• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

retrieve data from SQL

Contributor ,
Dec 02, 2015 Dec 02, 2015

Copy link to clipboard

Copied

I need to display data based on the column name.  The name is captured from the URL parameter and passed to Flash with Javascript.

Flash retrieve it with:

var varMedia = ExternalInterface.call("getParameter1");

Then I use the following function to retrieve and display data:

function displayRatingOnSQL():void

{

  var myTextLoader:URLLoader = new URLLoader();

  myTextLoader.dataFormat = URLLoaderDataFormat.VARIABLES;

  myTextLoader.addEventListener(Event.COMPLETE, onLoaded);

  function onLoaded(e:Event):void

  {

  var tAverage = (e.target.data.Average);

  var tTotalVotes = (e.target.data.TotalVotes);

  var tTotalRate1 = (e.target.data.star1);

  var tTotalRate2 = (e.target.data.star2);

  var tTotalRate3 = (e.target.data.star3);

  var tTotalRate4 = (e.target.data.star4);

  var tTotalRate5 = (e.target.data.star5);

  var temp = tTotalRate5 + "\n" + tTotalRate4 + "\n" + tTotalRate3 + "\n" + tTotalRate2 + "\n" + tTotalRate1;

  totalForEachStar.text = temp;

  tAve.text = tAverage;

  totalVotes.text = "(" + tTotalVotes + ")";

  }

  var extraString = Math.random();

  myTextLoader.load(new URLRequest("http://dntin1web01/tpas/SQL/GniePageRatePageRead.asp?qs="+ extraString));

}

In ASP page, I have the following to pick up name for the column to extract data:

Dim tPageMedia

tPageMedia = Request.Form("varMedia")


Then I try to use the following to retrieve:

SQL = SQL & "WHERE ( [PageName] = " & "'" & tPageMedia & "') "


I got nothing. It works if I put a hard coded name replacing the dynamic one.


How can I pass the varMedia to ASP page? The variable in Javascript is var1.

Views

1.0K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

Contributor , Dec 03, 2015 Dec 03, 2015

I was probably too tired, but I fixed the problem by adding the variable value to the parameter of the URL to call ASP. It's working now. THANKS!

Votes

Translate

Translate
Contributor ,
Dec 03, 2015 Dec 03, 2015

Copy link to clipboard

Copied

Is it possible to pass a value to myTextLoader.load(new URLRequest..) before it loads the data? It seems I can pass value from Javascript to ASP either.

Thanks for the help,

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Contributor ,
Dec 03, 2015 Dec 03, 2015

Copy link to clipboard

Copied

I was probably too tired, but I fixed the problem by adding the variable value to the parameter of the URL to call ASP. It's working now. THANKS!

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
LEGEND ,
Dec 03, 2015 Dec 03, 2015

Copy link to clipboard

Copied

You didn't mention if you were but I would just be very careful when sending any information regarding a database schema over any GET/POST request. Any time I see someone say "pass a column/table/etc name over a request" I want to say you shouldn't do something like that. I just hope you have some validation on your ASP end so you don't end up getting injected.

Glad you resolved your issue. Sorry it's slow, I'm still sleeping late from turkey leftovers!

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Contributor ,
Dec 03, 2015 Dec 03, 2015

Copy link to clipboard

Copied

Thank you for the warning. Although we're using this in our intranet, any more info on "getting injected?" I'm elearning developer so not that familiar with SQL etc... issues.


THANKS!

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
LEGEND ,
Dec 04, 2015 Dec 04, 2015

Copy link to clipboard

Copied

LATEST

My stack doesn't include ASP so I'll just explain the basic principal. As a developer you should always control all of the data you use in such a way that a user cannot do something you didn't intend. One example of that is letting their form data be placed directly into your SQL. Consider:

$sql = 'SELECT * FROM `' . $_POST['tablename'] . '`';

Imagine the trouble you could get into if the user simply changed the form element with the name 'tablename'. They could control what table you read from. Same thing goes overall, regardless if it's a filename you intend to read, a table column, etc. If they can change it, chances are they will.

If you google SQL injection you'll get a lot of tips on exactly how to best protect against it and plenty of examples of what it is, for ASP.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines