Asp+ XML

 
 
Charissa
 
      08-07-2003
I have some ASP code which is used to extract data in XML form, but it seems
like the data cannot be extracted from the database. Could anyone tell
me the problem with this code?


<%@ Language=VBScript %>
<% Response.Buffer = True %>

<%
username = Request.Cookies("SecondHand")("username")
password = Request.Cookies("SecondHand")("password")
%>
<%
Response.ContentType = "text/xml"

Dim cnnNorthWind, rsReturn
Dim sSQLStatement

sSQLStatement = "SELECT * FROM members where password = '" & Request.Cookies("SecondHand")("password") & "' "

On Error Resume Next
Set cnnNorthWind = Server.CreateObject("ADODB.Connection")
cnnNorthWind.ConnectionString = "DSN=db1"
cnnNorthWind.CursorLocation = 3
cnnNorthWind.Open
Set rsReturn = cnnNorthWind.Execute(sSQLStatement)
Set cnnNorthWind = Nothing

If Err.number <> 0 Then
    Response.Write "<Error>" & vbNewLine
    Response.Write vbTab & "<Description>" & Err.Description & "</Description>" & vbNewLine
    Response.Write "</Error>" & vbNewLine
    Response.End
End If

Response.Write "<?xml version='1.0' encoding='ISO-8859-1'?><?xml-stylesheet type='text/xsl' href='member.xsl' version='1.0' encoding='ISO-8859-1'?> " & vbNewLine
Response.Write "<members>" & vbNewLine

While Not rsReturn.EOF
    Response.Write vbTab & vbTab & "<member_name>" & rsReturn("member_name") & "</member_name>" & vbNewLine
    Response.Write vbTab & vbTab & "<username>" & rsReturn("username") & "</username>" & vbNewLine
    Response.Write vbTab & vbTab & "<password>" & rsReturn("password") & "</password>" & vbNewLine
    Response.Write vbTab & vbTab & "<email>" & rsReturn("email") & "</email>" & vbNewLine
    Response.Write vbTab & vbTab & "<contact_no>" & rsReturn("contact_no") & "</contact_no>" & vbNewLine
    Response.Write vbTab & vbTab & "<usertype>" & rsReturn("usertype") & "</usertype>" & vbNewLine

    Response.Flush

    rsReturn.MoveNext
Wend

Response.Write "</members>"
Set rsReturn = Nothing
%>
 
Steven Dilley
 
      08-07-2003
"Charissa" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I have some ASP code which is used to extract data in XML form, but it seems
> like the data cannot be extracted from the database. Could anyone tell
> me the problem with this code?
>
> sSQLStatement = "SELECT * FROM members where password =
> '"&Request.Cookies("SecondHand")("password")&"' "
>


Have you tried "Select * from members for XML auto"?

--
Steve

 
Andy Dingley
      08-07-2003
On 7 Aug 2003 07:38:53 -0700, (E-Mail Removed) (Charissa)
wrote:

>I have some ASP code which is used to extract data in XML form, but it seems
>like the data cannot be extracted from the database.


So what does it do ? Throw an error ? Return an empty recordset ?

>Could anyone tell me the problem with this code?


><%@ Language=VBScript %>


VBScript sucks. Switch to JScript (M$oft's JavaScript) You'll be
grateful in the long run. Much better error handling, same language
you'll be coding on the clients, and regexes are better integrated
with the language.

><%
>username = Request.Cookies("SecondHand")("username")
>password = Request.Cookies("SecondHand")("password")
>%>


Chucking passwords around in cookies isn't the best code in the world,
but it ought to do something for the minute.


>Response.ContentType = "text/xml"


Don't set .ContentType too early. You might want to return a text
error message.


>sSQLStatement = "SELECT * FROM members where password = '" & Request.Cookies("SecondHand")("password") & "' "


This is nasty. What happens if two users have the same password ?

Secondly, the password is "tainted". You've just pulled it from the
cookies collection, so it could have almost anything in it. What
happens when 3V1L H4XX0R D00D embeds some SQL in there and uses it to
read chunks of your database ?

Keep the "user filter parameter" (i.e. username) in a string
variable. Load it from the cookie (or whatever) early on, then
untaint it. Check the length, check the allowed character set, force
it to uppercase (or whatever). Then use this string variable to
build your SQL.

NEVER build dynamic SQL directly from user-supplied and unchecked
random stuff. Go search comp.risks for "buffer overflow attacks" if
you want the horror stories.

And don't build dynamic SQL anyway, especially not for user
validation. Use a stored query with a parameter.



>cnnNorthWind.ConnectionString = "DSN=db1"


Don't know about this - Do you really have such a DSN set up, and is
it working ?


>cnnNorthWind.CursorLocation = 3


I've no idea what this means (it's years since I wrote ASP code).
You don't need it for trivial examples, because the default should
work fine.

If you use the enum constants instead, I'd know what it meant
http://msdn.microsoft.com/library/de...aenumac_13.asp


>Set rsReturn = cnnNorthWind.Execute(sSQLStatement)


>Set cnnNorthWind = Nothing


Why ?

>If Err.number <> 0 Then
> Response.Write "<Error>" & vbNewLine
> Response.Write vbTab & "<Description>" & Err.Description & _
> "</Description>" & vbNewLine
> Response.Write "</Error>" & vbNewLine


What's with the "<Error>" ? This isn't XML - you haven't written the
prolog yet.

If it dies at this level, just write its obituary as text.

> Response.End


Using Response.End in the middle of a page makes for unsupportable
code. Think "structured programming" - the concept is only 30-odd
years old.



>Response.Write "<?xml version='1.0' encoding='ISO-8859-1'?><?xml-stylesheet type='text/xsl' href='member.xsl' version='1.0' encoding='ISO-8859-1'?> " & vbNewLine


This is just _WRONG_

Use a fecking DOM, don't write XML explicitly. NEVER !!!!

ASP is pretty sucky in places, but ADO and MSXML are the best things
about it - use them.


> "</member_name>" & vbNewLine
> Response.Write vbTab & vbTab & "<username>" & rsReturn("username") &


Don't return SQL text fields directly to a HTTP Response. Look at
Server.HTMLEncode()


> "</username>" & vbNewLine
> Response.Write vbTab & vbTab & "<password>" & rsReturn("password") & "</password>" & vbNewLine


Returning plaintext passwords isn't good practice.

>
> Response.Flush


.Flush() is evil. Don't do it unless you have to.

>
> rsReturn.MoveNext
>Wend
>
>Response.Write "</members>"
>Set rsReturn = Nothing
>%>



I can't see anything obviously wrong with this, and you mis-posted it
to an XML group.

I suggest you change the SQL and see what happens.
Try "SELECT * FROM members" and see if you can get it to return you
the whole lot. Then fix the querying problem, or see if you really
have anything in the cookie that you're expecting.


I suspect the cookie is empty. You should test for this and squawk
about it if it is.
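The hardened page that the advice above adds up to (untaint the cookie value once, bind it as a query parameter instead of pasting it into the SQL, build the output with the MSXML DOM so column values are escaped for you, never select or echo the password, and decide the content type only when you know which response is going out), as an added example that is not code from the thread. It assumes the DSN "db1" and the "members" table and columns from Charissa's post, a "SecondHand" cookie carrying "username", and that members are looked up by username rather than by password; each row is wrapped in a <member> element, where the original wrote the columns straight under <members>. The ADO constants are written out because a bare ASP page has no adovbs.inc included.

```vbscript
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' Added example, not code from the original post. Assumes the DSN "db1" and
' the "members" table from the question, a cookie "SecondHand" that carries
' "username", and that rows are selected by username (not by password).
Const adCmdText    = 1      ' ADO constants written out: no adovbs.inc here
Const adVarChar    = 200
Const adParamInput = 1
Const USERNAME_MAX = 32

' Untaint the cookie value once: bound the length, restrict the character
' set, and use only the checked copy from here on.
Function CleanUsername(raw)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_]{1," & USERNAME_MAX & "}$"
    If re.Test(raw & "") Then
        CleanUsername = raw & ""
    Else
        CleanUsername = ""
    End If
End Function

' Run the lookup with the username bound as a parameter and return the
' result as an MSXML document, one <member> element per row. The DOM
' escapes <, & and quotes in column values; the password column is never
' selected, so it cannot leak into the response.
Function MembersDocument(cleanUser)
    Dim cnn, cmd, rs, doc, root, member, node, fld
    Set cnn = Server.CreateObject("ADODB.Connection")
    cnn.Open "DSN=db1"

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cnn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT member_name, username, email, contact_no, usertype " & _
                      "FROM members WHERE username = ?"
    cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, USERNAME_MAX, cleanUser)
    Set rs = cmd.Execute

    Set doc = Server.CreateObject("MSXML2.DOMDocument")
    doc.appendChild doc.createProcessingInstruction("xml", "version='1.0' encoding='ISO-8859-1'")
    doc.appendChild doc.createProcessingInstruction("xml-stylesheet", "type='text/xsl' href='member.xsl'")
    Set root = doc.createElement("members")
    doc.appendChild root

    Do Until rs.EOF
        Set member = doc.createElement("member")
        For Each fld In rs.Fields
            Set node = doc.createElement(fld.Name)
            node.text = fld.Value & ""      ' Null becomes an empty element
            member.appendChild node
        Next
        root.appendChild member
        rs.MoveNext
    Loop

    rs.Close
    cnn.Close
    Set MembersDocument = doc
End Function

Dim username
username = CleanUsername(Request.Cookies("SecondHand")("username"))

' No Response.End: one If/Else decides which of the two responses goes out,
' and ContentType is set only once we know which one it is.
If username = "" Then
    Response.Status = "400 Bad Request"
    Response.ContentType = "text/plain"
    Response.Write "Missing or invalid SecondHand username cookie."
Else
    Response.ContentType = "text/xml"
    Response.Charset = "ISO-8859-1"
    Response.Write MembersDocument(username).xml
End If
%>
```

A missing or malformed cookie (the empty-cookie case suspected above included) produces a readable plain-text 400 before any XML is started, rather than a half-written document. A cookie value such as ' OR '1'='1 never reaches the SQL text at all: it fails the character-set check, and even if the check were relaxed it would travel to the driver as a bound parameter value and match no username. Errors from ADO are deliberately not swallowed with On Error Resume Next, so a bad DSN surfaces as an ASP error page instead of an empty <members> element.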



 