Webmaster Forum / ASP / Database Access / November 2007

Ughh! Why would dynamic (concatenated) sql be the alternative to using a
constant? Why not this:

Dim strSQL
strSQL ="INSERT INTO [myTable] (myField) VALUES (?)"

I wasn't questioning the use of a parameter marker vs a dynamic sql
statement, I was just slightly curious about your decision to assign
your original string to a constant rather than a variable? If you had a
good reason for it, i could have learned something.

That's the problem with most of the examples found on the web: "Simple"
techniques lead to insecure coding habits that leave websites vulnerable
to hackers using sql injection. We both know you would not code it this
way; so why advise a beginner to do it this way?

Sorry to sound overcritical, but this is one of my pet peeves, which has
been directed at my own posts occasionally.

URL:http://www.devguru.com/Technologies/jetsql/quickref/parameters.html

No. I consider that to be relevant for saved parameter queries rather
than ad hoc statements. No, I'm talking about this simple technique:

dim cmd, arParms
arParms = Array(strTXT)
Dim strSQL
strSQL ="INSERT INTO [myTable] (myField) VALUES (?)"
set cmd=createobject("adodb.command")
cmd.commandtext=strSQL
set cmd.activeconnection = objADO
cmd.commandtype = 1 'adCmdText
cmd.execute ,arParms, 128 '128=adExecuteNoRecords

Using parameters instead of dynamic sql avoids sql injection, as well as
the necessity to process inputs to handle embedded delimiters. Sure,
it's a few extra lines of code, but that's a small price to pay for the
benefits gained.

If you have a chance to make the code more efficient, I would appreciate
seeing
what changes can be made.

Thanks!

OK. give this a try:

<%@ Language=VBScript %>
<% option explicit%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<title>Sample Form</title>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />

<%
 'The ASP form script needs to be in the head section BEFORE the style
 'element

 dim ix, field, inputvalue, message, required, requiredm
 dim firstname, lastname, address, address2, city, state
 dim zip, phone, email,i
 dim FormAction
 dim xmlData, root, node, reqChars,reqChar, forbidChars
 dim key, arReq
 set xmldata=createobject("msxml2.domdocument")
 set xmlData.documentElement=xmlData.createElement("root")
 set root=xmlData.documentElement
 set node=xmlData.createElement("firstname")
 node.setAttribute "required","true"
 node.text="Your first name"
 root.appendchild node
 set node=xmlData.createElement("lastname")
 node.setAttribute "required","true"
 node.text="Your last name"
 root.appendchild node
 set node=xmlData.createElement("address")
 node.setAttribute "required","true"
 node.text="Your address"
 root.appendchild node
 set node=xmlData.createElement("address2")
 node.setAttribute "required","false"
 node.text="Optional"
 root.appendchild node
 set node=xmlData.createElement("city")
 node.setAttribute "required","true"
 node.text="Your city"
 root.appendchild node
 set node=xmlData.createElement("state")
 node.setAttribute "required","true"
 node.text="Your state"
 root.appendchild node
 set node=xmlData.createElement("zip")
 node.setAttribute "required","true"
 node.text="Your zipcode"
 root.appendchild node
 set node=xmlData.createElement("phone")
 node.setAttribute "required","true"
 node.text="Your phone number"
 root.appendchild node
 set node=xmlData.createElement("email")
 node.setAttribute "required","true"
 node.setAttribute "requiredchars","@|."
 node.setAttribute "forbiddenchars","www"
 node.text="Your email address"
 root.appendchild node

 FormAction = ""

'first determine whether this is from a post
if ucase(request.servervariables("request_method")) = "POST" then

 'now get the form values
 for each node in root.childNodes
  key=node.nodeName
  InputValue=Trim(Request.Form(key))
  node.text = InputValue
  required=cbool(node.getAttribute("required"))
  if required then
   'see if the user entered a value
   if InputValue = "" or left(InputValue,4) = "Your" then
    'no value, so build the info message
    if len(requiredm) > 0 then
     requiredm=requiredm & "\n" & key & " is required"
    else
     requiredm=key & " is required"
    end if
    if FormAction="" then FormAction="#" & key
   else
    'check for required characters
    reqChars=node.getAttribute("requiredchars")
    if len(reqChars) > 0 then
     arReq=split(reqChars,"|")
     for i = 0 to ubound(arReq)
      reqChar=arReq(i)
      if instr(inputvalue,reqChar)=0 then
       if FormAction="" then FormAction="#" & key
       if len(requiredm) > 0 then
        requiredm=requiredm & "\n" & key & _
        " must contain the """ & reqChar & """ character"
       else
        requiredm=key & " must contain the """ & _
        reqChar & """ character"
       end if
      end if
     next
    end if

