
ASP Classic Database Query


SQL Injection Attacks by Example

A customer asked that we check out his intranet site, which was used by the company's employees and customers. This was part of a larger security review, and though we'd not actually used SQL injection to penetrate a network before, we were pretty familiar with the general concepts. We were completely successful in this engagement, and wanted to recount the steps taken as an illustration.

"SQL Injection" is a subset of the unverified/unsanitized user input vulnerability ("buffer overflows" are a different subset), and the idea is to convince the application to run SQL code that was not intended. If the application is creating SQL strings naively on the fly and then running them, it's straightforward to create some real surprises. We'll note that this was a somewhat winding road with more than one wrong turn, and others with more experience will certainly have different -- and better -- approaches.

We speculate that the underlying SQL code looks something like this: A standalone query of.

Retrieving both a recordset and output parameters from a Stored Procedure

Stjulian wrote:

> Within a block of programming to call an adCmdStoredProc through the
> ADODB.Command object (appending parameters, etc), can the recordset
> be retrieved with
>
> set rs = adoCmd.execute
>
> as well as output parameters with
>
> myoutparameter = .Parameters("@myoutparameter").Value
>
> if said stored procedure contains a SELECT recordset as well as
> single value SELECTs to my output parameter(s)?
>
> What would this look like in .asp?

You need to realize: a stored procedure must return all resultsets BEFORE returning any output or return parameters. This means you must completely process all returned recordsets (usually by closing them) before attempting to read the output or return parameters.

SELECT TOP 1

There are many good uses of the SELECT TOP 1 method of querying. Essentially, the SELECT TOP 1 method is used to find the min or max record for a particular column's value. There is some debate as to whether this is the 'correct' method of querying; however, it should be known that this method does not break any guidelines and is supported by all standards of SQL. The TOP 1 means to only return one record as the result set. Which record is returned depends on the column that is specified in the ORDER BY clause.

If you want to find the record with the minimum value for a particular column, you would query the record with the ORDER BY being ascending (ASC). If you want to find the record with the maximum value for that column, you would query it with the ORDER BY descending (DESC). For example, say you wanted to find the record in a table for a customer that has the largest order. However, using the SELECT..TOP 1 method of querying, you can perform the same query using the following notation.

Calling a Stored Procedure with a Command

You can use a command to call a stored procedure. The code sample at the end of this topic refers to a stored procedure in the Northwind sample database, called CustOrdersOrders, which is defined as follows:

    CREATE PROCEDURE CustOrdersOrders @CustomerID nchar(5)
    AS
    SELECT OrderID, OrderDate, RequiredDate, ShippedDate
    FROM Orders
    WHERE CustomerID = @CustomerID
    ORDER BY OrderID

See your SQL Server documentation for more information about how to define and call stored procedures. Using the stored procedure allows you to access another capability of ADO: the Parameters collection Refresh method. By using this method, ADO can automatically fill in all information about the parameters required by the command at run time.

How to call SQL Server stored procedures from ASP

For a Microsoft Visual Basic .NET version of this article, see 306574. This article demonstrates three methods of calling a stored procedure from Active Server Pages using ActiveX Data Objects (ADO). The following example uses the Command object to call a sample stored procedure sp_test. This stored procedure accepts an integer and has a return value of an integer as well:

    <%@ LANGUAGE="VBSCRIPT" %><!

Note in the above examples, various methods of accessing the Parameters collection of the Command object are used. For the latest Knowledge Base articles and other support information on Visual InterDev and Active Server Pages, see the Microsoft Technical Support site.

Article ID: 164485 - Last Review: May 2, 2006 - Revision: 4.0

Retired KB Content Disclaimer: This article was written about products for which Microsoft no longer offers support.
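The three points above (keep user input out of the SQL text, pass it as a typed Command parameter, and close the recordset before reading the return value) combined in one ASP Classic page. This is an added example, not code from the KB article or the ADO documentation; it assumes the Northwind CustOrdersOrders procedure from above, a local SQL Server reachable with the connection string shown, and relies on every SQL Server procedure returning an integer (0 unless the procedure says otherwise).

```vbscript
<%@ LANGUAGE="VBSCRIPT" %>
<% Option Explicit
' Added example (not the KB article's code). Connection string and the
' Northwind CustOrdersOrders procedure are assumptions for illustration.
Const adCmdStoredProc = 4, adInteger = 3, adWChar = 130
Const adParamInput = 1, adParamReturnValue = 4

' The naive pattern the SQL injection section warns about: request input
' becomes part of the SQL string, so it can change the statement itself.
' strSQL = "SELECT ... WHERE CustomerID = '" & Request("CustomerID") & "'"

Dim cn, cmd, rs, custID
custID = Request.QueryString("CustomerID")
' The parameter is nchar(5): reject anything else before touching the DB.
If Len(custID) <> 5 Then
    Response.Write "CustomerID must be exactly 5 characters."
    Response.End
End If

Set cn = Server.CreateObject("ADODB.Connection")
cn.Open "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=Northwind;Integrated Security=SSPI"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandText = "CustOrdersOrders"
cmd.CommandType = adCmdStoredProc
' The return-value parameter must be the first one appended.
cmd.Parameters.Append cmd.CreateParameter("RETURN_VALUE", adInteger, adParamReturnValue)
' Typed, sized input parameter: the value travels as data, never as SQL text.
cmd.Parameters.Append cmd.CreateParameter("@CustomerID", adWChar, adParamInput, 5, custID)

Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output so stored data cannot inject markup into the page.
    Response.Write Server.HTMLEncode(rs("OrderID") & " " & rs("OrderDate")) & "<br>"
    rs.MoveNext
Loop
' All result sets must be consumed (here: closed) before return/output
' parameters are populated, as the reply above explains.
rs.Close
Response.Write "Return value: " & cmd.Parameters("RETURN_VALUE").Value

Set rs = Nothing
Set cmd = Nothing
cn.Close
Set cn = Nothing
%>
```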
