MYSQL, VBScript, and Data

Sun, 24 Feb 2008 20:21:24 +000
It's actually quite ironic that for the past few weeks I've been building a forum
and now I'm posting in one!
My problem seems quite simple; I just hope there's a simple answer...
In my members table I have logged in amount, location, country, rating, times
rated and many more....
When I use SSH to request the following, it all seems to work fine:
mysql> SELECT Rating, Rates From Members WHERE Username = 'Admin' LIMIT 1;
+--------+-------+
| Rating | Rates |
+--------+-------+
| 5.00 | 0 |
+--------+-------+
1 row in set (0.00 sec)
But when I use the same in my webpage, I don't seem to get the same back:
Set getmember = my_conn.Execute("SELECT * From Members WHERE Username = '" & getposts("PostingMember") & "' LIMIT 1")
<%Response.Write(getmember("Rating"))%>
Why is this? Does anyone have any suggestions at all?

Re: MYSQL, VBScript, and Data
Sun, 24 Feb 2008 20:48:33 +000
Not sure what getposts() is returning, but the name of it suggests that it is
not returning a username such as 'Admin'. Make sure that
getposts("PostingMember") is returning a username.
Might I suggest that you switch to using parameterized queries before someone
registers with a name like "asdf' ; drop table Members --".
Hope this helps!

Re: MYSQL, VBScript, and Data
Sun, 24 Feb 2008 22:09:17 +000
Oh no, don't worry, I've done all my homework for people joining the site; it uses
regular expressions to verify what goes into the database, so no worries
there...
getposts() is linked to SELECT * From Posts WHERE Forum_IDfk = '" & forum & "' ORDER BY Dateposted DESC.
What I don't understand is that half my data returns fine to the page, but the
rating, which is: rating DECIMAL(4,2) DEFAULT '5',
why is it not returning this value correctly?
My table creation is:
CREATE TABLE Members (
Member_ID MEDIUMINT UNSIGNED PRIMARY KEY AUTO_INCREMENT NOT NULL UNIQUE,
Username VARCHAR(20) UNIQUE NOT NULL,
Password VARCHAR(40) NOT NULL,
Firstname VARCHAR(50) NOT NULL,
Lastname VARCHAR(50) NOT NULL,
Email VARCHAR(50) UNIQUE NOT NULL,
Gender VARCHAR(12) NOT NULL DEFAULT 'Undisclosed',
Dateofbirth DATE NOT NULL,
Orientation VARCHAR(12) NOT NULL DEFAULT 'Undisclosed',
Status VARCHAR(20) NOT NULL DEFAULT 'Undisclosed',
Signature VARCHAR(100),
Webpage VARCHAR(255) DEFAULT '',
Account VARCHAR(10) NOT NULL DEFAULT 'PENDING', # DELETED, SUSPENDED, ACTIVE, PENDING
Accountverify SMALLINT UNSIGNED NOT NULL,
Accountvisits MEDIUMINT UNSIGNED NOT NULL DEFAULT 0,
Rating DECIMAL(4,2) DEFAULT '5',
Rates MEDIUMINT UNSIGNED DEFAULT 0,
Datejoined TIMESTAMP NOT NULL DEFAULT NOW(),
Lastloggedin TIMESTAMP NOT NULL DEFAULT 0,
Logincount MEDIUMINT UNSIGNED DEFAULT 0,
Country VARCHAR(255) NOT NULL,
Location VARCHAR(255),
Postcode VARCHAR(10),
Posts MEDIUMINT UNSIGNED NOT NULL DEFAULT 0,
Profileheader VARCHAR(100),
Profiletext TEXT,
Interests VARCHAR(255),
Profilepicture VARCHAR(255) NOT NULL DEFAULT 'nopic',
Avatar VARCHAR(255) NOT NULL DEFAULT 'noavatar'
);

Re: MYSQL, VBScript, and Data
Mon, 25 Feb 2008 02:07:30 +000
If getPosts() is "linked to" a "SELECT *" query, then that
query could be returning multiple rows. I don't see how you could be getting a
value by using "getPosts("PostingMember")". I'm not saying
this isn't possible, but without the code I just don't know what logic is
there.
On the other issue, regardless of your regular expressions, you should never
construct queries this way because of the risk of SQL injection.
Matt

Re: MYSQL, VBScript, and Data
Mon, 25 Feb 2008 02:34:27 +000
How do I risk MySQL injection?? Can you provide some sample code?
I'm a tad confused on why my numbers aren't coming up for the rating, which is a
decimal number....
The way it works is that you can basically do a piece of code...
<%
Set my_conn = Server.CreateObject("ADODB.Connection")
Set rs = Server.CreateObject("ADODB.Recordset")
' Data source name (DSN-less connection string)
my_conn.Open "DRIVER=; DATABASE=mydatabase; USER=myusername; PASSWORD=pass; Server=localhost;"
' Run the query; Execute returns a forward-only recordset
Set latesttopics = my_conn.Execute("SELECT Forum_ID, Forumsubject, Datecreated From Forums Order BY Datecreated DESC;")
' Walk the rows until end-of-file
Do While Not latesttopics.EOF
    Response.Write(latesttopics("Forumsubject") & " created on: " & latesttopics("Datecreated"))
    latesttopics.MoveNext
Loop
%>
That's basically how it works (a lot of it was copy and paste so should be correct).
That's how you communicate with MySQL via VBScript.
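The parameterized query suggested in the second reply, and the sample the last post asks for, written out as an added example (not code from any poster in this thread). It keeps the thread's table and column names; the ODBC driver name in the connection string and the hypothetical GetMemberRating function are assumptions.

```vbscript
<%
' Added example: the member lookup from the thread done with an ADODB.Command
' and a bound parameter instead of splicing the username into the SQL text.
Function GetMemberRating(my_conn, username)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = my_conn
    cmd.CommandType = 1 ' adCmdText
    ' The ? placeholder is bound by the driver, so a registered name such as
    '   asdf' ; drop table Members --
    ' is compared literally against the Username column and simply matches no row.
    cmd.CommandText = "SELECT Rating, Rates FROM Members WHERE Username = ? LIMIT 1"
    ' CreateParameter(name, type, direction, size, value): 200 = adVarChar, 1 = adParamInput;
    ' size 20 matches Username VARCHAR(20) in the thread's CREATE TABLE.
    cmd.Parameters.Append cmd.CreateParameter("username", 200, 1, 20, username)
    Set rs = cmd.Execute
    If rs.EOF Then
        GetMemberRating = Null
    Else
        ' DECIMAL(4,2) arrives as a Decimal variant; CDbl gives a plain number
        ' that Response.Write and FormatNumber handle predictably.
        GetMemberRating = CDbl(rs("Rating"))
    End If
    rs.Close
End Function

' Assumed DSN-less connection string; driver name and credentials are placeholders.
Dim my_conn, rating
Set my_conn = Server.CreateObject("ADODB.Connection")
my_conn.Open "DRIVER={MySQL ODBC 3.51 Driver}; SERVER=localhost; DATABASE=mydatabase; USER=myusername; PASSWORD=pass;"

' Request.Form("PostingMember") stands in for the thread's getposts("PostingMember").
rating = GetMemberRating(my_conn, Request.Form("PostingMember"))
If IsNull(rating) Then
    Response.Write("no such member")
Else
    Response.Write("Rating: " & FormatNumber(rating, 2))
End If
my_conn.Close
%>
```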