Quote:
|
Originally Posted by nettask
Thanks for your informed response. I agree with the hacker concern. I could move the SQL to the asp file and not receive it as a URL parameter. Any other suggestions to make it more secure? I don't understand the overflow and null concerns.
|
Here's your issue there:
lcDSN = Request.QueryString("dsn")
lcField = Request.QueryString("field")
lcOption = Request.QueryString("option")
If those parameters are sent, and you don't check what they are, anyone can send anything. If they can figure out what the params are called (often, this is simply checking form names), they can start screwing around and sending random values.
You can see where that can lead.
Now, if no value is sent for "dsn", there is no value for the connection. Null value. Yet you don't check first before trying to open the data source. Whoops.
Quote:
|
Originally Posted by nettask
The problem I can't seem to get by is likely with the database interaction. It appears to be hanging on the attempt to connect.
|
Did you check what values were getting sent, especially for DSN?
Try taking out all the stuff except a little response.write of the param values to check what it sees.
Quote:
|
Originally Posted by nettask
Here is the call to it:
var url = '#StoTracURL#GetList.asp?field=cover_supplier_id&dsn=mydsn&option=(SELECT blah blah blah from ....)';
|
Those are querystring params. Yet you send via POST. That should be GET.
Quote:
|
Originally Posted by nettask
// Branches on document.all (an IE-only property) instead of testing for the request object itself.
if (document.all)
{
var objData = new ActiveXObject('Microsoft.XMLHTTP');
// Synchronous (third argument false) POST, although url carries querystring parameters.
objData.Open('Post', url, false);
objData.Send();
}
else
{
var objData = new XMLHttpRequest();
objData.open('Post', url, false);
objData.send(null);
}
oDestination.innerHTML = objData.responseText;
} // closes the enclosing function, whose header is not shown in the quote
|
That's not a good way to check object support.
Jim, a big javascript guy over at Usenet, has a much better way. Check it out here.
http://jibbering.com/2002/4/httprequest.html
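The earlier point about the three unchecked querystring parameters (dsn, field, option) and the null DSN, shown as server-side validation logic. This is an added example, not code from the thread: it is written in JavaScript (which classic ASP can run as JScript, though here it is plain Node so it can be tried standalone), and the names ALLOWED_DSNS, ALLOWED_FIELDS, NAMED_QUERIES, parseQueryString and validateListRequest are assumptions for illustration. The idea is the one nettask floated: SQL never arrives in the URL; the client sends a short key and the server maps it to SQL it wrote itself, and nothing is opened until every parameter has passed.

```javascript
// Added example (not from the thread). Validates GetList.asp-style parameters
// before any data source is touched. All list contents are assumed/constructed.

// Data source names this page is permitted to open (assumed allow-list).
const ALLOWED_DSNS = new Set(['mydsn']);

// Column names the caller may ask for (assumed allow-list).
const ALLOWED_FIELDS = new Set(['cover_supplier_id', 'supplier_name']);

// The "option" parameter becomes a key, not SQL; the server owns the SQL text.
const NAMED_QUERIES = {
  suppliers_active: 'SELECT supplier_id FROM suppliers WHERE active = 1',
  suppliers_all: 'SELECT supplier_id FROM suppliers',
};

// Mimics Request.QueryString: last value wins for a repeated key.
// Object.create(null) keeps keys like "__proto__" from touching the prototype.
function parseQueryString(qs) {
  const params = Object.create(null);
  for (const [k, v] of new URLSearchParams(qs)) {
    params[k] = v;
  }
  return params;
}

// Returns { ok: true, dsn, field, sql } when every parameter is acceptable,
// otherwise { ok: false, error } so the caller never reaches the connection step.
function validateListRequest(qs) {
  const p = parseQueryString(qs);

  // Null/empty DSN is refused here, not discovered while opening the data source.
  if (!p.dsn) return { ok: false, error: 'dsn missing' };
  if (!ALLOWED_DSNS.has(p.dsn)) return { ok: false, error: 'dsn not allowed' };

  if (!p.field) return { ok: false, error: 'field missing' };
  if (!ALLOWED_FIELDS.has(p.field)) return { ok: false, error: 'field not allowed' };

  // Anything that is not a known key (for example a SELECT statement) is rejected.
  if (!p.option) return { ok: false, error: 'option missing' };
  if (!Object.prototype.hasOwnProperty.call(NAMED_QUERIES, p.option)) {
    return { ok: false, error: 'option not allowed' };
  }

  return { ok: true, dsn: p.dsn, field: p.field, sql: NAMED_QUERIES[p.option] };
}

// Usage: the page would call this with Request.QueryString's raw text and
// only open the DSN when result.ok is true.
const result = validateListRequest('field=cover_supplier_id&dsn=mydsn&option=suppliers_active');
console.log(result);
```

A rejected request should get a plain error response and a log line with the offending parameter name; echoing the raw value back into the HTML would just create a second problem.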
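On the last point, the object-support check: an added example (not the thread's code and not a copy of the jibbering page) of detecting the request object by trying to construct it, rather than branching on document.all. Passing the global object in as `root`, and the names createRequest and XMLHTTP_PROGIDS, are assumptions made so the function can be exercised outside a browser; in a page you would call createRequest(window).

```javascript
// Added example (not from the thread): feature detection by construction.
// ProgIDs are the usual MSXML names; the order (native first) is a design choice.
const XMLHTTP_PROGIDS = ['Msxml2.XMLHTTP', 'Microsoft.XMLHTTP'];

// root: the global object (window in a browser). Returns a request object or
// null when none is available, so the caller can degrade instead of throwing.
function createRequest(root) {
  // Native object first; present in every current browser.
  if (typeof root.XMLHttpRequest === 'function') {
    try { return new root.XMLHttpRequest(); } catch (e) { /* fall through */ }
  }
  // Older IE exposes it only as an ActiveX control; any ProgID may be missing.
  if (typeof root.ActiveXObject !== 'undefined') {
    for (const progId of XMLHTTP_PROGIDS) {
      try { return new root.ActiveXObject(progId); } catch (e) { /* try next */ }
    }
  }
  return null;
}

// Usage in a page: var req = createRequest(window); if (req) { req.open('GET', url, true); ... }
```

The point of the try/catch chain is that nothing about the browser's identity is assumed; the code asks for the object and accepts the first one that actually comes back.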