Selecting data from 2 tables - creating sessions (sql, vbscript)

I need to create session variables


KRMwebdesign

12:21 pm on Sep 18, 2009 (gmt 0)

10+ Year Member



Hi there,
I have 2 tables "table1", "table2" and I need to select a username and password from both tables using the 'OR' command and create session variables. I wonder can anyone tell me if this is correct.

My SQL statement is as follows:
sqlcomm = "SELECT * from table1, table2 WHERE table1.username = '" & username & "' AND table1.password = '" & password & "' OR table2.username = '" & username & "' AND table2.password = '" & password & "'"

My vbscript is as follows:
if NOT MyRecordset.EOF then
session("username") = MyRecordset("table1.username") OR session("username") = MyRecordset("table2.username")
session("password") = MyRecordset("table1.password") OR session("password") = MyRecordset("table2.password")
response.redirect("success.asp")
End if

?

Thanks for any help offered.

marcel

2:38 pm on Sep 18, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Warning: Your code is susceptible to SQL Injection [en.wikipedia.org]. I'd take a look at that before you go further.

Your VB Script is more complex than necessary. As you already have the successful Login/Password combination the following is sufficient:

if NOT MyRecordset.EOF then
session("username") = username
session("password") = password
response.redirect("success.asp")
End if

KRMwebdesign

2:47 pm on Sep 18, 2009 (gmt 0)

10+ Year Member




I know about the SQL Injection threat. I've been hit with it before. They took down a site I've been running successfully for 6 years. I had a number of revenue streams ready to rock and roll but now I've been put in a position where I have to clean almost every field in a huge database. I might as well start again :(

I have a script to combat the SQL injection, but just out of interest, do you know of any other way of combating it? For instance, what code would you use above to combat SQL injection? Would you add a code snippet, or is there a way of writing the code to stop the injection?

Thanks for the warning by the way and thanks for your help.

marcel

5:56 pm on Sep 18, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I prefer to use Stored Procedures for querying the database (or Parametrized Queries, but AFAIK they are not available in classic ASP)

Here is an intro to protecting against SQL Injection with ASP [4guysfromrolla.com]

KRMwebdesign

9:32 am on Sep 20, 2009 (gmt 0)

10+ Year Member



Thanks for your help once again Marcel. I will have a look.

Slan
Kevin.

[edited by: marcel at 6:55 am (utc) on Sep. 21, 2009]
[edit reason] sorry no signatures, please see TOS 13 [/edit]

bmcgee

2:58 am on Sep 23, 2009 (gmt 0)

10+ Year Member



Parameterized queries are not available in classic asp? Where did you get that idea?

Use the command object just like you do for stored procs and use parameters just the same.

marcel

5:13 am on Sep 23, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Parameterized queries are not available in classic asp? Where did you get that idea?
Use the command object just like you do for stored procs and use parameters just the same.

Thanks, I didn't realise that. I've never developed in Classic ASP (Before ASP.Net I was using Delphi), although I have done a lot of maintenance for existing Classic ASP code, and unfortunately I have not once come across a parametrized query... Almost always inline SQL, and sometimes a stored procedure.

Could you show some example code of a parametrized query in Classic ASP to help KRMWebdesign out?

edit: never mind, I found a tutorial on it: [planet-source-code.com...]
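The parameterized version of the login lookup that bmcgee describes and marcel asks for, written out as an added example; it is not code posted by anyone in this thread. It keeps the thread's table and column names (table1, table2, username, password) and assumes the form field names, the connection string, a column width of 50, and that the password column holds whatever the application compares against. The original "FROM table1, table2" cross join is replaced by a UNION ALL of two separate lookups: a cross join returns no rows at all if either table happens to be empty, whereas each branch here is evaluated on its own.

```vbscript
Option Explicit

' ADODB enum values (the same constants adovbs.inc defines)
Const adCmdText    = 1
Const adVarChar    = 200
Const adParamInput = 1

' Runs the login lookup through ADODB.Command with ? placeholders.
' conn is an open ADODB.Connection. Returns the matched username,
' or "" when no row in either table matches.
Function LookupUser(conn, username, password)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' One SELECT per table, combined with UNION ALL, instead of the
    ' cross join "FROM table1, table2" used in the thread's query.
    cmd.CommandText = _
        "SELECT username FROM table1 WHERE username = ? AND password = ? " & _
        "UNION ALL " & _
        "SELECT username FROM table2 WHERE username = ? AND password = ?"

    ' ? placeholders bind by position, so the Append order must match the
    ' order of the ? marks. The values are sent separately from the SQL
    ' text, so quotes or keywords in the input never alter the statement.
    ' (Width 50 is an assumption; use the real column length.)
    cmd.Parameters.Append cmd.CreateParameter("u1", adVarChar, adParamInput, 50, username)
    cmd.Parameters.Append cmd.CreateParameter("p1", adVarChar, adParamInput, 50, password)
    cmd.Parameters.Append cmd.CreateParameter("u2", adVarChar, adParamInput, 50, username)
    cmd.Parameters.Append cmd.CreateParameter("p2", adVarChar, adParamInput, 50, password)

    Set rs = cmd.Execute
    If Not rs.EOF Then
        LookupUser = rs("username").Value
    Else
        LookupUser = ""
    End If
    rs.Close
End Function

' Usage. Form field names and the connection string are assumed placeholders.
Dim conn, username, password, found
username = Request.Form("username")
password = Request.Form("password")

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=DBSERVER;Initial Catalog=MYDB;Integrated Security=SSPI"

found = LookupUser(conn, username, password)
conn.Close

If found <> "" Then
    ' As marcel's reply notes, the submitted username is already verified
    ' once a row comes back, so it can be stored directly. The session only
    ' needs the username, so the password is not kept there.
    Session("username") = found
    Response.Redirect "success.asp"
End If
```

The only difference from the inline-SQL version is that the user-supplied values travel as parameters rather than being spliced into the string, so no escaping routine is needed for them; the rest of the page (recordset check, session, redirect) stays as marcel's snippet has it.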