I am working on some legacy code that is written in Classic ASP / VBSCript.
The code handles the data submitted via a HTML form, and breaks on the following line.
' Get all input questions
Set inputQuestions = getListOfInputQuestionsForPage("additional")
The function getListOfInputQuestionsForPage(pageName) is defined as follows:
Function getListOfInputQuestionsForPage(pageName)
' Instantiate Command
Set objCommand = Server.CreateObject("ADODB.Command")
' Inform Command what Connection to use.
Set objCommand.ActiveConnection = myConn
' SQL Query to run
objCommand.CommandText = "SELECT QUESTION_TABLE.PK_QUESTION AS ""QUESTION_ID"", QUESTION_TABLE.QUESTION AS ""QUESTION"", QUESTION_TABLE.INPUT_TYPE AS ""TYPE"", QUESTION_TABLE.IS_FOR_ALL_CUSTOMERS AS ""FOR_ALL_CUSTOMERS"" FROM QUESTION_TABLE WHERE QUESTION_TABLE.DISPLAY_PAGE = '" & pageName & "' ORDER BY PK_QUESTION ASC"
' Execute SQL and return result
Set getListOfInputQuestionsForPage = objCommand.Execute()
End Function
I find it strange that I am getting the following error:
Microsoft VBScript runtime error '800a000d'
Type mismatch: 'getListOfInputQuestionsForPage'
/site/path_to_file/edit_additional.asp, line 110
All I am doing is trying to grab some data from the database. And I know the data exists and a RecordSet is returned.
The error threw me off. The reason why it wasn't working was because the function getListOfInputQuestionsForPage(pageName) did not exist on the same page, and I had to include the file that contained the function definition, which now is very obvious, but because the error is so weird for what I'm trying to do (type mismatch) ... I did not think of that reason at all.
So in short, make sure your classic asp file knows about that function, ie has a link to the file containing the function, or the function is defined in the same file.
Related
I am doing a project for my school and I am task to debug all of the issues found using the application call HPE Fortify. The report generated by the application only indicates the code below prone to SQL injection:
String sql = " select Distinct p1.desc1,p2.desc2 from parameter p1"
+" inner join parameter p2"
+" on p1.ParaCode1='CR_DERIVE' and p1.ParaCode2=p2.Desc2"
+" inner join parameter p3"
+ " on p2.ParaCode3=p3.ParaCode1 and p3.ParaCode3=p2.Desc2"
+" where p2.paracode1='ATTRIBUTE'"
+ " and p2.ParaCode2='" + ddl_attribute.SelectedValue + "'";
But not the codes below:
strSQL = "SELECT Paracode2 FROM Parameter WHERE Paracode1 = 'PROGMGR' AND Desc1 = '" + login + "' AND Status = 'A' ";
I would like to know the reason why as I am unclear regarding SQL injection and I am new to this. Thanks for the response
You're concatenating some application variables into your SQL query string, so the safety depends on how those variables' values were set. Did they come from some untrusted input? Or were they set from some safe application data?
If HPE Fortify has analyzed your code and knows how your login variable was assigned its value, it may be able to tell that it's safe to use in an SQL expression. Whereas it may not be able to make that conclusion about the SelectedValue variable, so it assumes it's unsafe and therefore could cause an SQL vulnerability.
The Perl language does something similar, without the use of a tool like HPE Fortify. Every Perl variable is either "tainted" or "untainted" depending on where it got its value. So you can tell whether a variable is safe to use in SQL, or in eval() or other possible code-injection situations. It's a pity more languages don't support something similar.
But I agree with other commenters that you should learn to use query parameters. It's easy and it's safe. And you can stop getting eyestrain figuring out if you've balanced your quotes-within-quotes correctly.
Your code sample looks like it might be Java. Here's an example in Java:
strSQL = "SELECT Paracode2 FROM Parameter"
+ " WHERE Paracode1 = 'PROGMGR' AND Desc1 = ? AND Status = 'A' ";
Notice the ? placeholder for the parameter has no single-quotes around it within the SQL string. You must not put SQL quotes around the placeholder.
PreparedStatement stmt = con.PreparedStatement(sql);
stmt.setString(1, login);
ResultSet rs = stmt.executeQuery();
For more information to help you understand SQL injection, you might like my presentation SQL Injection Myths and Fallacies, or the video of me delivering that talk: https://www.youtube.com/watch?v=VldxqTejybk
I am considering using RCP to run a generic datastage job, but the initial SQL changes each time it's called. Is there a process in which I can use a User Activity Variable to inject SQL from a text file or something so I can use the same datastage?
I know this Routine can read a file to look up parameters:
Routine = ‘ReadFile’
vFileName = Arg1
vArray = ”
vCounter = 0
OPENSEQ vFileName to vFileHandle
Else Call DSLogFatal(“Error opening file list: “:vFileName,Routine)
Loop
While READSEQ vLine FROM vFileHandle
vCounter = vCounter + 1
vArray = Fields(vLine,’,’,1)
vArray = Fields(vLine,’,’,2)
vArray = Fields(vLine,’,’,3)
Repeat
CLOSESEQ vFileHandle
Ans = vArray
Return Ans
But does that mean I just store the SQL in one Single line, even if it's long?
