Old Mar 18th, 2008, 10:09 AM   #1
ahlaj77
~*Ashley Star*~
Join Date: Mar 2008
Posts: 1
Question Need help sending information from an ASP.NET form to a database

Hello there,
I am in need of trying to figure out what is the best way to send data submitted from a form online to a database. I have a webform that will be submitting user requests, and when the information is submitted I would like it to be inserted into my Request Database. Right now the only things I have on my form are as follows:
User ID [ txtUserID ]
User Email [ txtUserEmailAddress ]
Request [ txtRequestSummary ]

Would this require me to use any type of stored procedures? This will be an ongoing website and I would like to set it up where it can be 'easy maintenance' if the database needed fixing/updating etc. I would appreciate your help! Thank you so much

Also the database name is called "Database"
Using MS Server 2003
Using C# as the language in Visual Studio

Last edited by ahlaj77; Mar 18th, 2008 at 10:31 AM.
Old Apr 7th, 2008, 9:03 AM   #2
opa6x57
Hmmmm ... Is there more??
Join Date: Apr 2008
Location: Post Falls, ID
Posts: 15
Re: Need help sending information from an ASP.NET form to a database

I thought I could help until I saw this...

Quote:
Originally Posted by ahlaj77:
Using C# as the language in Visual Studio

I have a fairly extensive set of ASP programs which update a SQL database. The database is resident on the same server that provides the ASP pages.

Nevertheless, we established a DSN so that the connection would be smooth - which is okay in this application because the entire thing runs on a trusted network - no outside access. (You may not want to do it this way... I'm not sure.)

In the programs I have - first you define a string to contain your SQL command - using variables, this might look something like this:

Code (classic ASP / VBScript):

```vb
' establish the connection:

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "DSN=SQLAUTO"

'begin building the SQL command string
strSQL = "Update TABLE_NAME Set"

strSQL = strSQL & " COLUMN_1 = '" & (Request.Form("COLUMN1.Value")) & "'"

strSQL = strSQL & ", COLUMN_2 = '" & Cstr(Request.Form("COLUMN2.Value")) & "'"

strSQL = strSQL & ", COLUMN_3 = '" & (Request.Form("COLUMN3.Value")) & "'"


'optionally add some columns to update
' based on choices made during the first post of the page...

If Request.Form("RadioBtn_Value") = "Y" Then
    strSQL = strSQL & ", COLUMN_4 = 'Y'"
Else
    strSQL = strSQL & ", COLUMN_4 = 'N'"
End If

If Request.Form("RadioBtn2_Value") = "Y" Then
    strSQL = strSQL & ", COLUMN_5 = 'Y'"
Else
    strSQL = strSQL & ", COLUMN_5 = 'N'"
End If

'Then - add the 'where' condition

strSQL = strSQL & " Where pk_KEY = '" & variable_Key_Value & "'"

Set objCmd = Server.CreateObject("ADODB.Command")

adCmdText = 1

Set objCmd.ActiveConnection = conn
objCmd.CommandText = strSQL
objCmd.CommandType = adCmdText
' everything to here is preparation ... this line actually executes the QUERY
objCmd.Execute

' and don't forget to clean up after yourself.
'Close
Set objCmd = Nothing
conn.Close
Set conn = Nothing
```

Maybe you can translate this VB to C# for your use - if this doesn't really answer the question .. let us know ...
__________________
Ken -
New to PFO ... but been dabbling in various versions of BASIC since highschool - circa 1973.

"Shouldn't the 'Air and Space' museum be empty?" - Dennis Miller

Last edited by opa6x57; Apr 7th, 2008 at 9:13 AM. Reason: typo in original
Old Apr 7th, 2008, 10:09 AM   #3
mbd
Programmer
Join Date: Nov 2007
Posts: 86
Re: Need help sending information from an ASP.NET form to a database

opa6x57: if i entered X'; into the form field column1.value, i would have just trashed your entire database. it is not smart to use anything other than constants in your sql commands. you should use parameters to take care of escaping form input and making the sql safe to execute.

ahlaj77: there is a book called programming asp.net from O'Reilly which would cover this topic in detail. there are probably plenty of other tutorials for free on the web. if you find one and want to be sure it is good, post it here and i can glance at it and let you know. this is a pretty large topic, and i won't write an entire chapter in this post when it has already been written somewhere else.
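Added example, not code from the thread or from any poster: the three text boxes from the original question inserted into SQL Server through ADO.NET parameters, which is the approach mbd recommends above. The text box IDs are the ones ahlaj77 listed; the table name Requests, its column names, the "RequestDb" connection-string name and the lblStatus label are assumptions made for the example.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

// Code-behind for the request form (page and control names are assumptions).
public partial class RequestForm : Page
{
    // How NOT to do it (the pattern mbd objects to): the text box value becomes
    // part of the SQL text, so a quote or semicolon in the input changes the
    // statement instead of being stored. Kept only for contrast with the
    // parameterised version below.
    private static string BuildUnsafeSql(string userId, string email, string summary)
    {
        return "INSERT INTO Requests (UserID, Email, RequestSummary) VALUES ('"
             + userId + "', '" + email + "', '" + summary + "')";
    }

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // Basic server-side validation: SqlClient silently truncates a string
        // parameter to its declared Size, so check lengths here rather than
        // relying on the database to complain.
        if (txtUserID.Text.Trim().Length == 0 || txtUserID.Text.Length > 50
            || txtUserEmailAddress.Text.Length > 254
            || txtRequestSummary.Text.Length > 2000)
        {
            lblStatus.Text = "Please check the length of your entries.";
            return;
        }

        // Connection string lives in web.config under <connectionStrings>
        // (the name "RequestDb" is an assumption), not in the page source.
        string connStr =
            ConfigurationManager.ConnectionStrings["RequestDb"].ConnectionString;

        // The SQL text is a constant; the three values travel as parameters.
        const string sql =
            "INSERT INTO Requests (UserID, Email, RequestSummary) " +
            "VALUES (@UserID, @Email, @Summary)";

        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Typed parameters: the driver sends the values separately from the
            // statement, so a value such as  X';  is stored as ordinary text.
            cmd.Parameters.Add("@UserID", SqlDbType.NVarChar, 50).Value =
                txtUserID.Text.Trim();
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 254).Value =
                txtUserEmailAddress.Text.Trim();
            cmd.Parameters.Add("@Summary", SqlDbType.NVarChar, 2000).Value =
                txtRequestSummary.Text;

            // A stored procedure is not required for this. If one is added
            // later, set cmd.CommandType = CommandType.StoredProcedure and keep
            // the same parameter names, and this page code barely changes.
            conn.Open();
            int rows = cmd.ExecuteNonQuery();
            lblStatus.Text = rows == 1 ? "Request saved." : "Nothing was inserted.";
        }
    }
}
```

The only text that reaches SQL Server as part of the statement is the constant string; whatever the user typed is bound to @UserID, @Email and @Summary, so the database never parses it as SQL. Keeping the connection string in web.config also means the database name and credentials can change without touching the page.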
Old Apr 7th, 2008, 10:46 AM   #4
opa6x57
Hmmmm ... Is there more??
Join Date: Apr 2008
Location: Post Falls, ID
Posts: 15
Re: Need help sending information from an ASP.NET form to a database

Quote:
Originally Posted by mbd:
opa6x57: if i entered X'; into the form field column1.value, i would have just trashed your entire database. it is not smart to use anything other than constants in your sql commands. you should use parameters to take care of escaping form input and making the sql safe to execute.
I only posted the portion that actually updates the SQL database. The input validation is contained in the first part of the ASP page.

(Most of the inputs are radio buttons and check boxes - which force input to be a certain value. The ones that aren't have code to strip unwelcome characters and format the input to match the database template.)

I appreciate the feedback - since I inherited this site with the code as-is. (I'm a VB programmer from before .NET so some of this SQL stuff is quite new.)

I'd appreciate a little more detail on your comment, "use parameters to take care of escaping form input" ... can you give me an example?
__________________
Ken -
New to PFO ... but been dabbling in various versions of BASIC since highschool - circa 1973.

"Shouldn't the 'Air and Space' museum be empty?" - Dennis Miller
Old Apr 7th, 2008, 11:43 AM   #5
mbd
Programmer
Join Date: Nov 2007
Posts: 86
Re: Need help sending information from an ASP.NET form to a database

first, radio buttons and combo boxes do not force the input to be anything. if you connect to the http port with telnet you can type whatever you want as a value for that field.

i do not know what is available in asp. in asp.net (more specifically ado.net) this example might help: http://www.csharp-station.com/Tutori.../Lesson06.aspx

i just realized that this is c#, but you can probably find one that is in vb
Old Apr 7th, 2008, 12:55 PM   #6
opa6x57
Hmmmm ... Is there more??
Join Date: Apr 2008
Location: Post Falls, ID
Posts: 15
Re: Need help sending information from an ASP.NET form to a database

Quote:
Originally Posted by mbd:
first, radio buttons and combo boxes do not force the input to be anything. if you connect to the http port with telnet you can type whatever you want as a value for that field.
I agree - 'force' is the wrong word, here. And I'm always looking to improve the stuff I support. I guess the correct wording would have been something like - "...uses radio buttons and check boxes so that the input is more likely to be free from human/user error." This application runs on a private server - with a small department of employees that access/use it. The server is only available on our network - and login security is also used to prevent access by other company (non-departmental) employees.

Regardless - a determined cracker could mess with this data - I agree.

Quote:
i do not know what is available in asp. in asp.net (more specifically ado.net) this example might help: http://www.csharp-station.com/Tutori.../Lesson06.aspx

i just realized that this is c#, but you can probably find one that is in vb
I can see where the use of parameters would be to my advantage. I do have a question, however ... the example I posted initially - has two 'optional' columns - these are updated based on whether a check-box is checked, or not.

How would one implement such an optional update using parameters?
__________________
Ken -
New to PFO ... but been dabbling in various versions of BASIC since highschool - circa 1973.

"Shouldn't the 'Air and Space' museum be empty?" - Dennis Miller
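Added example, not code from the thread or from any poster, answering the question just above: opa6x57's UPDATE with its two optional columns, rewritten in C#/ADO.NET with parameters. TABLE_NAME, COLUMN_1 to COLUMN_5 and pk_KEY are the placeholders from the posted VB; the control IDs (txtCol1, chkCol4, pnlOptional, hidKey, lblStatus), the "RequestDb" connection-string name and the column sizes are assumptions. The point it demonstrates is that the optional part of the statement is built from column names that are literals in the code, while every value, the 'Y'/'N' flags and the key included, is a parameter.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

// Code-behind for the edit page (page and control names are assumptions).
public partial class EditRecord : Page
{
    // Appends "COLUMN = @pN" to the SET list and binds the value as parameter N.
    // 'column' is always a literal from this file, never something the client sent.
    private static void AddSet(SqlCommand cmd, List<string> setItems,
                               string column, string value)
    {
        string name = "@p" + cmd.Parameters.Count;
        setItems.Add(column + " = " + name);
        cmd.Parameters.Add(name, SqlDbType.NVarChar, 100).Value = value;
    }

    // Builds the UPDATE. A null flag means "leave that column alone"; true or
    // false writes 'Y' or 'N'. Because the flag is a bool decided in this code,
    // the stored value can only be Y or N whatever was typed into the POST body
    // (mbd's telnet point): the raw form text never reaches the statement.
    public static SqlCommand BuildUpdate(SqlConnection conn, string keyValue,
        string col1, string col2, string col3, bool? flag4, bool? flag5)
    {
        SqlCommand cmd = conn.CreateCommand();
        List<string> setItems = new List<string>();

        AddSet(cmd, setItems, "COLUMN_1", col1);
        AddSet(cmd, setItems, "COLUMN_2", col2);
        AddSet(cmd, setItems, "COLUMN_3", col3);

        // The optional columns: the SET item is added only when the caller
        // decided the column should change at all.
        if (flag4.HasValue) AddSet(cmd, setItems, "COLUMN_4", flag4.Value ? "Y" : "N");
        if (flag5.HasValue) AddSet(cmd, setItems, "COLUMN_5", flag5.Value ? "Y" : "N");

        // Statement text = constants joined together; values are all parameters.
        cmd.CommandText = "UPDATE TABLE_NAME SET "
                        + string.Join(", ", setItems.ToArray())
                        + " WHERE pk_KEY = @key";
        cmd.Parameters.Add("@key", SqlDbType.NVarChar, 50).Value = keyValue;
        return cmd;
    }

    protected void btnSave_Click(object sender, EventArgs e)
    {
        string connStr =
            ConfigurationManager.ConnectionStrings["RequestDb"].ConnectionString;

        // pnlOptional is shown only when the first post of the page chose to
        // include the optional columns (assumption); if it is hidden, pass null
        // so those columns are left untouched.
        bool? flag4 = pnlOptional.Visible ? (bool?)chkCol4.Checked : null;
        bool? flag5 = pnlOptional.Visible ? (bool?)chkCol5.Checked : null;

        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = BuildUpdate(conn, hidKey.Value,
                   txtCol1.Text, txtCol2.Text, txtCol3.Text, flag4, flag5))
        {
            conn.Open();
            int rows = cmd.ExecuteNonQuery();
            lblStatus.Text = rows == 1 ? "Saved." : "No row matched that key.";
        }
    }
}
```

With both flags set the command text comes out as UPDATE TABLE_NAME SET COLUMN_1 = @p0, COLUMN_2 = @p1, COLUMN_3 = @p2, COLUMN_4 = @p3, COLUMN_5 = @p4 WHERE pk_KEY = @key, and with both null the last two SET items are simply absent. Either way the shape of the statement is decided by the code, not by the request, which is what makes the optional update as safe as the fixed one.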
Old Apr 7th, 2008, 12:56 PM   #7
Ooble
I eat cake for breakfast.
Join Date: Jul 2004
Location: In my box.
Posts: 4,434
Re: Need help sending information from an ASP.NET form to a database

I have an extension for Firefox called Web Developer. One of its features is the ability to turn drop-down boxes into text fields to test against this very vulnerability. However, turning check boxes and option buttons into text fields doesn't make sense, as you don't check the value, you check to find out whether the button ID was sent or not, and it's therefore hack-proof (assuming you get everything else right).
__________________
Me :: You :: Them
DaniWeb IT Discussion Community