ADODB.Recordset error '800a0bb9' error? - brain melted

ASP problem


KRMwebdesign

9:26 pm on Jan 10, 2011 (gmt 0)

10+ Year Member



Can ANYONE please tell me what is wrong with my code below. I keep getting an error saying:
"ADODB.Recordset error '800a0bb9'

Arguments are of the wrong type, are out of acceptable range, or are in conflict with one another."

My brain is melted at this stage :( Here is my ASP code:
<% if session("sessLevel") = "1" then
sql="SELECT * FROM Members WHERE Email = '" & session("Email") & "' AND Password = '" & session("Password") & "'"
end if
Set cnn1 = Server.CreateObject("ADODB.Connection")
cnn1.open MySite
Set rsOuter = Server.CreateObject("ADODB.RecordSet")
counter = 0
rsOuter.Open sql,cnn1,0,1
if NOT rsOuter.EOF then
%>
code here

<%
end if
set cnn1 = nothing
set rsOuter = nothing
%>

Ocean10000

9:53 pm on Jan 10, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I believe the variable sql is being left blank due to the sessLevel session variable not equaling "1".

I updated your code (below) to move the end if so only if the sessLevel is "1" will it try to execute the code.

<% if session("sessLevel") = "1" then
sql="SELECT * FROM Members WHERE Email = '" & session("Email") & "' AND Password = '" & session("Password") & "'"
Set cnn1 = Server.CreateObject("ADODB.Connection")
cnn1.open MySite
Set rsOuter = Server.CreateObject("ADODB.RecordSet")
counter = 0
rsOuter.Open sql,cnn1,0,1
if NOT rsOuter.EOF then
%>
code here

<%
end if
set cnn1 = nothing
set rsOuter = nothing
end if
%>

KRMwebdesign

10:35 pm on Jan 10, 2011 (gmt 0)

10+ Year Member



Thanks Ocean10000! That has solved my problem. I got so dopey and tired I could hardly see the code anymore :) Thanks again.

Fotiman

2:28 pm on Jan 11, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



As a side note, you should probably sanitize your session("Email") and session("Password") values. The code example above might be vulnerable to SQL Injection attacks.

KRMwebdesign

2:46 pm on Jan 11, 2011 (gmt 0)

10+ Year Member



Can you explain a little more Fotiman? I want to learn more about SQL injection so I can prevent it. I know I can use stored queries for my access database and use them in place of open SQL statements but as regards sessions I don't know a way around this. Can you explain? Thanks for any help you can provide.

Fotiman

3:43 pm on Jan 11, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



There is a great Wikipedia article that explains it nicely:
[en.wikipedia.org...]

Essentially, a user could enter a value into the session("Email") or session("Password") variable that contained SQL code, which thereby changed your original SQL query to do something it wasn't intended to do. For example, suppose they set session("Password") to be "' or '1'='1". Your SQL string would then become:

SELECT * FROM Members WHERE Email = 'fotiman@example.com' AND Password = '' or '1'='1';

There's also a risk of someone injecting SQL that drops your table (deleting all records).
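The fix the thread is circling (the question about sessions a few posts up, and the injected-string example just above) is to stop building the SQL text from the session values and bind them as parameters instead. Below is an added example, not code posted in this thread, that rewrites the Members lookup with an ADODB.Command. It assumes the same MySite connection string and Members table as the original post, and that Email and Password are text columns of at most 255 characters (adjust the sizes to the real schema).

```vbscript
<%
' Added example: the Members lookup from the thread, rewritten with parameters.
' The session values are handed to the provider as data, so a value such as
' ' or '1'='1 is compared literally against the Password column instead of
' being parsed as part of the SQL statement.
' Assumptions: MySite is the connection string used above; Email and Password
' are text columns of at most 255 characters.
Const adCmdText = 1
Const adVarWChar = 202
Const adParamInput = 1
Const adOpenForwardOnly = 0
Const adLockReadOnly = 1

If Session("sessLevel") = "1" Then
    Dim cnn1, cmd, rsOuter
    Set cnn1 = Server.CreateObject("ADODB.Connection")
    cnn1.Open MySite

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cnn1
    cmd.CommandType = adCmdText
    ' Each ? is a placeholder; parameters are bound in the order the ? appear.
    cmd.CommandText = "SELECT * FROM Members WHERE Email = ? AND Password = ?"
    cmd.Parameters.Append cmd.CreateParameter("pEmail", adVarWChar, adParamInput, 255, Session("Email"))
    cmd.Parameters.Append cmd.CreateParameter("pPassword", adVarWChar, adParamInput, 255, Session("Password"))

    ' When the source is a Command object, the ActiveConnection argument is left empty.
    Set rsOuter = Server.CreateObject("ADODB.Recordset")
    rsOuter.Open cmd, , adOpenForwardOnly, adLockReadOnly
    If Not rsOuter.EOF Then
%>
code here
<%
    End If
    rsOuter.Close
    Set rsOuter = Nothing
    cnn1.Close
    Set cnn1 = Nothing
End If
%>
```

With the Jet/Access provider the parameter names are ignored and binding is positional, so keep the CreateParameter calls in the same order as the ? placeholders. Stored queries in Access, mentioned earlier in the thread, are called the same way: set CommandType to adStoredProc (4), CommandText to the query name, and append one parameter per query argument.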

KRMwebdesign

4:14 pm on Jan 11, 2011 (gmt 0)

10+ Year Member



I actually can't get access to my website using the examples given by Wikipedia.

I put in username: myemail@mydomain.com and password: ' or '1'='1';/*' but couldn't gain access. I also tried: username: myemail@mydomain.com and password: ' or '1'='1 but couldn't gain access. Am I doing it wrong?

One of my sites was hacked last year. It was a pretty big site (almost 3,000 members) and most of the records were deleted. I don't want that to happen again so I'm trying to find ways to prevent SQL injection attacks.

Fotiman

4:58 pm on Jan 11, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Without seeing what else your code is doing, it's hard to say. You could try writing out the sql query to the page to see what it thinks it's doing.

On the lighter side:
[xkcd.com...]

;)