CODEWITHSUNDEEP
asp.net
Gui
Gui

Reputation:

asp.net connection issues

This is my ASP.NET code: 

<html>
<body>

<%
Dim Conn
Conn = "Provider=xxxxxx; Server=xxxxxx; Database=xxxxxx; Trusted_Connection=xxx; "


sql="INSERT INTO xxxx"
sql=sql & " VALUES "
sql=sql & "('" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "')"

on error resume next
Conn.Execute sql,recaffected
if err<>0 then
  Response.Write("Update Failed")
else
  Response.Write("<h3>"Record Added</h3>")
end if

%>

</body>
</html>

I always get a result of "Update Failed"... Can you see from the code why this is?

Upvotes: 0

Views: 44

Answers (2)

cgcarter1
cgcarter1

Reputation: 327

You need to take out the command text and use procedures, otherwise you open yourself to security holes. NEVER put your SQL commands on your UI or code-behind. Best practices is stored procedures.

Upvotes: 0

p.campbell
p.campbell

Reputation: 100567

Suggest a major refactoring to eliminate your SQL injection vulnerability.

Dim  conn As New SqlConnection(SomeConnectionString)
Dim  cmd As SqlCommand = conn.CreateCommand()

conn.Open()
cmd.CommandText="INSERT INTO MyTable(Column1, Column2)  " & _
                     " VALUES (@Value1, @Value2)"
cmd.Parameters.AddWithValue("@Value1", Request.Form("xxxx"))
cmd.Parameters.AddWithValue("@Value2", Request.Form("xxxx"))
'add all your parameters as per above  '

cmd.ExecuteNonQuery()

Upvotes: 1

Related Questions