SQL Injection

 
boywonder381
-


Joined: 30 May 2019
Posts: 2

Posted: Thu May 30, 2019 2:44 pm    Post subject: SQL Injection

I'm having problems trying to set up SQL injection feature. I'm using 2 pages, one for the query and one for the connection. Here is my query:

<%
msg = "select P.txtAp, P.txtLevel1, P.txtPromotionGroup, P.intGroup, P.txtLevel3 , C.txtCode, ISNULL(P.curBudget, 0) as curBudget, P.ysnSurvey, "
msg = msg & " convert(date, dtmExpir 101) as dtmExpir, convert(date, dtmSubm, 101) as dtmSubm"
msg = msg & " from tblApps P inner join tblCodes C on P.txtApp = C.txtApps "
msg = msg & " where P.ynactive = 1 AND P.txtApps = ? "

%>
<!--#include file="vb/connlogin.asp"-->

<%

Here is the connlogin.asp file with the connection setup:

<%

db_computer = db_computer
db_id = db_id

connstr = "Driver={SQL Server}; SERVER=" & db_computer & "; DATABASE=" & db_id &"; UID=" & db_userid & "; PWD="& db_userpw

getProgID = ProtectSQL(request.QueryString("f"))
Set oConn = server.CreateObject("ADODB.Connection")
oConn.Open connstr
oConn.Prepared = true
oConn.commandtext=msg
oConn.Parameters.Append oConn.CreateParameter("@myProgID", adInteger, adParamInput, , getProgID)

set rst = oConn.execute

%>

What am I doing wrong?
_________________
boywonderrrr
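
The parameterized query the post above is attempting, as an added example that is not the poster's code or part of the original thread. In ADO, CommandText, Prepared, Parameters and CreateParameter are members of ADODB.Command rather than ADODB.Connection, and the ad* constants have to be defined in the page. The shortened query, the integer type of the "f" value, the digit check and the output loop are assumptions; the db_* variables are taken from the post and assumed to be set elsewhere.

```asp
<%
' ADO constants: VBScript does not define them unless adovbs.inc is included.
Const adCmdText = 1, adParamInput = 1, adInteger = 3

' db_computer, db_id, db_userid, db_userpw come from the post; assumed set elsewhere.
Dim connstr, msg, rawId, re, oConn, oCmd, rst
connstr = "Driver={SQL Server}; SERVER=" & db_computer & "; DATABASE=" & db_id & _
          "; UID=" & db_userid & "; PWD=" & db_userpw

' Shortened form of the posted query; "?" is the single positional placeholder.
msg = "select P.txtLevel1, ISNULL(P.curBudget, 0) as curBudget " & _
      "from tblApps P where P.ynactive = 1 AND P.txtApps = ?"

' Check the type before binding (assumption: the id is an integer, as the post binds adInteger).
rawId = Trim(Request.QueryString("f") & "")
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set oConn = Server.CreateObject("ADODB.Connection")
oConn.Open connstr

' The statement and its parameters live on a Command bound to the open connection.
Set oCmd = Server.CreateObject("ADODB.Command")
Set oCmd.ActiveConnection = oConn
oCmd.CommandType = adCmdText
oCmd.CommandText = msg
oCmd.Prepared = True
oCmd.Parameters.Append oCmd.CreateParameter("@myProgID", adInteger, adParamInput, , CLng(rawId))

Set rst = oCmd.Execute
If rst.EOF Then
    Response.Write "No rows matched."
Else
    Do Until rst.EOF
        ' Encode on output; "& """" turns a Null column into an empty string.
        Response.Write Server.HTMLEncode(rst("txtLevel1") & "") & " : " & _
                       Server.HTMLEncode(rst("curBudget") & "") & "<br>"
        rst.MoveNext
    Loop
End If
rst.Close
oConn.Close
%>
```

With "?" placeholders the parameters bind by position, so the name passed to CreateParameter is only a label.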
admin
Site Admin


Joined: 03 Mar 2002
Posts: 921

Posted: Fri May 31, 2019 5:27 pm    Post subject: Re: SQL Injection

This is a coding question about ASP. And without context or a clear description of the issue, it would be difficult to help.
_________________
Follow @abyssws on Twitter
Subscribe to our newsletter
_________________
Forum Administrator
Aprelium - https://aprelium.com
boywonder381
-


Joined: 30 May 2019
Posts: 2

Posted: Mon Jun 03, 2019 8:13 pm

The issue is that it does not generate an error nor does it show the data from the query by using the ?.
admin
Site Admin


Joined: 03 Mar 2002
Posts: 921

Posted: Tue Jun 04, 2019 3:12 pm

boywonder381 wrote:
The issue is that it does not generate an error nor does it show the data from the query by using the ?.


It is very hard to help with such programming errors when the program/script executes without any complaint but does not do what you want.

It is probably better to check with a friend or colleague and have a second look at the program/script. Sometimes, a fresh look can help detect errors that went unnoticed by the original developer.