
sql injection attack - need help changing ASP code

New Here, Jul 24, 2007


Our web server was attacked yesterday by SQL injection. So I quickly learned about the holes in the code that was generated by Dreamweaver MX 2004.
I found the help article on the Adobe website to fix the ASP code; however, I need more information for my particular case. I don't know how to get my cursor type and location settings into the new code.

MY ORIGINAL CODE

<%
Dim Recordset1
Dim Recordset1_numRows

Set Recordset1 = Server.CreateObject("ADODB.Recordset")
Recordset1.ActiveConnection = MM_Oncology_STRING
Recordset1.Source = "SELECT * FROM dbo.Oncology_Dir WHERE Oncology_ID = " + Replace(Recordset1__MMColParam, "'", "''") + ""
Recordset1.CursorType = 0
Recordset1.CursorLocation = 3
Recordset1.LockType = 1
Recordset1.Open()

Recordset1_numRows = 0
%>

THE NEW CODE, WHICH NEEDS TO BE FIXED TO REFLECT CURSOR TYPE AND LOCATION ABOVE.
<%
Dim Recordset1
Dim Recordset1_cmd
Dim Recordset1_numRows
Set Recordset1_cmd = Server.CreateObject ("ADODB.Command")
Recordset1_cmd.ActiveConnection = MM_Oncology_STRING
Recordset1_cmd.CommandText = "SELECT * FROM dbo.Oncology_Dir WHERE Oncology_ID = ?"
Recordset1_cmd.Prepared = true
Recordset1_cmd.Parameters.Append Recordset1_cmd.CreateParameter("param1", 5, 1, -1, Recordset1__MMColParam) ' adDouble
Set Recordset1 = Recordset1_cmd.Execute
Recordset1_numRows = 0
%>

What exactly is the 5,1,-1 in the code above?

Any help would be very much appreciated as my ASP page (although secured from SQL injection) is not working properly.

Thanks,
--Jen

LEGEND, Jul 24, 2007

The new snippet is not vulnerable to SQL injection. It uses a command
object and actual defined parameters, so you're safe. You cannot change the
cursor type or location on that object.


"jennday" <webforumsuser@macromedia.com> wrote in message
news:f85omh$ngg$1@forums.macromedia.com...
> Our web server was attacked yesterday by SQL injection. So I quickly learned
> about the holes in the code that was generated by Dreamweaver MX 2004.
> I found the help article on the Adobe website to fix the ASP code; however
> I need more information for my particular case. I don't know how to get my
> cursor type and location settings into the new code.
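As an added example (not code from the original thread or from Dreamweaver), the snippet below shows the same parameterised query with the three magic numbers from `CreateParameter` given their ADO constant names, and the command opened through an `ADODB.Recordset` so that the cursor type, cursor location and lock type from the original page can still be set. It assumes that `MM_Oncology_STRING` and `Recordset1__MMColParam` are defined earlier on the page, exactly as in the posted code; the `IsNumeric` check and the constant names are additions for this example.

```vbscript
<%
' ADO constants: these are the values behind the "5, 1, -1" in the question.
Const adDouble = 5           ' DataType of the parameter
Const adParamInput = 1       ' Direction: value flows from ASP into the query
' -1 for Size means "not applicable"; adDouble is a fixed-length type.
' The original page's cursor settings, by name:
Const adOpenForwardOnly = 0  ' CursorType = 0
Const adUseClient = 3        ' CursorLocation = 3
Const adLockReadOnly = 1     ' LockType = 1

Dim Recordset1, Recordset1_cmd, Recordset1_numRows

' Oncology_ID is numeric, so anything that is not a number is rejected before it
' reaches the database. The parameter alone already prevents injection; this is
' defence in depth and gives a clean 400 instead of a provider error.
If Not IsNumeric(Recordset1__MMColParam) Then
  Response.Status = "400 Bad Request"
  Response.End
End If

' Parameterised command: the user value is bound as data, never spliced into SQL text.
Set Recordset1_cmd = Server.CreateObject("ADODB.Command")
Recordset1_cmd.ActiveConnection = MM_Oncology_STRING
Recordset1_cmd.CommandText = "SELECT * FROM dbo.Oncology_Dir WHERE Oncology_ID = ?"
Recordset1_cmd.Prepared = True
Recordset1_cmd.Parameters.Append Recordset1_cmd.CreateParameter( _
  "param1", adDouble, adParamInput, -1, CDbl(Recordset1__MMColParam))

' Instead of Recordset1_cmd.Execute, open a Recordset with the Command as its
' Source. CursorLocation has to be set before Open; when the Source is a Command
' object the ActiveConnection argument is left empty because the recordset
' inherits the command's connection.
Set Recordset1 = Server.CreateObject("ADODB.Recordset")
Recordset1.CursorLocation = adUseClient
Recordset1.Open Recordset1_cmd, , adOpenForwardOnly, adLockReadOnly

Recordset1_numRows = 0
%>
```

Two things to keep in mind when using this pattern: a client-side cursor (`adUseClient`) always yields a static cursor, so ADO silently upgrades `adOpenForwardOnly` to `adOpenStatic` in that case; and the data type passed to `CreateParameter` should match the column type in the table, so if `Oncology_ID` is an integer rather than a float, use `adInteger` (3) with `CLng` instead of `adDouble` and `CDbl`.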