Advanced SQL builder not working

Report · Aug 04, 2008

Hi all, I'm a Network administrator put in charge of web development at our small company, and i am working on what should be a fairly simple application for management of a MSSQL database using ASP/Jscript.

Using Dreamweaver CS3, i am for some reason unable to successfully build a search function for the database using the built in tools.

I have a page with 2 form entries, a list box with Column names (SearchBy), and a text field for the search terms(SearchFor). I've tired several different incarnations using my limited knowledge of asp, and none will work right.

I know the connection is solid and working. If i use static terms in the sql it brings everything up fine.

Here is a copy of the Dreamweaver generated code that was built using the Advanced Recordset builder tool. Can anyone help point out what's going wrong?

Report · Aug 04, 2008

Roflmeow wrote:
> Hi all, I'm a Network administrator put in charge of web development at our
> small company, and i am working on what should be a fairly simple application
> for management of a MSSQL database using ASP/Jscript.
>
> Using Dreamweaver CS3, i am for some reason unable to successfully build a
> search function for the database using the built in tools.
>
> I have a page with 2 form entries, a list box with Column names (SearchBy),
> and a text field for the search terms(SearchFor). I've tired several different
> incarnations using my limited knowledge of asp, and none will work right.
>
> I know the connection is solid and working. If i use static terms in the sql
> it brings everything up fine.
>
> Here is a copy of the Dreamweaver generated code that was built using the
> Advanced Recordset builder tool. Can anyone help point out what's going wrong?

Are you passing the name of the column to be searched into the query? I
am sorry to say, this feature was removed due to security issues with
this method.

Steve

Report · Aug 04, 2008

It's fully updated, and this code is said to be safe from sql injection, due to the using of Parameters instead of using the calls directly from the form, this is dreamweaver CS3.

I am passing a Column name, and search term from a form to the recordset for filtering.

In either case, the form is pasword protected and used by employees only.

Report · Aug 05, 2008

Roflmeow wrote:
> It's fully updated, and this code is said to be safe from sql injection, due to
> the using of Parameters instead of using the calls directly from the form, this
> is dreamweaver CS3.
>
> I am passing a Column name, and search term from a form to the recordset for
> filtering.
>
> In either case, the form is pasword protected and used by employees only.

As I said, the ability to pass the column name into the query was
removed as its a security issue. You can not do this. Its called dynamic
sql and is not allowed in Dreamweaver recordsets. You can hand code it
if you want this ability.

Steve

Report · Aug 05, 2008

I'll assume i need to work around this issue then.

Should be easy enough to jscript the list box to dynamically change the action of the form, which will submit it to differing results pages with the column name hard-coded in each.

I'd hope that this does not also remove the ability to use the text box to dynamically update the search term in the sql from the form as well. Otherwise what point does it serve at all in the program.

Report · Aug 05, 2008

Roflmeow wrote:
> I'll assume i need to work around this issue then.
>
> Should be easy enough to jscript the list box to dynamically change the action
> of the form, which will submit it to differing results pages with the column
> name hard-coded in each.

Sounds like a plan to me.

Steve