| Author |
Topic |
|
erico
Starting Member
34 Posts |
 Posted - 2007-04-19 : 13:03:09
|
The following post is long but needed so you can understand what I'm trying to do. Your patients is appreciated.I have this project that is (for me) rather challenging. I have an asp page with some sql code that reads data from tables in a database. It is suppose to display show title, date, content of show and just below that guest name, guest description and URL. The problem is I'm not sure exactly how to get the code to work so that I have my page displayed correctly when I test in my browser. Here is an example of what the output should look like in the "center" section of the asp page. There is nav elements on both left and right but they are not the issue.Show Name1/9/2007 Report from GeekWorld / Bagels / John SmithEach year, the GeekWorld expo features...Guests:John Doe technology reporterDon Smith owner, A Better BagelHarry Smith renaissance manRelated Links:'link text here' (as text link: blue with an underline)I have three tables.Table One: T_ProgramsTable Two: T_ProgramGuestsTable Two: T_ProgramLinksWhat is happening when I test it that the only thing being displayed is one guest name and one guest link but no content above it. Here is another very important point to this. I want to display show by date and regardless of the time of day show me the most current show complete with guests, descriptions of guests and links. Maybe this will help also. We've been relying on Includes pages for some time now but want to move off of them. I'm trying to get this to work directly from SQL and bypass dependence on Includes pages.The includes page builds the asp page which displays the content and so forth. I'm trying to create a CMS solution for one of our departments. Yes I know there are many out there but I've been tasked to create this using Access as the front-end for the users to enter the data (process already in place) and get the backend to work "without" includes so we can display whatever they edit.For example: what if a person from that department makes an update to a guest name, description and link. After they click the transfer button on the Access form it updates the tables in SQL then the asp page would get built from that. Meaning that they could then do a refresh of their browser and see their changes. This way the webteam no longer has to manually update it for them.It needs to account for unlimited number of guests and links. Most likely they would never show more then maybe 10 to 15. We currently have links on the side of the main or default.asp page that takes you to a show page but it uses an includes. The URL typically looks like this when you mouseover the link:http://www.company.org/programs/weekday.aspWe're wanting to see something like:http://www.company.org/programs/defaultweekday.aspI was recently given and idea from an intern to try and use a -1 or dash one in the asp code to account for the most current days show regardless of time of day. I dont fully understand it's meaning. Something like this: set a variable to -1 then SQL Select would change at the end to not look for an id but instead look for date. Add an If statement to cover the -1 variable set to -1 and it checks for the date or date variable. It would then query the database and look for the default entry for Weekday for that day. Here is the only other note I have...Intitially get date from T_Programs and to get the guests & links maybe add a date column, extract the idea of the story when you get the date query. Then use the id to query the other tables.I hope this isn't too confusing. I'm trying to provide this forum with as much information as I can so hopefully someone can help me figure this out.Here is the code from one of the two asp test pages where I'm trying to somehow combine the sql selects to get all this to work. I will seperate the code in two code block sections below.First code block from defaultprogramtest.asp page:<!-- BEGINNING OF THE GUESTS AND LINKS SECTION --><% set con = Server.CreateObject("ADODB.Connection") con.Open "File Name=E:\folder\Company\Company.UDL" set rs = Server.CreateObject("ADODB.Recordset")id=request.querystring("id") 'If this line is commented out the page will be blank. 'However you can still append a record number to the end of the URL and display that one.IF id <> "" then id=id else id="9726" end if 'This line shows the default record of 9726. If this line is commented out the page will ONLY show the default record but will NOT allow you'to append a different numberstrSQL = "SELECT *, T_Programs.ID AS Expr1, T_ProgramGuests.ProgramID AS Expr2, T_ProgramGuests.GuestName AS Expr3, T_ProgramGuests.GuestDescription AS Expr4, T_ProgramLinks.URL AS Expr5, T_ProgramLinks.Description AS Expr6 FROM T_ProgramGuests CROSS JOIN T_Programs CROSS JOIN T_ProgramLinks WHERE (T_ProgramGuests.ProgramID = '" & id & "')"rs.Open strSQL,con 'open a connection to the database%><br /><strong><% Response.Write RS ("GuestName") %> </strong> <% Response.Write RS("GuestDescription") %><br /><br />Related Links:<br /><li class='basic'><A HREF="<%= RS("URL") %>"><%= RS("Description") %></A></li><!-- END OF THE GUESTS AND LINKS SECTION --><%recProgram.Closecon.Closeset recProgram = nothingset con = nothing'response.write err.Description<%Second code block from defaultweekdaytest.asp. All the code above this section is the same as the page above. I just didn't want to repeat it. What is different is the sql select section:<!-- BEGINNING OF THE GUESTS AND LINKS SECTION --><% set con = Server.CreateObject("ADODB.Connection") con.Open "File Name=E:\webservice\Company\Company.UDL" set rs = Server.CreateObject("ADODB.Recordset")id=request.querystring("id") 'If this line is commented out the page will be blank. 'However you can still append a record number to the end of the URL and display that one.IF id <> "" then id=id else id="9726" end if 'This line shows the default record of 9726. If this line is commented out the page will ONLY show the default record but will NOT allow you'to append a different numberstrSQL = "SELECT *, Air_Date AS Expr1, Unit AS Expr2 FROM TestTable WHERE (Air_Date = CONVERT(varchar(10), GETDATE(), 101)) AND (Unit = 'TB')"rs.Open strSQL,con 'open a connection to the database%><br /><strong><% Response.Write RS ("GuestName") %> </strong> <% Response.Write RS("GuestDescription") %><br /><br />Related Links:<br /><li class='basic'><A HREF="<%= RS("URL") %>"><%= RS("Description") %></A></li><!-- END OF THE GUESTS AND LINKS SECTION -->Let me know if you need more information or if I have confused you too much for you to help me. I've never done anything like this before. This type of project is over my head until I learn this stuff better. So any code assistance is greatly appreciated. |
