  1. #1 nettask (New to the CF scene), Join Date Jun 2005, Posts 2

    call to ASP module hangs browser

    I am calling an ASP module (from JS) to dynamically rebuild a listbox. I am passing the field (ID), DSN, and the SQL. When I do, my browser freezes. I am new to ASP and would greatly appreciate any help. The mechanics outside of the ASP appear to be working. Thanks in advance. The following is the code:

```vbscript
<% Option Explicit %>
<%
' ADO constants normally come from adovbs.inc; declared here so that
' Option Explicit does not reject them as undefined names
Const adOpenForwardOnly = 0
Const adLockReadOnly = 1
Const adCmdText = 1

Response.Buffer = True
Dim rsX
Dim lcOption
Dim lcField
Dim lcDSN
Dim lcOutput
Dim sQuery   ' was never declared, which Option Explicit rejects at runtime

' DSN, field name and the SQL text itself are taken straight from the
' query string with no checking (see the replies below)
lcDSN = Request.QueryString("dsn")
lcField = Request.QueryString("field")
lcOption = Request.QueryString("option")

Dim objConn
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.ConnectionString = "DSN=" & lcDSN
objConn.Open

Set rsX = Server.CreateObject("ADODB.Recordset")
sQuery = lcOption
rsX.Open sQuery, objConn, adOpenForwardOnly, _
    adLockReadOnly, adCmdText

Response.Write "<SELECT class='details' name='" & lcField & "'><option value='0'></option>"

' Fields is zero-based, so Fields(1) and Fields(2) are the second and third
' columns of the result; a two-column SELECT would fail on Fields(2)
Do Until rsX.EOF
    Response.Write "<OPTION VALUE='" & rsX.Fields(1).Value & _
        "'>" & rsX.Fields(2).Value & "</OPTION>"
    rsX.MoveNext
Loop
Response.Write "</SELECT>"
rsX.Close
Set rsX = Nothing
objConn.Close
Set objConn = Nothing
Response.End
%>
```

  • #2 nikkiH (Senior Coder), Near Chicago, IL, USA, Join Date Jun 2005, Posts 1,973
    How are you calling this?
    You're not checking parameter values or anything. That's a hacker's wet dream for many apps, and often the cause of buffer overflows and just plain nasty errors.
    A simple null value as one of the params might be mucking this up.

    If this post contains any code, I may or may not have tested it. It's probably just example code, so no getting knickers in a bunch over a typo, OK? If it doesn't have basic error checking in it, such as object detection or checking if objects are null before using them, put that in there. I'm giving examples, not typing up your whole app for you. You run code at your own risk.
    Bored? Visit
    http://www.kaelisspace.com/

  • #3 nettask (New to the CF scene), Join Date Jun 2005, Posts 2
    Thanks for your informed response. I agree with the hacker concern. I could move the SQL to the asp file and not receive it as a URL parameter. Any other suggestions to make it more secure? I don't understand the overflow, null concerns. The problem I can't seem to get by is likely with the database interaction. It appears to be hanging on the attempt to connect. Here is the call to it:

```javascript
// Fragment of the calling function: the trailing brace in the post belonged
// to an enclosing function, so it is wrapped as one here. #StoTracURL# is
// presumably expanded server-side; oDestination is the element to fill.
function getList(oDestination)
{
    var url = '#StoTracURL#GetList.asp?field=cover_supplier_id&dsn=mydsn&option=(SELECT blah blah blah from ....)';
    alert(url);
    var objData;
    if (document.all)
    {
        objData = new ActiveXObject('Microsoft.XMLHTTP');
        objData.Open('Post', url, false);
        objData.Send();
    }
    else
    {
        objData = new XMLHttpRequest();
        objData.open('Post', url, false);
        objData.send(null);
    }
    oDestination.innerHTML = objData.responseText;
}
```

  • #4 nikkiH (Senior Coder), Near Chicago, IL, USA, Join Date Jun 2005, Posts 1,973
    Quote Originally Posted by nettask
    Thanks for your informed response. I agree with the hacker concern. I could move the SQL to the asp file and not receive it as a URL parameter. Any other suggestions to make it more secure? I don't understand the overflow, null concerns.
    Here's your issue there:
    lcDSN = Request.QueryString("dsn")
    lcField = Request.QueryString("field")
    lcOption = Request.QueryString("option")

    If those parameters are sent, and you don't check what they are, anyone can send anything. If they can figure out what the params are called (often, this is simply checking form names), they can start screwing around and sending random values.
    You can see where that can lead.
    Now, if no value is sent for "dsn", there is no value for the connection. Null value. Yet you don't check first before trying to open the data source. Whoops.

    Quote Originally Posted by nettask
    The problem I can't seem to get by is likely with the database interaction. It appears to be hanging on the attempt to connect.
    Did you check what values were getting sent, especially for DSN?
    Try taking out all the stuff except a little response.write of the param values to check what it sees.

    Quote Originally Posted by nettask
    Here is the call to it:
    var url = '#StoTracURL#GetList.asp?field=cover_supplier_id&dsn=mydsn&option=(SELECT blah blah blah from ....)';
    Those are querystring params. Yet you send via POST. That should be GET.

    Quote Originally Posted by nettask
    if (document.all)
    {
    var objData = new ActiveXObject('Microsoft.XMLHTTP');
    objData.Open('Post', url, false);
    objData.Send();
    }
    else
    {
    var objData = new XMLHttpRequest();
    objData.open('Post', url, false);
    objData.send(null);
    }
    oDestination.innerHTML = objData.responseText;
    }
    That's not a good way to check object support.
    Jim, a big javascript guy over at Usenet, has a much better way. Check it out here.
    http://jibbering.com/2002/4/httprequest.html

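    A hardened GetList.asp along the lines nikkiH describes, as an added example that is not code from the thread: the DSN and the SQL stay on the server, "field" is checked against an allowlist, an assumed numeric "parent" filter is bound as an ADO parameter, and a missing value is rejected up front rather than reaching ADO as Null. The table and column names (suppliers, supplier_id, supplier_name, region_id) and the "parent" parameter are assumed placeholders.

```vbscript
<% Option Explicit %>
<%
' Hardened GetList.asp (added example, not the thread's code): DSN and SQL
' are fixed server-side; the client only names the list ("field", checked
' against an allowlist) and gives a numeric filter bound as an ADO parameter.
' Table and column names and the "parent" parameter are assumed placeholders.
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1
Response.Buffer = True
Dim lcField, lcParent, sQuery
lcField = LCase(Trim(Request.QueryString("field")))
lcParent = Trim(Request.QueryString("parent"))
' Map each permitted listbox name to its own query; anything else is rejected.
Select Case lcField
    Case "cover_supplier_id"
        sQuery = "SELECT supplier_id, supplier_name FROM suppliers " & _
                 "WHERE region_id = ? ORDER BY supplier_name"
    Case Else
        Response.Status = "400 Bad Request"
        Response.Write "Unknown list requested."
        Response.End
End Select
' A missing or non-numeric filter is rejected here, not handed to ADO as Null.
If lcParent = "" Or Not IsNumeric(lcParent) Then
    Response.Status = "400 Bad Request"
    Response.Write "Missing or invalid parent value."
    Response.End
End If
Dim objConn, objCmd, rsX
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open "DSN=mydsn"   ' fixed here, never read from the request
Set objCmd = Server.CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandType = adCmdText
objCmd.CommandText = sQuery
objCmd.Parameters.Append objCmd.CreateParameter("region", adInteger, adParamInput, , CLng(lcParent))
Set rsX = objCmd.Execute
' Fields(0)/(1) are the first two columns; HTML-encode both before writing.
Response.Write "<select class='details' name='" & Server.HTMLEncode(lcField) & "'><option value='0'></option>"
Do Until rsX.EOF
    Response.Write "<option value='" & Server.HTMLEncode(rsX.Fields(0).Value & "") & "'>" & _
                   Server.HTMLEncode(rsX.Fields(1).Value & "") & "</option>"
    rsX.MoveNext
Loop
Response.Write "</select>"
rsX.Close: Set rsX = Nothing
objConn.Close: Set objConn = Nothing
%>
```

    Called with GET as nikkiH suggests (GetList.asp?field=cover_supplier_id&parent=5), a bad field or missing parent now returns a 400 instead of opening a connection with an empty DSN.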