[thelist] plz help with Getrows()

Ken Schaefer Ken at adOpenStatic.com
Wed Jul 19 19:54:01 CDT 2006


Could I also make a generic comment about this piece of code? It's vulnerable
to SQL injection. I suggest you fix it.

SQL Injection seems to have a higher profile amongst developers now. They
filter input from users. But "two stage" injection seems to still "slip under
the radar" so to speak. Someone supplies some malicious input, and you escape
it, and you store it in your database. However, later on, you extract it on
another page, and use it unfiltered in a subsequent query (like you are doing
here).

Use ADO Command objects and named parameters, and you'll avoid this problem.

In terms of your actual problem - attach a debugger to your code and step
through it, and you'll see exactly what the value of
"mid(rsCatagoryList("ID"),2,36)" is each time you loop, since that seems to
determine what ends up in the recordset.

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Sydney: learn all about IIS 7.0 - See you there!

: -----Original Message-----
: From: thelist-bounces at lists.evolt.org [mailto:thelist-
: bounces at lists.evolt.org] On Behalf Of Anthony Baratta
: Sent: Thursday, 20 July 2006 1:26 AM
: To: thelist at lists.evolt.org
: Subject: Re: [thelist] plz help with Getrows()
: 
: Best to look at a bit more code. You say this is "looping". I would assume
: that it's looping on the rsCatagoryList record set, correct? If not - make
: sure that you are moving through that record set correctly.
: 
: Set up some response writes, so that you print out what is contained in
: mid(rsCatagoryList("ID"),2,36) for each loop. Also print out your SQL
: (strSQL1) and verify it's set up correctly for each loop.
: 
: -----Original message-----
: From: Brian Delaney brian.delaney at mccmh.net
: Date: Wed, 19 Jul 2006 06:35:12 -0700
: To: "thelist at lists.evolt.org" thelist at lists.evolt.org
: Subject: [thelist] plz help with Getrows()
: 
: > I am using this code to convert a SQL recordset rsServiceList1 to an
: > array for comparison.
: >
: > Set rsServiceList1 = Server.CreateObject("ADODB.Recordset")
: > strSQL1 = "Select * from Services where catagoryid = " & "'" &
: > mid(rsCatagoryList("ID"),2,36) & "'" & " order by name "
: > rsServiceList1.Open strSQL1, ResourceCatalogDBConn
: >
: > rsServiceList1 could contain 4 or up to 20 rows. Example - ID,Name for
: > each row. The first time it returns the correct amount of 4.
: > The problem is that this repeats 12 times and it only returns 4 every
: > time.
: >
: > DBServicesArray1 = rsServiceList1.GetRows
: >
: > Please Advise.
: >
: > thanks
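Below is an added example (not code from anyone in this thread) of the rewrite Ken suggests: the same Services query issued through an ADODB.Command with a bound parameter, so the value pulled out of rsCatagoryList is never concatenated into the SQL text. It assumes ResourceCatalogDBConn is an open ADODB.Connection and rsCatagoryList is the open outer recordset being looped over, as in the original post.

```vbscript
' ADO constants (normally pulled in from adovbs.inc or the type library)
Const adCmdText    = 1
Const adParamInput = 1
Const adVarChar    = 200

Dim cmd, prmCatId, rsServiceList1, DBServicesArray1, r

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = ResourceCatalogDBConn
cmd.CommandType = adCmdText
' "?" is the placeholder. The provider binds the value as data, so quotes
' or comment markers stored in the ID column cannot change the statement,
' which is the "two stage" injection case described above.
cmd.CommandText = "SELECT ID, Name FROM Services WHERE catagoryid = ? ORDER BY name"

' One parameter object, reused on every iteration of the loop
Set prmCatId = cmd.CreateParameter("catid", adVarChar, adParamInput, 36)
cmd.Parameters.Append prmCatId

Do Until rsCatagoryList.EOF
    ' Bind this iteration's value instead of splicing it into strSQL1
    prmCatId.Value = Mid(rsCatagoryList("ID"), 2, 36)

    Set rsServiceList1 = cmd.Execute

    ' GetRows raises an error on an empty recordset, so test EOF first
    If Not rsServiceList1.EOF Then
        ' GetRows returns a 2-D array indexed (column, row);
        ' UBound(..., 2) + 1 is the row count for this category
        DBServicesArray1 = rsServiceList1.GetRows
        Response.Write "catid=" & Server.HTMLEncode(prmCatId.Value) & _
                       " rows=" & (UBound(DBServicesArray1, 2) + 1) & "<br>"
        For r = 0 To UBound(DBServicesArray1, 2)
            ' Column 1 is Name; encode before echoing it into the page
            Response.Write Server.HTMLEncode(DBServicesArray1(1, r)) & "<br>"
        Next
    Else
        Response.Write "catid=" & Server.HTMLEncode(prmCatId.Value) & " rows=0<br>"
    End If
    rsServiceList1.Close

    rsCatagoryList.MoveNext
Loop
```

The Response.Write lines double as the per-iteration trace Anthony suggested, so the row count printed for each catid shows whether the outer loop is actually advancing.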
