I need to display data based on the column name. The name is captured from the URL parameter and passed to Flash with JavaScript.
Flash retrieves it with:
var varMedia = ExternalInterface.call("getParameter1");
Then I use the following function to retrieve and display the data:
function displayRatingOnSQL():void
{
    var myTextLoader:URLLoader = new URLLoader();
    // The ASP page answers with name=value pairs, so parse the response as URL variables
    myTextLoader.dataFormat = URLLoaderDataFormat.VARIABLES;
    myTextLoader.addEventListener(Event.COMPLETE, onLoaded);
    function onLoaded(e:Event):void
    {
        var tAverage:String = e.target.data.Average;
        var tTotalVotes:String = e.target.data.TotalVotes;
        var tTotalRate1:String = e.target.data.star1;
        var tTotalRate2:String = e.target.data.star2;
        var tTotalRate3:String = e.target.data.star3;
        var tTotalRate4:String = e.target.data.star4;
        var tTotalRate5:String = e.target.data.star5;
        var temp:String = tTotalRate5 + "\n" + tTotalRate4 + "\n" + tTotalRate3 + "\n" + tTotalRate2 + "\n" + tTotalRate1;
        totalForEachStar.text = temp;
        tAve.text = tAverage;
        totalVotes.text = "(" + tTotalVotes + ")";
    }
    // The random qs value only defeats caching; note that varMedia is not part of this request
    var extraString:Number = Math.random();
    myTextLoader.load(new URLRequest("http://dntin1web01/tpas/SQL/GniePageRatePageRead.asp?qs=" + extraString));
}
In the ASP page, I have the following to pick up the name of the column to extract data from:
Dim tPageMedia
tPageMedia = Request.Form("varMedia")
Then I try to use the following to retrieve it:
SQL = SQL & "WHERE ( [PageName] = " & "'" & tPageMedia & "') "
I got nothing. It works if I put a hard-coded name in place of the dynamic one.
How can I pass varMedia to the ASP page? The variable in JavaScript is var1.
Is it possible to pass a value to myTextLoader.load(new URLRequest...) before it loads the data? It seems I can't pass a value from JavaScript to ASP either.
Thanks for the help,
I was probably too tired, but I fixed the problem by adding the variable value to the parameter of the URL to call ASP. It's working now. THANKS!
You didn't mention if you were, but I would just be very careful when sending any information regarding a database schema over any GET/POST request. Any time I see someone say "pass a column/table/etc. name over a request" I want to say you shouldn't do something like that. I just hope you have some validation on your ASP end so you don't end up getting injected.
Glad you resolved your issue. Sorry it's slow, I'm still sleeping late from turkey leftovers!
Thank you for the warning. Although we're using this on our intranet, any more info on "getting injected"? I'm an e-learning developer, so I'm not that familiar with SQL etc. issues.
THANKS!
My stack doesn't include ASP, so I'll just explain the basic principle. As a developer you should always control all of the data you use in such a way that a user cannot do something you didn't intend. One example of that is letting their form data be placed directly into your SQL. Consider:
$sql = 'SELECT * FROM `' . $_POST['tablename'] . '`';
Imagine the trouble you could get into if the user simply changed the form element with the name 'tablename'. They could control what table you read from. The same thing goes overall, regardless of whether it's a filename you intend to read, a table column, etc. If they can change it, chances are they will.
If you Google "SQL injection" you'll get a lot of tips on exactly how best to protect against it, and plenty of examples of what it is, for ASP.
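The two warnings above (the reply about passing column or table names over a request, and the explanation of form data spliced into SQL) can be seen end to end with a small runnable demonstration. This is an added example, not code from the thread or from anyone in it: SQLite stands in for the ASP/SQL back end, the table name PageRatings and its rows are constructed, and only PageName, Average and TotalVotes are names the thread's own code uses. The unsafe function reproduces the thread's `WHERE ( [PageName] = '...')` pattern; the safe ones bind the page name as a parameter and, because identifiers cannot be bound, check a request-supplied column name against a fixed allowlist.

```python
import sqlite3

# Added example, not code from the thread. SQLite stands in for the ASP/SQL
# back end; the table PageRatings and its rows are constructed sample data.
# PageName, Average and TotalVotes are the names the thread's Flash code reads.
def make_db():
    """Build an in-memory rating table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE PageRatings (PageName TEXT, Average REAL, TotalVotes INTEGER)"
    )
    conn.executemany(
        "INSERT INTO PageRatings VALUES (?, ?, ?)",
        [("intro", 4.5, 12), ("module1", 3.2, 7), ("what's new", 4.9, 40)],
    )
    return conn


def read_rating_unsafe(conn, page_name):
    """Same pattern as the thread's ASP line: the value is spliced into the SQL text."""
    sql = (
        "SELECT PageName, Average, TotalVotes FROM PageRatings "
        "WHERE ( [PageName] = '" + page_name + "') "
    )
    return conn.execute(sql).fetchall()


def read_rating_safe(conn, page_name):
    """Bound parameter: the database never parses page_name as SQL."""
    sql = (
        "SELECT PageName, Average, TotalVotes FROM PageRatings "
        "WHERE ( [PageName] = ? )"
    )
    return conn.execute(sql, (page_name,)).fetchall()


# Identifiers (column/table names) cannot be bound as parameters, so a
# request-supplied column name must be matched against a fixed allowlist
# before it is ever placed in SQL text.
ALLOWED_COLUMNS = frozenset({"Average", "TotalVotes"})


def read_column_safe(conn, column, page_name):
    """Select one allowlisted column for a page; reject any other identifier."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed: %r" % column)
    sql = "SELECT [%s] FROM PageRatings WHERE [PageName] = ?" % column
    row = conn.execute(sql, (page_name,)).fetchone()
    return None if row is None else row[0]


if __name__ == "__main__":
    db = make_db()
    print(read_rating_unsafe(db, "intro"))            # the one matching row
    print(read_rating_unsafe(db, "x' OR '1'='1"))     # every row: the WHERE clause was rewritten
    try:
        read_rating_unsafe(db, "what's new")          # a legitimate apostrophe breaks the splice
    except sqlite3.Error as err:
        print("unsafe query failed:", err)
    print(read_rating_safe(db, "x' OR '1'='1"))       # []: treated as a literal page name
    print(read_rating_safe(db, "what's new"))         # apostrophe is harmless when bound
    print(read_column_safe(db, "Average", "intro"))   # 4.5
    try:
        read_column_safe(db, "Average FROM PageRatings; --", "intro")
    except ValueError as err:
        print("rejected:", err)
```

The same two rules carry over to classic ASP: pass the page name through an ADODB.Command parameter rather than string concatenation, and never let a request value choose the column or table except by matching it against names you wrote yourself.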