Programming Forums

Programming Forums (http://www.programmingforums.org/forumindex.php)
-   ASP.NET (http://www.programmingforums.org/forum35.html)
-   -   Need help sending information from an ASP.NET form to a database (http://www.programmingforums.org/showthread.php?t=15434)

ahlaj77 Mar 18th, 2008 10:09 AM
Need help sending information from an ASP.NET form to a database
 
Hello there,
I am in need of trying to figure out what is the best way to send data submitted from a form online to a database. I have a webform that will be submitting user requests, and when the information is submitted I would like it to be inserted into my Request Database. Right now the only things I have on my form are as follows:
User ID [ txtUserID ]
User Email [ txtUserEmailAddress ]
Request [ txtRequestSummary ]

Would this require me to use any type of stored procedures? This will be an on going website and I would like to set it up where it can be 'easy maintanence' if the database needed fixing/updating etc. I would appreciate your help! Thank you so much :cool:

Also the database name is called "Database"
Using MS Server 2003
Using C# as the language in Visual Studio

opa6x57 Apr 7th, 2008 9:03 AM
Re: Need help sending information from an ASP.NET form to a database
 
I thought I could help until I saw this...

Quote:
Originally Posted by ahlaj77 (Post 142640)
Using C# as the language in Visual Studio

I have a fairly extensive set of ASP programs which update a SQL database. The database is resident on the same server that provides the ASP pages.

Nevertheless, we established a DSN so that the connection would be smooth - which is okay in this application because the entire thing runs on a trusted network - no outside access. (You may not want to do it this way... I'm not sure.)

In the programs I have - first you define a string to contain your SQL command - using variables, this might look something like this:

:
  1. ' establish the conncetion:
  2.  
  3. Set conn = Server.CreateObject("ADODB.Connection")
  4. conn.Open "DSN=SQLAUTO"
  5.  
  6. 'begin building the SQL command string
  7. strSQL = "Update TABLE_NAME Set"
  8.  
  9. strSQL = strSQL & " COLUMN_1 = '" & (Request.Form("COLUMN1.Value")) & "'"
  10.  
  11. strSQL = strSQL & ", COLUMN_2 = '" & Cstr(Request.Form("COLUMN2.Value")) & "'"
  12.  
  13. strSQL = strSQL & ", COLUMN_3 = '" & (Request.Form("SOLUMN3.Value")) & "'"
  14.  
  15.  
  16. 'optionally add some columns to update 
  17. ' based on choices made during the first post of the page...
  18.  
  19. If Request.Form("RadioBtn_Value") = "Y" Then 
  20.         strSQL = strSQL & ", COLUMN_4 = 'Y'"
  21. Else
  22.         strSQL = strSQL & ", COLUMN_4 = 'N'"
  23. End If
  24.  
  25. If Request.Form("RadioBtn2_Value") = "Y" Then 
  26.         strSQL = strSQL & ", COLUMN_5 = 'Y'"
  27. Else
  28.         strSQL = strSQL & ", COLUMN_5 = 'N'"
  29. End If
  30.  
  31. 'Then - add the 'where' condition
  32.  
  33. strSQL = strSQL & " Where pk_KEY = '" & variable_Key_Value & "'"
  34.  
  35. Set objCmd = Server.CreateObject("ADODB.Command")
  36.  
  37. adCmdText = 1
  38.  
  39. Set objCmd.ActiveConnection = conn
  40. objCmd.CommandText = strSQL
  41. objCmd.CommandType = adCmdText
  42. ' everything to here is preparation ... this line actually executes the QUERY
  43. objCmd.Execute                
  44.  
  45. ' and don't forget to clean up after yourself.
  46. 'Close
  47. Set objCmd = Nothing
  48. conn.Close
  49. Set conn = Nothing

Maybe you can translate this VB to C# for your use - if this doesn't really answer the question .. let us know ... :D

mbd Apr 7th, 2008 10:09 AM
Re: Need help sending information from an ASP.NET form to a database
 
opa6x57: if i entered X'; into the form field column1.value, i would have just trashed your entire database. it is not smart to use anything other than constants in your sql commands. you should use parameters to take care of escaping form input and making the sql safe to execute.

ahlaj77: there is a book called programming asp.net from orielly which would cover this topic in detail. there are probably plenty of other tutorials for free on the web. if you find one and want to be sure it is good, post it here and i can glance at it and let you know. this is a pretty large topic, and i wont write an entire chapter in this post when it has already been written somewhere else.

opa6x57 Apr 7th, 2008 10:46 AM
Re: Need help sending information from an ASP.NET form to a database
 
Quote:
Originally Posted by mbd (Post 143601)
opa6x57: if i entered X'; into the form field column1.value, i would have just trashed your entire database. it is not smart to use anything other than constants in your sql commands. you should use parameters to take care of escaping form input and making the sql safe to execute.
I only posted the portion that actually updates the SQL database. The input validation is contained in the first part of the ASP page.

(Most of the inputs are radio buttons and check boxes - which force input to be a certain value. The ones that aren't have code to strip unwelcome characters and format the input to match the database template.)

I appreciate the feed back - since I inherited this site with the code as-is. (I'm a VB programmer from before .NET so some of this SQL stuff is quite new.)

I'd appreciate a little more detail on your comment, "use parameters to take care of escaping form input" ... can you give me an example?

mbd Apr 7th, 2008 11:43 AM
Re: Need help sending information from an ASP.NET form to a database
 
first, radio buttons and combo boxes do not force the input to be anything. if you connect to the http port with telnet you can type whatever you want as a value for that field.

i do not know what is available in asp. in asp.net (more specifically ado.net) this example might help: http://www.csharp-station.com/Tutori.../Lesson06.aspx

i just realized that this is c#, but you can probably find one that is in vb

opa6x57 Apr 7th, 2008 12:55 PM
Re: Need help sending information from an ASP.NET form to a database
 
Quote:
Originally Posted by mbd (Post 143607)
first, radio buttons and combo boxes do not force the input to be anything. if you connect to the http port with telnet you can type whatever you want as a value for that field.
I agree - 'force' is the wrong word, here. And I'm always looking to improve the stuff I support. I guess the correct wording would have been something like - "...uses radio buttons and check boxes so that the input is more likely to be free from human/user error." This application runs on a private server - with a small department of employees that access/use it. The server is only available on our network - and login security is also used to prevent access by other company (non-departmental) employees.

Regardless - a determined cracker could mess with this data - I agree.

Quote:
i do not know what is available in asp. in asp.net (more specifically ado.net) this example might help: http://www.csharp-station.com/Tutori.../Lesson06.aspx

i just realized that this is c#, but you can probably find one that is in vb
I can see where the use of parameters would be to my advantage. I do have a question, however ... the example I posted initially - has two 'optional' columns - these are updated based on whether a check-box is checked, or not.

How would one implement such an optional update using parameters?

Ooble Apr 7th, 2008 12:56 PM
Re: Need help sending information from an ASP.NET form to a database
 
I have an extension called Firefox called Web Developer. One of its features is the ability to turn drop-down boxes into text fields to test against this very vulnerability. However, turning check boxes and option buttons into text fields doesn't make sense, as you don't check the value, you check to find out whether the button ID was sent or not, and it's therefore hack-proof (assuming you get everything else right).


All times are GMT -5. The time now is 4:47 PM.

Powered by vBulletin® Version 3.7.0, Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Copyright ©2007 DaniWeb® LLC