Set Conn = Server.CreateObject("ADODB.Connection")

'Next, we open the connection object by calling the connection string
'that FrontPage created and stored in the global.asa file when the "store"
'connection was created
Conn.Open Application("string removed for this post ConnectionString")

'Then we create a record set object and a SQL statement
'(the form values are concatenated straight into the SQL string;
'the "& _" continuations keep each string literal on one logical line)
Set RS = Conn.Execute ("SELECT user_name, pass_word From Results WHERE " & _
"user_name = '" & Request.Form("user_name") & "' AND pass_word = '" & _
Request.Form("pass_word") & "'")

'Loop through the database to check for the user's information
Do until RS.EOF
Pass = RS("pass_word")
Name = RS("user_name")
RS.MoveNext
loop

'Close the recordset and database connection
RS.Close
Conn.Close

'If the password given is not in the database then we don't do anything.
'Otherwise, we create the session objects
IF Pass = "" Then
Message = "The Password you entered is either wrong or not found in our " & _
"database. Please press the BACK button and try again or if you have not yet " & _
"created a username and password then click on the registration link."
Else
Session("password") = Pass
Session("username") = Name

'Now we will check to see if there is a session object for an original URL.
'This would have been created (as you will see later) if the user first tried
'to visit a protected page. If so, we send them there. If not, we stay here.
IF Session("Ori_URL") = "" Then 'do nothing
Else
Response.redirect(session("Ori_URL"))
End IF
End IF
%>
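The login lookup from the post above, rewritten along the lines Kevin suggests: a parameterized query through an ADODB.Command instead of a SQL string built from Request.Form values, with a whitelist check on the username in place of the quote-stripping in Jon's StripQuotes. This is an added example, not code from the thread or from any of its posters. It keeps the table and column names from the post (Results, user_name, pass_word); the Application("YOUR_ConnectionString") name, the IsValidUserName helper and the length limits are assumptions.

```vbscript
<%
Option Explicit
' Added example, not from the thread. Table and column names come from the post;
' the connection string name, IsValidUserName and the length limits are assumptions.

' Whitelist check on the username: 3 to 20 letters, digits or underscores.
' Rejecting anything else outright is simpler than stripping characters one by one.
Function IsValidUserName(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_]{3,20}$"
    IsValidUserName = re.Test(s)
End Function

Dim Conn, Cmd, RS, sUser, sPass, Name, Pass, Message

sUser = Request.Form("user_name")
sPass = Request.Form("pass_word")
Pass = ""

If Not IsValidUserName(sUser) Or Len(sPass) = 0 Or Len(sPass) > 128 Then
    ' Input that fails validation never reaches the database
    Message = "Please enter a valid username and password."
Else
    Set Conn = Server.CreateObject("ADODB.Connection")
    Conn.Open Application("YOUR_ConnectionString")   ' placeholder name

    ' The "?" markers are bound to the parameter values by the provider. The
    ' values travel as data and are never parsed as SQL, so a quote, semicolon
    ' or comment marker in the input cannot change the meaning of the statement.
    Set Cmd = Server.CreateObject("ADODB.Command")
    Set Cmd.ActiveConnection = Conn
    Cmd.CommandType = 1   ' adCmdText
    Cmd.CommandText = "SELECT user_name, pass_word FROM Results " & _
                      "WHERE user_name = ? AND pass_word = ?"
    ' CreateParameter(name, type, direction, size, value): 200 = adVarChar, 1 = adParamInput
    Cmd.Parameters.Append Cmd.CreateParameter("user", 200, 1, 20, sUser)
    Cmd.Parameters.Append Cmd.CreateParameter("pass", 200, 1, 128, sPass)

    Set RS = Cmd.Execute
    If Not RS.EOF Then
        Name = RS("user_name")
        Pass = RS("pass_word")
    End If
    RS.Close
    Conn.Close

    If Pass = "" Then
        Message = "The Password you entered is either wrong or not found in our database."
    Else
        ' Only the username goes into the session; the password is not copied there
        Session("username") = Name
        If Session("Ori_URL") <> "" Then
            Response.Redirect Session("Ori_URL")
        End If
    End If
End If
%>
```

The `?` placeholder syntax works with the Jet/Access OLE DB provider as well as SQL Server, which is why Kevin can recommend parameterized queries for Access. Against SQL Server the same ADODB.Command can instead call a stored procedure by setting `Cmd.CommandType = 4` (adCmdStoredProc) and `Cmd.CommandText` to the procedure name, with the parameters appended in the same way.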
 
Kevin Spencer

In IE, Open Internet Options, go to the Advanced tab, and uncheck "Show
friendly HTTP Error messages." You should then be able to run the page and
see the actual error.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.
 
Stefan B Rusynko

Stick to one thread in one newsgroup
- posting the same thing in 2 newsgroups is counterproductive
See detailed responses to the same post in the client newsgroup



| Thanks guys I must be doing something wrong because when I insert the
| function I get "The page cannot be displayed" error
| Here is the section of code that I am using
|
| <%
| 'First we create a connection object
| Set Conn = Server.CreateObject("ADODB.Connection")
|
| 'Next, we open the connection object by calling the connection string
| 'that FrontPage created and stored in the global.asa file when the "store"
| 'connection was created
| Conn.Open Application("string removed for this post ConnectionString")
|
| 'Then we create a record set object and a SQL statement
| Set RS = Conn.Execute ("SELECT user_name, pass_word From Results WHERE
| user_name = '" & Request.Form("user_name") & "' AND pass_word = '" &
| Request.Form("pass_word") & "'")
|
| 'Loop through the database to check for the users information
| Do until RS.EOF
| Pass = RS("pass_word")
| Name = RS("user_name")
| RS.MoveNext
| loop
|
| 'Close the recordset and database connection
| RS.Close
| Conn.Close
|
| 'If the password given is not in the database then we don't do anything.
| 'Otherwise, we create the session objects
| IF pass = "" Then
| Message = "The Password you entered is either wrong or not found in our
| database. Please press the BACK button and try again or if you have not yet
| created a username and password then click on the registration link."
| Else
| Session("password") = Pass
| Session("username") = Name
|
| 'Now we will check to see it there is a session object for an original URL.
| 'This would have been created (as you will see later) if the user first
| tried
| 'to visit a protected page. If so, we send them there. If not, we stay here.
| IF Session("Ori_URL") = "" Then 'do nothing
| Else
| Response.redirect(session("Ori_URL"))
| End IF
| End IF
| %>
|
|
|
|
| > For username and password the only issue you'll have is with single quotes
| > (') so you can just do
| > <%
| > function StripQuotes(s)
| > StripQuotes = Replace(s, "'", "")
| > end function
| >
| > sPass= StripQuotes(request.form("pass"))
| > sUser = StripQuotes(request.form("user"))
| > %>
| >
| > We're just replacing a single quote with nothing.
| >
| > --
| > Cheers,
| > Jon
| > Microsoft MVP
| >
| >
| >> Thanks Kevin
| >> Can you help with parameterized queries and how to use them
| >> Paul M
| >>
| >>> If you're using SQL Server or another full-strength database server, the
| >>> easiest way to avoid SQL Injection is to use Stored Procedures. With
| >>> Access, you can actually use parameterized queries. They aren't as
| >>> powerful as Stored Procedures, but often can do what you need.
| >>>
| >>> --
| >>> HTH,
| >>>
| >>> Kevin Spencer
| >>> Microsoft MVP
| >>> .Net Developer
| >>> Neither a follower nor a lender be.
| >>>
| >>>
| >>>> Thanks Jon
| >>>> Maybe you can help me with this
| >>>> I have posted it on the client forum but you don't seem to be working
| >>>> there so I will ask you here
| >>>> I have a form with username and password fields. The form submits to a
| >>>> login validation ASP script.
| >>>> To stop SQL injection I need to filter out, server side, characters like
| >>>> single quote, double quote, slash, backslash, semicolon, and extended
| >>>> characters like NULL, carriage return, new line, etc.
| >>>> I know I need to add some validation ASP script to the validation ASP
| >>>> page but I have been looking on the web and I can't find any tutorials.
| >>>> Paul M
| >>>>
| >>>>
| >>>>> Hi,
| >>>>> Anywhere you like, eg
| >>>>> <%
| >>>>> function DoSomething(..)
| >>>>> '
| >>>>> DoSomething = .....
| >>>>> end function
| >>>>> %>
| >>>>>
| >>>>> <%=DoSomething("something")%>
| >>>>>
| >>>>> It's probably best practice to place them at the top of the page - ie
| >>>>> before <html> just to make your code easier to follow and so your
| >>>>> designer doesn't mess things up when he touches the page.
| >>>>>
| >>>>> --
| >>>>> Cheers,
| >>>>> Jon
| >>>>> Microsoft MVP
| >>>>>
| >>>>>
| >>>>>> Hi
| >>>>>> Where are asp functions placed on the page
| >>>>>> Paul M
 
Uncle Joe

I keep seeing references to SQL injection. What does this mean?
It doesn't sound good.
 
Stefan B Rusynko

See http://www.securiteam.com/securityreviews/5DP0N1P76E.html
 