wfzen
Inspiring
December 3, 2015
Answered

retrieve data from SQL


I need to display data based on the column name.  The name is captured from the URL parameter and passed to Flash with Javascript.

Flash retrieves it with:

var varMedia = ExternalInterface.call("getParameter1");

Then I use the following function to retrieve and display data:

function displayRatingOnSQL():void
{
  var myTextLoader:URLLoader = new URLLoader();
  myTextLoader.dataFormat = URLLoaderDataFormat.VARIABLES;
  myTextLoader.addEventListener(Event.COMPLETE, onLoaded);

  function onLoaded(e:Event):void
  {
    var tAverage = (e.target.data.Average);
    var tTotalVotes = (e.target.data.TotalVotes);
    var tTotalRate1 = (e.target.data.star1);
    var tTotalRate2 = (e.target.data.star2);
    var tTotalRate3 = (e.target.data.star3);
    var tTotalRate4 = (e.target.data.star4);
    var tTotalRate5 = (e.target.data.star5);
    var temp = tTotalRate5 + "\n" + tTotalRate4 + "\n" + tTotalRate3 + "\n" + tTotalRate2 + "\n" + tTotalRate1;
    totalForEachStar.text = temp;
    tAve.text = tAverage;
    totalVotes.text = "(" + tTotalVotes + ")";
  }

  var extraString = Math.random();
  myTextLoader.load(new URLRequest("http://dntin1web01/tpas/SQL/GniePageRatePageRead.asp?qs="+ extraString));
}

In the ASP page, I have the following to pick up the name for the column to extract data:

Dim tPageMedia
tPageMedia = Request.Form("varMedia")


Then I try to use the following to retrieve:

SQL = SQL & "WHERE ( [PageName] = " & "'" & tPageMedia & "') "


I got nothing. It works if I put a hard coded name replacing the dynamic one.


How can I pass the varMedia to ASP page? The variable in Javascript is var1.


    wfzen (Author)
    Inspiring
    December 3, 2015

    Is it possible to pass a value to myTextLoader.load(new URLRequest..) before it loads the data? It seems I can pass value from Javascript to ASP either.

    Thanks for the help,

    wfzen (Author, Correct answer)
    Inspiring
    December 3, 2015

    I was probably too tired, but I fixed the problem by adding the variable value to the parameter of the URL to call ASP. It's working now. THANKS!

    sinious
    Legend
    December 5, 2015

    Thank you for the warning. Although we're using this in our intranet, any more info on "getting injected?" I'm an elearning developer so not that familiar with SQL etc... issues.


    THANKS!


    My stack doesn't include ASP so I'll just explain the basic principle. As a developer you should always control all of the data you use in such a way that a user cannot do something you didn't intend. One example of that is letting their form data be placed directly into your SQL. Consider:

    $sql = 'SELECT * FROM `' . $_POST['tablename'] . '`';

    Imagine the trouble you could get into if the user simply changed the form element with the name 'tablename'. They could control what table you read from. Same thing goes overall, regardless if it's a filename you intend to read, a table column, etc. If they can change it, chances are they will.

    If you google SQL injection you'll get a lot of tips on exactly how to best protect against it and plenty of examples of what it is, for ASP.
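
The principle from the last reply applied to the ASP page in the question, as an added example that is not part of the original thread: the page name is bound as an ADO parameter instead of being concatenated into the WHERE clause. Assumptions: the value arrives as a query-string parameter named varMedia, the connection string and the table name [PageRatings] are placeholders, and the column names match the variable names Flash reads.

```vbscript
<%
Option Explicit

' ADO constants (same values as in adovbs.inc)
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

Dim tPageMedia, conn, cmd, rs, f, out

' Value appended to the URL by Flash (parameter name varMedia is an assumption)
tPageMedia = Trim(Request.QueryString("varMedia"))

' Reject anything that cannot be a page name before touching the database.
' The 100-character limit is an assumption; match it to the column size.
If Len(tPageMedia) = 0 Or Len(tPageMedia) > 100 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "YOUR_CONNECTION_STRING"   ' placeholder, not from the thread

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? marker is bound by the provider, so the value is never parsed as SQL.
' A ? can only stand for a value; table and column names stay fixed in the code.
' [PageRatings] is a placeholder table name (assumption).
cmd.CommandText = "SELECT [Average], [TotalVotes], [star1], [star2], [star3], [star4], [star5] " & _
                  "FROM [PageRatings] WHERE [PageName] = ?"
cmd.Parameters.Append cmd.CreateParameter("PageName", adVarChar, adParamInput, 100, tPageMedia)

Set rs = cmd.Execute

' Reply in the name=value&name=value form that URLLoaderDataFormat.VARIABLES expects.
out = ""
If Not rs.EOF Then
    For Each f In rs.Fields
        If Len(out) > 0 Then out = out & "&"
        out = out & f.Name & "=" & Server.URLEncode(f.Value & "")
    Next
End If
Response.Write out

rs.Close
conn.Close
%>
```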