Thanks.
Why not just have the SQL within the routine itself and propagate parameters?
I have multiple queries within a single routine that does just that (one for source and one for AfterSQL statement)
This is an example and apologies I'm answering this on my mobile!
InputCol=Trim(pTableName)
If InputCol='Table1' then column='Day'
If InputCol='Table2' then column='Quarter, Day'
SQLCode = ' Select Year, Month, '
SQLCode := column:", Time, "
SQLCode := " to_date(current_timestamp, 'YYYY-MM-DD HH24:MI:SS'), "
SQLCode := \ "This is example text as output" \
SQLCode := "From DATE_TABLE"
crt SQLCode
I've used the multiple encapsulations in the example above, when passing out to a parameter make sure you check the ', " have either been escaped or are displaying correctly
Again, apologies for the quality but I hope it gives you some ideas!
You can give this a try
As you mentioned ,maintain the SQL in a file ( again , if the SQL keeps changing , you need to build a logic to automate populating the new SQL)
In the Datastage Sequencer , use a Execute Command Activity to open the SQL file
eg : cat /home/bk/query.sql
In the job activity which calls your generic job . you should map the command output of your EC activity to a job parameter
so if EC activity name is exec_query , then the job parameter will be
exec_query.$CommandOuput
When you run the sequence , your query will flow from
SQL file --> EC activity-->Parameter in Job activity-->DB stage( query parameterised)
Has you thinked to invoke a shellscript who connect to database and execute the SQL script from the sequential job? You could use sqlplus to connect in the shellscript and read the file with the SQL and use it. To execute the shellscript from the sequential job use a ExecCommand Stage (sh, ./, ...), it depends from the interpreter.
Other way to solve this, depends of the modification degree of your SQL; you could invoke a routine base who handle the parameters and invokes your parallel job.
The principal problem that I think you could have, is the limit of the long of the variable where you could store the parameter.
Tell me what option you choose and I could help you more.
this should be a simple thing but I've spent hours to no avail. Basically, I need to look up a salesrep # in a SQL database using the user's Window's user id. The format of the user id is
"Norstar\kjones" and I need the "kjones" portion of it.
using the split function, I am able to pull just the 'kjones' part out:
split(User!UserID,"\").GetValue(1)
I've created a parameter called SlsmnNum and created a dataset to be used to look up the salesrep # using the user id (the slsm_num field is a varchar, not an integer):
select slsm_num from Salesman_Msid where slsm_msid = ''' + split(User!UserID,"\").GetValue(1) + '''
However, I get no results. How can I get the select to work?
alternatively, I tried the following:
in parameter SlsmnNum, I set the default to an expression using:
split(User!UserID,"\").GetValue(1) and this returns 'kjones', as expected.
I created a SECOND parameter (which is positioned BELOW the SlsmnNum parameter), SlsmnNum2, that has a default (and an available) value using a query, which is a dataset containing the following select statement:
select slsm_num from Salesman_Msid where slsm_msid = (#SlsmnNum)
When I run the query on the Data tab, when I type in 'kjones' into the parameter box, it returns '1366', the salesrep # I'm expecting.
But, when I Preview the report, all I get in SlsmnNum2 box is Select a Value and nothing is there (it should return '1366').
Any help would be greatly appreciated!
Try your first approach with Query Text as
="select slsm_num from Salesman_Msid where slsm_msid = '" & split(User!UserID,"\").GetValue(1) & "'"
I know this has been asked earlier.
Most of the answers were not relevant.
Google, shows that the solution is to configure the expression in the "data flow task" and set the query.
However in the ADO .NET source, when I try to preview the output I keep getting "Must declare the variable '#'"
It does not show the full variable in this error - "#[User::GLOBAL_PARAMETER]"
I think that's because "[USER::" isn't the correct syntax inside a SQL; but then how does one set it ?!
From your description it seems like you are having an error due to using the variable name inside the query string as opposed to the processed variable value. In other words:
"SELECT * FROM #[User::TABLE]" in the expression builder would be WRONG
"SELECT * FROM " + #[User::TABLE] would be CORRECT
It would help if you shared the expression you are using as a query
My code is below:
var statement = "test_oracle.sql";
F = aqFile.OpenTextFile(statement, aqFile.faRead, aqFile.ctANSI);
F.Cursor = 0;
while(! F.IsEndOfFile()){
s = F.ReadLine();
oResult = Project.Variables.oConnection.Execute_(s);
The first line that "s" reads is: set serverout on size 10000
An error is returned as "ORA-00922: missing or invalid option"
Can anyone provide guidance?
It seems to me that your problem is not with jscript or ado.net, but your sql in that sql file is invalid.
If you look at this page for example:
http://webcache.googleusercontent.com/search?q=cache:N0n7PtpJH4gJ:www.daniweb.com/forums/thread197500.html+ORA-00922:+missing+or+invalid+option&cd=3&hl=en&ct=clnk&gl=us&client=firefox-a
you will see that everyone who got that oracle error got it because of bad syntax.
does that sql execute in a sql client?
It turned out that I was sending a SQL+ statement to a pure SQL environment. This caused it to error on the Set Serverout statement