
Selecting data from 2 tables - creating sessions (sql, vbscript)

I need to create session variables

     
12:21 pm on Sep 18, 2009 (gmt 0) - Junior Member (5+ Year Member, joined Sept 11, 2009, posts: 108)


Hi there,
I have 2 tables "table1", "table2" and I need to select a username and password from both tables using the 'OR' command and create session variables. I wonder can anyone tell me if this is correct.

My SQL statement is as follows:
sqlcomm = "SELECT * from table1, table2 WHERE table1.username = '" & username & "' AND table1.password = '" & password & "' OR table2.username = '" & username & "' AND table2.password = '" & password & "'"

My vbscript is as follows:
if NOT MyRecordset.EOF then
session("username") = MyRecordset("table1.username") OR session("username") = MyRecordset("table2.username")
session("password") = MyRecordset("table1.password") OR session("password") = MyRecordset("table2.password")
response.redirect("success.asp")
End if

?

Thanks for any help offered.

2:38 pm on Sept 18, 2009 (gmt 0) - Senior Member (WebmasterWorld Senior Member, 10+ Year Member, joined Feb 1, 2005, posts: 733)


Warning: Your code is susceptible to SQL Injection [en.wikipedia.org]. I'd take a look at that before you go further.

Your VB Script is more complex than necessary. As you already have the successful Login/Password combination the following is sufficient:

if NOT MyRecordset.EOF then
session("username") = username
session("password") = password
response.redirect("success.asp")
End if

2:47 pm on Sept 18, 2009 (gmt 0) - Junior Member (5+ Year Member, joined Sept 11, 2009, posts: 108)



I know about the SQL Injection threat. I've been hit with it before. They took down a site I've been running successfully for 6 years. I had a number of revenue streams ready to rock and roll but now I've been put in a position where I have to clean almost every field in a huge database. I might as well start again :(

I have a script to combat the SQL injection but just out of interest do you know of any other way of combating it? For instance, what code would you use above to combat SQL injection. Would you add a code snippet or is there a way of writing the code to stop the injection.

Thanks for the warning by the way and thanks for your help.

5:56 pm on Sept 18, 2009 (gmt 0) - Senior Member (WebmasterWorld Senior Member, 10+ Year Member, joined Feb 1, 2005, posts: 733)


I prefer to use Stored Procedures for querying the database (or Parametrized Queries, but AFAIK they are not available in classic ASP)

Here is an intro to protecting against SQL Injection with ASP [4guysfromrolla.com]

9:32 am on Sept 20, 2009 (gmt 0) - Junior Member (5+ Year Member, joined Sept 11, 2009, posts: 108)


Thanks for your help once again Marcel. I will have a look.

Slan
Kevin.

[edited by: marcel at 6:55 am (utc) on Sep. 21, 2009]
[edit reason] sorry no signatures, please see TOS 13 [/edit]

2:58 am on Sept 23, 2009 (gmt 0) - Full Member (10+ Year Member, joined May 14, 2001, posts: 262)


Parameterized queries are not available in classic asp? Where did you get that idea?

Use the command object just like you do for stored procs and use parameters just the same.

5:13 am on Sept 23, 2009 (gmt 0) - Senior Member (WebmasterWorld Senior Member, 10+ Year Member, joined Feb 1, 2005, posts: 733)


Parameterized queries are not available in classic asp? Where did you get that idea?
Use the command object just like you do for stored procs and use parameters just the same.

Thanks, I didn't realise that. I've never developed in Classic ASP (Before ASP.Net I was using Delphi), although I have done a lot of maintenance for existing Classic ASP code, and unfortunately I have not once come across a parametrized query... Almost always inline SQL, and sometimes a stored procedure.

Could you show some example code of a parametrized query in Classic ASP to help KRMWebdesign out?

edit: nevermind, I found a tutorial on it: [planet-source-code.com...]
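The thread ends without the requested code, so here is an added example (editor's code, not from any poster) of the ADODB.Command approach the Full Member describes, put beside the string-built query from the first post. It assumes a connection string named strConn defined elsewhere, varchar username/password columns of at most 50 characters in table1 and table2, and SQL Server syntax for UNION ALL and the -- comment; the UNION rewrite replaces the cross join of the original query, which multiplied rows and relied on AND binding tighter than OR.

```vbscript
' Added example: parameterized login query in classic ASP/VBScript.
' Assumed: strConn (connection string) is defined elsewhere; columns are varchar(50).
Option Explicit

' ADO constants (not predefined in VBScript unless adovbs.inc is included)
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

' The construction from the original post. The input is pasted into the SQL text,
' so a username of   ' OR 1=1 --   turns the WHERE clause into
'   WHERE table1.username = '' OR 1=1 --' AND ...
' and every row of the cross join matches.
Function BuildUnsafeSql(username, password)
    BuildUnsafeSql = "SELECT * FROM table1, table2 WHERE table1.username = '" & username & _
        "' AND table1.password = '" & password & "' OR table2.username = '" & username & _
        "' AND table2.password = '" & password & "'"
End Function

' Parameterized version: the SQL text is fixed at development time and the user
' input only ever travels as parameter values, so quotes or comment markers in
' the input cannot change the statement's structure.
Function FindUser(conn, username, password)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT username FROM table1 WHERE username = ? AND password = ? " & _
                      "UNION ALL " & _
                      "SELECT username FROM table2 WHERE username = ? AND password = ?"
    ' Positional ? placeholders are filled in the order the parameters are appended.
    cmd.Parameters.Append cmd.CreateParameter("u1", adVarChar, adParamInput, 50, username)
    cmd.Parameters.Append cmd.CreateParameter("p1", adVarChar, adParamInput, 50, password)
    cmd.Parameters.Append cmd.CreateParameter("u2", adVarChar, adParamInput, 50, username)
    cmd.Parameters.Append cmd.CreateParameter("p2", adVarChar, adParamInput, 50, password)
    Set rs = cmd.Execute
    If rs.EOF Then
        FindUser = ""
    Else
        FindUser = rs("username")
    End If
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

' Usage on the login page
Dim conn, foundUser
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open strConn
foundUser = FindUser(conn, Request.Form("username"), Request.Form("password"))
conn.Close
Set conn = Nothing

If foundUser <> "" Then
    ' Store only what later pages need; the password does not belong in the session.
    Session("username") = foundUser
    Response.Redirect "success.asp"
End If
```

The assumed column length 50 in CreateParameter is the declared size of the varchar column; match it to your schema, since ADO truncates or rejects values that exceed it. BuildUnsafeSql is kept only to show what the injected string looks like and should never be executed against the database.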