    'check for forbidden characters
    forbidChars=node.getAttribute("forbiddenchars")
    if len(forbidChars) > 0 then
     if instr(inputvalue,forbidChars)>0 then
      if FormAction="" then FormAction="#" & key
      if len(requiredm) > 0 then
       requiredm=requiredm & "\n" & key & _
       " must not contain  """ & reqChar & """"
      else
       requiredm=key & " must not contain  """ & _
       reqChar & """"
      end if
     end if
    end if
   end if
  end if
 next
 if len(requiredm) = 0 then
  'process the data
  message = "Data submission successful"
 else
  message=requiredm
 end if

 if len(message) > 0 then
  %>
  <script type="text/javascript">
   function init() {
   alert('<%=message%>');
   if ('<%=formaction%>'!= '')
   {document.getElementById('<%=mid(FormAction,2)%>').focus();}
   }
  </script>
  <%
  message = "<div class=" & chr(034) & "message" & chr(034) & _
  "><strong>" & replace(message,"\n","<br>") & "</strong></div>"
 end if

end if
firstname = root.selectSingleNode("firstname").text
lastname = root.selectSingleNode("lastname").text
address = root.selectSingleNode("address").text
address2 = root.selectSingleNode("address2").text
city = root.selectSingleNode("city").text
state = root.selectSingleNode("state").text
phone = root.selectSingleNode("phone").text
email = root.selectSingleNode("email").text
zip = root.selectSingleNode("zip").text
%>
<style type="text/css">
<!--
body {
  font-family:arial;
  background-color: #fff;
  color:#000;
  }
/* This creates the structured "look" of the form - without tables! */
label {
width: 15%;
text-align: right;
float: left;
margin-right:.25em;
display:block;
}
input {
margin-bottom:.25em;
}
p.submit {
text-align: center;
}
fieldset {
border:1px solid #8c9f14;
}
legend {
text-transform: capitalize;
font-style: italic;
font-weight: bold;
}
form br {
clear: left;
}
/* The following will be replaced with the name of the required
field. Change the colors to suit. */
<% if required <> "" then
%>
#<%=required%>1 {
       font-weight:bold;
       background-color: yellow;
       color:red
       }
#<%=required%> {
       background-color: pink;
       color: black
       }
<% end if %>
/* These classes effect various elements in the form */
.message {
    font-weight:bold;
    color:red;
    background-color: #fff;
    text-align:center
    }
.submit {
   text-align:center
   }
.required {
    font-weight:bold;
    color: red
    }
-->
</style>
</head>
<body onload="<%if len(message)>0 then Response.Write "init()" %>">
<h1>Sample Form</h1>
<!-- This bit is here to alert non js users that they will have to
manually remove the contents of the fields -->
<script type="text/javascript">
<!--
s="<p style='display:none'>You have Javascript
enabled and the values of the fields will be
removed on focus.</p>";
document.write (s);
//-->
</script>
<noscript>
<p>Since you do not have Javascript enabled, you will have to
manually remove the contents of the fields.  The values are
there to provide examples only.</p>
</noscript>
<form method="post" id="testform"
action="<%=request.servervariables("script_name")%>">
<fieldset><legend>Indicates <span
class="required">required *</span> field</legend>
<%=message%>
<label for="firstname" id="firstname1">Firstname
<span class="required">*</span>: </label>
<input type="text" name="firstname" id="firstname"
value="<%=firstname%>" title="Enter first name"
onfocus="if(this.value == 'Your first name') this.value = '';" />
<br />

<label for="lastname" id="lastname1">Lastname
<span class="required">*</span>: </label>
<input type="text" name="lastname" id="lastname"
value="<%=lastname%>"
title="Enter last name"
onfocus="if(this.value == 'Your last name') this.value = '';" />
<br />

<label for="address" id="address1">Address
<span class="required">*</span>: </label>
<input type="text" name="address" id="address"
value="<%=address%>" title="Enter address"
onfocus="if(this.value == 'Your address') this.value = '';" />
<br />

<label for="address2" id="address21">Address2: </label>
<input type="text" name="address2" id="address2"
value="<%=address2%>" title="Enter second line of address"
onfocus="if(this.value == 'Optional') this.value = '';" /><br />

<label for="city" id="city1">City
<span class="required">*</span>: </label>
<input type="text" name="city" id="city" value="<%=city%>"
title="Enter city"
onfocus="if(this.value == 'Your city') this.value = '';" /><br />

<label for="state" id="state1">State
<span class="required">*</span>: </label>
<input type="text" name="state" id="state" value="<%=state%>"
title="Enter state"
onfocus="if(this.value == 'Your state') this.value = '';" /><br />

<label for="zip" id="zip1">Zip
<span class="required">*</span>: </label>
<input type="text" name="zip" id="zip" value="<%=zip%>"
title="Enter zip"
onfocus="if(this.value == 'Your zipcode') this.value = '';" /><br />

<label for="phone" id="phone1">Phone
<span class="required">*</span>: </label>
<input type="text" name="phone" id="phone" value="<%=phone%>"
title="Enter phone"
onfocus="if(this.value == 'Your phone number') this.value = '';" />
<br />

<label for="email" id="email1">Email
<span class="required">*</span>: </label>
<input type="text" name="email" id="email" value="<%=email%>"
title="Enter email"
onfocus="if(this.value == 'Your email address') this.value = '';" />
<br />
<p class="submit"><input type="submit" value="Submit" /></p>
<% if required <> "" then %>
<%=message%>
<%end if%>
</fieldset>
</form>
</body>
</html>