July 24, 2007
Question

sql injection attack - need help changing ASP code

Our web server was attacked yesterday by SQL injection. So I quickly learned about the holes in the code that was generated by Dreamweaver MX 2004.
I found the help article on the Adobe website to fix the ASP code; however I need more information for my particular case. I don't know how to get my cursor type and location settings into the new code.

MY ORIGINAL CODE

<%
Dim Recordset1
Dim Recordset1_numRows

Set Recordset1 = Server.CreateObject("ADODB.Recordset")
Recordset1.ActiveConnection = MM_Oncology_STRING
' Vulnerable: the request value is concatenated into the SQL text. Doubling single quotes
' does not help here because Oncology_ID is compared as a number, so the value is never quoted.
Recordset1.Source = "SELECT * FROM dbo.Oncology_Dir WHERE Oncology_ID = " + Replace(Recordset1__MMColParam, "'", "''") + ""
Recordset1.CursorType = 0      ' adOpenForwardOnly
Recordset1.CursorLocation = 3  ' adUseClient
Recordset1.LockType = 1        ' adLockReadOnly
Recordset1.Open()

Recordset1_numRows = 0
%>

THE NEW CODE, WHICH NEEDS TO BE FIXED TO REFLECT CURSOR TYPE AND LOCATION ABOVE.
<%
Dim Recordset1
Dim Recordset1_cmd
Dim Recordset1_numRows
Set Recordset1_cmd = Server.CreateObject("ADODB.Command")
Recordset1_cmd.ActiveConnection = MM_Oncology_STRING
' The value is supplied through a bound parameter ("?"), not concatenated into the SQL text
Recordset1_cmd.CommandText = "SELECT * FROM dbo.Oncology_Dir WHERE Oncology_ID = ?"
Recordset1_cmd.Prepared = True
' CreateParameter(Name, Type, Direction, Size, Value):
'   5  = adDouble (DataTypeEnum), 1 = adParamInput (ParameterDirectionEnum),
'   -1 = Size, which is ignored for fixed-length numeric types such as adDouble
Recordset1_cmd.Parameters.Append Recordset1_cmd.CreateParameter("param1", 5, 1, -1, Recordset1__MMColParam) ' adDouble
' Command.Execute returns a forward-only, read-only recordset; CursorType and
' CursorLocation cannot be set on that object
Set Recordset1 = Recordset1_cmd.Execute
Recordset1_numRows = 0
%>

What exactly is the 5,1,-1 in the code above?

Any help would be very much appreciated as my ASP page (although secured from SQL injection) is not working properly.

Thanks,
--Jen


1 reply

July 24, 2007
The new snippet is not vulnerable to SQL injection. It uses a command
object and actual defined parameters, so you're safe. You cannot change the
cursor type or location on that object.


"jennday" <webforumsuser@macromedia.com> wrote in message
news:f85omh$ngg$1@forums.macromedia.com...
> Our web server was attacked yesterday by SQL injection. So I quickly learned
> about the holes in the code that was generated by Dreamweaver MX 2004.
> I found the help article on the Adobe website to fix the ASP code; however I
> need more information for my particular case. I don't know how to get my
> cursor type and location settings into the new code.
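One way to keep the parameterised Command and still control the cursor, as an added example that is not from the original post, the reply or Adobe's article: open an ADODB.Recordset with the Command object as its Source instead of calling Execute, so the cursor properties are set on the recordset before it opens. It assumes MM_Oncology_STRING and Recordset1__MMColParam already exist as in the generated page, that Oncology_ID is a numeric column, and that adovbs.inc is not already included (the Const lines would otherwise be duplicates).

```vbscript
<%
' Added example, not Dreamweaver-generated code. Assumes MM_Oncology_STRING and
' Recordset1__MMColParam are defined earlier in the page, as in the original.

' ADO constants used below (same values as adovbs.inc)
Const adDouble = 5           ' DataTypeEnum: the "5" in CreateParameter
Const adParamInput = 1       ' ParameterDirectionEnum: the "1" in CreateParameter
Const adOpenForwardOnly = 0  ' CursorTypeEnum: the original CursorType = 0
Const adUseClient = 3        ' CursorLocationEnum: the original CursorLocation = 3
Const adLockReadOnly = 1     ' LockTypeEnum: the original LockType = 1
' The "-1" is the parameter Size; it is ignored for fixed-length numeric types.

Dim Recordset1_cmd, Recordset1, Recordset1_numRows

' Reject anything that is not a number before it reaches the database.
' The bound parameter already prevents injection; this just fails early and clearly.
If Not IsNumeric(Recordset1__MMColParam) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set Recordset1_cmd = Server.CreateObject("ADODB.Command")
Recordset1_cmd.ActiveConnection = MM_Oncology_STRING
Recordset1_cmd.CommandText = "SELECT * FROM dbo.Oncology_Dir WHERE Oncology_ID = ?"
Recordset1_cmd.Prepared = True
' The value travels as a typed parameter, never as part of the SQL text.
Recordset1_cmd.Parameters.Append Recordset1_cmd.CreateParameter("param1", adDouble, adParamInput, -1, Recordset1__MMColParam)

' Create the recordset ourselves and set cursor properties before opening it.
' When Source is a Command object, the ActiveConnection argument of Open must be omitted
' (the connection comes from the Command).
Set Recordset1 = Server.CreateObject("ADODB.Recordset")
Recordset1.CursorLocation = adUseClient
Recordset1.CursorType = adOpenForwardOnly
Recordset1.LockType = adLockReadOnly
Recordset1.Open Recordset1_cmd

Recordset1_numRows = 0
%>
```

The rest of the generated page (the Recordset1.EOF loop and Recordset1.Close) works unchanged against this recordset.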