Home / Forums Index / Microsoft / Microsoft IIS Web Server and ASP.NET

Microsoft IIS Web Server and ASP.NET Forum

    
I need help...
What's wrong with this code? Error details are below the code.
popo
10+ Year Member
Msg#: 1902 posted 12:50 pm on Jun 16, 2004 (gmt 0)

<%
if request.querystring("case")="games" then
' Request.Form("game_name") is a collection object, so IsEmpty() on it is always False;
' its Count tells whether any checkbox was submitted
if request.form("game_name").count=0 then %>
<form name="delete" action="" method="post">
<table width="100%" cellpadding="0" cellspacing="0" border="2" bordercolor="#fff5ee">
<tr>
<td>game name:</td>
<td>game description</td>
<td>mark to delete</td>
</tr>
<%
set oconn=server.createobject("adodb.connection")
oconn.provider="microsoft.jet.oledb.4.0"
oconn.open "c:\inetpub\wwwroot\dragonball\db\dragon.mdb"
set showall=server.createobject("adodb.recordset")
sql="select * from games order by game_name"
showall.open sql,oconn,2,2
do until showall.eof %>
<tr>
<td><%=showall.fields("game_name").value %></td>
<td><%=showall.fields("game_des").value %></td>
<td><input type="checkbox" name="game_name" value="<%=showall.fields("game_name").value %>"></td>
</tr>
<%
showall.movenext
loop
showall.close
set showall=nothing
oconn.close
set oconn=nothing %>
</table>
<input type="submit" value="delete">
</form>
<%
else
set oconn=server.createobject("adodb.connection")
oconn.provider="microsoft.jet.oledb.4.0"
oconn.open "c:\inetpub\wwwroot\dragonball\db\dragon.mdb"
set game=server.createobject("adodb.recordset")
for each item in request.form("game_name")
sql="select * from games where game_name=" & item & ""
' this is line 176 (the line reported in the error below)
game.open sql,oconn,2,2
set del=server.createobject("scripting.filesystemobject")
gamefile="C:/Inetpub/wwwroot/dragonball/games/" & game.fields("game_name").value
if del.fileexists(gamefile) then
del.deletefile(gamefile)
end if
picfile="C:/Inetpub/wwwroot/dragonball/images/games/" & game.fields("game_pic").value
if del.fileexists(picfile) then
del.deletefile(picfile)
end if
sql2="delete from games where game_name=" & item & ""
oconn.execute sql2
game.close
next
set del=nothing
set game=nothing
oconn.close
set oconn=nothing
response.write("games were deleted!")
%>
<script language="javascript">
setTimeout("location='./delete.asp?case=games'",3000)
</script>
<%
end if
end if
end if ' closes an outer if that is not part of the posted fragment
%>
It says:
Error Type:
Microsoft JET Database Engine (0x80040E10)
No value given for one or more required parameters.
/dragonball/delete.asp, line 176
Line 176 is marked above [in the code].

 

john_k
WebmasterWorld Senior Member 10+ Year Member
Msg#: 1902 posted 12:58 pm on Jun 16, 2004 (gmt 0)

sql="select * from games where game_name=" & item & ""

Assuming a game name of "Doom", this will result in the following literal string being executed as your query command:

select * from games where game_name= Doom

So you need to add in some apostrophes to your query:

sql="select * from games where game_name='" & item & "'"

The error message you are getting is caused when the database engine looks for a parameter with the name Doom. None is provided, so the error message makes sense.

john_k
WebmasterWorld Senior Member 10+ Year Member
Msg#: 1902 posted 1:04 pm on Jun 16, 2004 (gmt 0)

By the way, your code is leaving you wide open to an SQL injection attack. Here is an example.

If the following value is provided in the game_name field

abc' having 1=1 ;

an error will occur that will most likely show the name of one or more tables. Suppose one of the table names is "games". The attacker can then use that to cause real problems by entering the following in the game_name field:

abc'; drop table games ;

You should always clean the values presented by users by (at least) escaping any apostrophes.
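Escaping apostrophes is the minimum; the more robust fix for the error above and for the injection problem is to stop building the SQL string from the form value at all and bind it as a parameter. Below is the deletion branch of the posted page rewritten that way. This is an added example for this thread, not code from popo's post or john_k's reply: it assumes the poster's schema (table games with columns game_name and game_pic) and folder paths, the ADO constants are the standard values declared locally because the page does not include adovbs.inc, and the bare-file-name guard on the stored values is an addition the original code did not have.

```vbscript
<%
Option Explicit
' Added example: delete the checked games using ADODB.Command parameters.
' The "?" placeholder is bound by the JET provider, so the checkbox value is
' always treated as data. An apostrophe in it can neither break the literal
' (john_k's injection example) nor produce the "No value given for one or
' more required parameters" error that the concatenated query raised.
Const adVarWChar = 202    ' ADO type for Access Text columns
Const adParamInput = 1
Const adCmdText = 1

Dim oconn, cmd, rs, fso, item, gamefile, picfile, deleted
deleted = 0

Set oconn = Server.CreateObject("ADODB.Connection")
oconn.Provider = "Microsoft.Jet.OLEDB.4.0"
oconn.Open "c:\inetpub\wwwroot\dragonball\db\dragon.mdb"   ' path assumed from the thread
Set fso = Server.CreateObject("Scripting.FileSystemObject")

For Each item In Request.Form("game_name")
    ' Look the row up through a bound parameter instead of string concatenation.
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = oconn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT game_name, game_pic FROM games WHERE game_name = ?"
    cmd.Parameters.Append cmd.CreateParameter("p_name", adVarWChar, adParamInput, 255, item)
    Set rs = cmd.Execute

    If Not rs.EOF Then
        ' Build file paths only from stored values that are bare file names
        ' (GetFileName returns the value unchanged only when it has no directory part),
        ' so a stored name cannot address a file outside the intended folder.
        gamefile = "C:\Inetpub\wwwroot\dragonball\games\" & rs("game_name").Value
        If fso.GetFileName(gamefile) = rs("game_name").Value And fso.FileExists(gamefile) Then
            fso.DeleteFile gamefile
        End If
        If Not IsNull(rs("game_pic").Value) Then
            picfile = "C:\Inetpub\wwwroot\dragonball\images\games\" & rs("game_pic").Value
            If fso.GetFileName(picfile) = rs("game_pic").Value And fso.FileExists(picfile) Then
                fso.DeleteFile picfile
            End If
        End If

        ' The DELETE is bound the same way; the value never becomes part of the SQL text.
        Set cmd = Server.CreateObject("ADODB.Command")
        Set cmd.ActiveConnection = oconn
        cmd.CommandType = adCmdText
        cmd.CommandText = "DELETE FROM games WHERE game_name = ?"
        cmd.Parameters.Append cmd.CreateParameter("p_name", adVarWChar, adParamInput, 255, item)
        cmd.Execute
        deleted = deleted + 1
    End If
    rs.Close
Next

Set rs = Nothing
Set cmd = Nothing
Set fso = Nothing
oconn.Close
Set oconn = Nothing

' Encode anything written back to the browser, even a number.
Response.Write Server.HTMLEncode(CStr(deleted)) & " game(s) were deleted."
%>
```

Because the file paths are taken from the database row that the parameterized SELECT returned, and not from the form, a forged POST can at most name a game that does not exist, in which case the loop simply does nothing for that value.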

popo
10+ Year Member
Msg#: 1902 posted 6:03 pm on Jun 16, 2004 (gmt 0)

10q, and no one can do anything to my web: the game_name field is a checkbox, so you can't enter any value, it just automatically takes the value of the game_name, which is the key in my table (mdb). Plus only admins can see this page and they won't even try to harm the web. =)

john_k
WebmasterWorld Senior Member 10+ Year Member
Msg#: 1902 posted 6:28 pm on Jun 16, 2004 (gmt 0)

the game_name field is a checkbox

Maybe on the form you provide. But a script kiddy can easily make their own form.

But, if it is an admin only page, and the submit page code only executes for someone that is logged in, then there is not much danger.

mattglet
WebmasterWorld Senior Member 10+ Year Member
Msg#: 1902 posted 6:31 pm on Jun 16, 2004 (gmt 0)

popo-

You still should get into the habit of practicing good coding habits. No matter where the code is actually showing, you should always make sure it's as secure as you can possibly make it. If you get into the habit of making all your code secure, you won't have to worry about where the code is, it will always be fine.

-Matt

dwilson
10+ Year Member
Msg#: 1902 posted 6:34 pm on Jun 16, 2004 (gmt 0)

SQL Injection attack

That's my favorite reason for insisting that ALL queries in web apps use stored procedures!

Others include performance and code reuse.
