call to ASP module hangs browser


nettask
06-09-2005, 03:43 PM
I am calling an ASP module (from JS) to dynamically rebuild a listbox. I am passing the field (ID), DSN, and the SQL. When I do, my browser freezes. I am new to ASP and would greatly appreciate any help. The mechanics outside of the ASP appear to be working. Thanks in advance. The following is the code:

<% Option Explicit %>
<%
' ADO cursor, lock and command constants are normally pulled in from adovbs.inc;
' under Option Explicit they must be defined or the page fails with "Variable is undefined".
Const adOpenForwardOnly = 0
Const adLockReadOnly = 1
Const adCmdText = 1

Response.Buffer = True
Dim rsX
Dim lcOption
Dim lcField
Dim lcDSN
Dim lcOutput
Dim sQuery      ' was not declared, which is an error under Option Explicit

' All three values, including the SQL text itself, arrive unchecked from the URL
lcDSN = Request.QueryString("dsn")
lcField = Request.QueryString("field")
lcOption = Request.QueryString("option")

Dim objConn
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.ConnectionString = "DSN=" & lcDSN
objConn.Open

Set rsX = Server.CreateObject("ADODB.Recordset")
sQuery = lcOption
rsX.Open sQuery, objConn, adOpenForwardOnly, _
    adLockReadOnly, adCmdText

Response.Write "<SELECT class='details' name='" & lcField & "'><option value='0'></option>"

If Not rsX.EOF Then
    Do Until rsX.EOF
        ' Fields is 0-based, so Fields(1) and Fields(2) are the second and third columns
        Response.Write "<OPTION VALUE='" & rsX.Fields(1).Value & _
            "'>" & rsX.Fields(2).Value & "</OPTION>"
        rsX.MoveNext
    Loop
End If
Response.Write "</SELECT>"
rsX.Close
Set rsX = Nothing
objConn.Close
Set objConn = Nothing
Response.End
%>

nikkiH
06-09-2005, 05:44 PM
How are you calling this?
You're not checking parameter values or anything. That's a hacker's wet dream for many apps, and often the cause of buffer overflows and just plain nasty errors.
A simple null value as one of the params might be mucking this up.

nettask
06-09-2005, 08:32 PM
Thanks for your informed response. I agree with the hacker concern. I could move the SQL to the asp file and not receive it as a URL parameter. Any other suggestions to make it more secure? I don't understand the overflow, null concerns. The problem I can't seem to get by is likely with the database interaction. It appears to be hanging on the attempt to connect. Here is the call to it:

// Assumed function wrapper: the original post began mid-function and ended with a stray brace
function rebuildList(oDestination)
{
var url = '#StoTracURL#GetList.asp?field=cover_supplier_id&dsn=mydsn&option=(SELECT blah blah blah from ....)';
alert(url);
var objData;
if (document.all)
{
objData = new ActiveXObject('Microsoft.XMLHTTP');
objData.open('POST', url, false);   // HTTP verbs are case-sensitive; synchronous request
objData.send();
}
else
{
objData = new XMLHttpRequest();
objData.open('POST', url, false);
objData.send(null);
}
oDestination.innerHTML = objData.responseText;
}

nikkiH
06-09-2005, 08:49 PM
Thanks for your informed response. I agree with the hacker concern. I could move the SQL to the asp file and not receive it as a URL parameter. Any other suggestions to make it more secure? I don't understand the overflow, null concerns.



Here's your issue there:
lcDSN = Request.QueryString("dsn")
lcField = Request.QueryString("field")
lcOption = Request.QueryString("option")

If those parameters are sent, and you don't check what they are, anyone can send anything. If they can figure out what the params are called (often, this is simply checking form names), they can start screwing around and sending random values.
You can see where that can lead.
Now, if no value is sent for "dsn", there is no value for the connection. Null value. Yet you don't check first before trying to open the data source. Whoops.


The problem I can't seem to get by is likely with the database interaction. It appears to be hanging on the attempt to connect.


Did you check what values were getting sent, especially for DSN?
Try taking out all the stuff except a little response.write of the param values to check what it sees.


Here is the call to it:
var url = '#StoTracURL#GetList.asp?field=cover_supplier_id&dsn=mydsn&option=(SELECT blah blah blah from ....)';


Those are querystring params. Yet you send via POST. That should be GET.


if (document.all)
{
var objData = new ActiveXObject('Microsoft.XMLHTTP');
objData.Open('Post', url, false);
objData.Send();
}
else
{
var objData = new XMLHttpRequest();
objData.open('Post', url, false);
objData.send(null);
}
oDestination.innerHTML = objData.responseText;
}

That's not a good way to check object support.
Jim, a big javascript guy over at Usenet, has a much better way. Check it out here.
http://jibbering.com/2002/4/httprequest.html
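A checked version of GetList.asp along the lines nikkiH describes, added here as an example rather than nettask's or nikkiH's code: the browser names a list and a field, the SQL and the DSN stay on the server, and each parameter is tested before the connection is opened. The DSN name "mydsn", the list names and the column names are assumptions.

```vbscript
<% Option Explicit %>
<%
' Added example, not nettask's code: GetList.asp reworked so the browser
' names a list and a field, while the SQL, the DSN and every check stay
' on the server. The DSN "mydsn", list names and columns are assumptions.
Const adOpenForwardOnly = 0
Const adLockReadOnly = 1
Const adCmdText = 1

Dim lcField, lcList, sQuery, objConn, rsX, re
lcField = Trim(Request.QueryString("field") & "")   ' & "" turns a missing param into ""
lcList = Trim(Request.QueryString("list") & "")

' Reject a missing or odd field name before anything touches the database.
Set re = New RegExp
re.Pattern = "^[A-Za-z_][A-Za-z0-9_]{0,63}$"
If Not re.Test(lcField) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid field parameter."
    Response.End
End If

' The client picks a list by name; the query text itself is fixed here.
Select Case LCase(lcList)
    Case "suppliers"
        sQuery = "SELECT supplier_id, supplier_name FROM suppliers ORDER BY supplier_name"
    Case "carriers"
        sQuery = "SELECT carrier_id, carrier_name FROM carriers ORDER BY carrier_name"
    Case Else
        Response.Status = "400 Bad Request"
        Response.Write "Unknown list."
        Response.End
End Select

Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open "DSN=mydsn"   ' fixed on the server, never read from the URL
Set rsX = Server.CreateObject("ADODB.Recordset")
rsX.Open sQuery, objConn, adOpenForwardOnly, adLockReadOnly, adCmdText

Response.Write "<SELECT class='details' name='" & lcField & "'><option value='0'></option>"
Do Until rsX.EOF
    ' Fields is 0-based; & "" turns a NULL into ""; HTMLEncode keeps data from becoming markup
    Response.Write "<OPTION VALUE='" & Server.HTMLEncode(rsX.Fields(0).Value & "") & "'>" & _
        Server.HTMLEncode(rsX.Fields(1).Value & "") & "</OPTION>"
    rsX.MoveNext
Loop
Response.Write "</SELECT>"
rsX.Close: Set rsX = Nothing
objConn.Close: Set objConn = Nothing
%>
```

The client then requests it with GET, as nikkiH notes, e.g. GetList.asp?field=cover_supplier_id&list=suppliers, and no SQL or DSN travels in the URL.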