|
|
Vinnie881
Master Smack Fu Yak Hacker
1231 Posts |
Posted - 2007-04-19 : 13:43:50
|
| Honestly I only read through the first pararagraph, so my sugestion may be way off (Your post is very long).It appears that a Program is also known as a show, is this correct?If so and the only issue is that you are trying to retrieve the data in the way you mentioned, you would need to do the following.There are a few differant methods to achieving what you illustrated. I normally Like to return the individual tables or ceate a dataset to contain each table.So I would run 3 queries (NOT 1 like you have).This will allow you to properly create your page (Note you can do it with 1, but the way you are attempting to is incorrect)tbl1 = Select * from T_Programs awhere a.ID = @IDtb2 = Select * from T_ProgramGuestswhere a.ID = @IDtb3 = Select * from T_ProgramLinkswhere A.id = @IDOnce you have that information then just use it to create your tabledim dr as datarowfor each dr in tb1.rows'This is where you would add your code to add the show'You would get the field info by using dr("fieldname")nextfor each dr in tb2.rows'This is where you would add your code to add the Guests 'You would get the field info by using dr("fieldname")nextfor each dr in tb3.rows'This is where you would add your code to add the Links'You would get the field info by using dr("fieldname")nextI am not sure if this is what you are asking. Also this question is not really a t-sql question and should've been in another forum. Please keep your questions short and to the point. This wil help us resolve your issue quicker.thanks |
 |
|
|
erico
Starting Member
34 Posts |
Posted - 2007-04-19 : 13:56:46
|
| Yes a program is also a show |
|
|
|
erico
Starting Member
34 Posts |
Posted - 2007-04-19 : 13:59:35
|
| The reason it's long is because "based on my personal experience with forums" is that if you make it short someone will say there wasn't enough information. Ok then which forum should it posted in? |
|
|
|
erico
Starting Member
34 Posts |
Posted - 2007-04-19 : 14:08:26
|
| Still working on your suggestion but I did an initial test and this is what I got:Microsoft VBScript compilation error '800a03ea'Syntax error/test/defaultweekday6.asp, line 210tbl1 = Select * from T_Programs a-------^ |
|
|
|
Vinnie881
Master Smack Fu Yak Hacker
1231 Posts |
Posted - 2007-04-19 : 14:18:36
|
| The code I posted wasn't a literal translation, it was just to illustrate the methodology.Also there is a forum specificly for ASP.net on here.Unfortantly all my programming has been done with either c# or vb.net using a seperate code page, so the syntex is slightly differant. Hope this helps. |
|
|
|
erico
Starting Member
34 Posts |
Posted - 2007-04-19 : 14:22:31
|
| Oh I see asp.net. Sorry didn't mean to post in the wrong forum. Yeah I didn't think it should be taken literally. But thanks for getting started. So will I get in trouble if I post this on this website but in the asp.net forum? |
|
|
|
Vinnie881
Master Smack Fu Yak Hacker
1231 Posts |
Posted - 2007-04-19 : 14:53:23
|
| I would keep it in here, a admin can move it if they choose to.More people seem to read this forum anyway. |
|
|
|
erico
Starting Member
34 Posts |
Posted - 2007-04-19 : 17:55:35
|
Ok I've been trying to find definitions for errors and to understand how to fix this code to make it show the correct information. However I'm still trying to find answers online. Based on my code below could you suggest some web addresses that could help me figure out what I'm missing in my code?<!-- BEGINNING OF THE GUESTS AND LINKS SECTION --><% set con = Server.CreateObject("ADODB.Connection") con.Open "File Name=E:\webservice\company\company.UDL" set rs = Server.CreateObject("ADODB.Recordset")id=request.querystring("id") 'If this line is commented out the page will be blank. 'However you can still append a record number to the end of the URL and display that one.IF id <> "" then id=id else id="9726" end if 'This line shows the default record of 9726. If this line is commented out the page will ONLY show the default record but will NOT allow you'to append a different numbertbl1 = Select * from T_Programs where a.ID = @ID CASE IDtb2 = Select * from T_ProgramGuests where a.ID = @IDtb3 = Select * from T_ProgramLinks where A.id = @ID'strSQL = "SELECT *, Air_Date AS Expr1, Unit AS Expr2 FROM TestTable WHERE (Air_Date = CONVERT(varchar(10), GETDATE(), 101)) AND (Unit = 'TB')"rs.Open strSQL,con 'open a connection to the database%><%dim dr as datarowfor each dr in tb1.rowsdr("ID")'This is where you would add your code to add the show'You would get the field info by using dr("fieldname")nextfor each dr in tbl2.rowsdr("GuestName")'This is where you would add your code to add the Guests'You would get the field info by using dr("fieldname")nextfor each dr in tbl3.rowsdr("URL")'This is where you would add your code to add the Links'You would get the field info by using dr("fieldname")next<br /><strong><% Response.Write RS ("GuestName") %> </strong> <% Response.Write RS("GuestDescription") %><br /><br />Related Links:<br /><li class='basic'><A HREF="<%= RS("URL") %>"><%= RS("Description") %></A></li><!-- END OF THE GUESTS AND LINKS SECTION -->I'm trying to find answers for this message:Syntax error/test/defaultweekday6.asp, line 210tb1 = Select * from T_Programs a------^I'm sure there isn't much more I need to add or modify to get this code working. Any suggestions? |
|
|
|
LoztInSpace
Aged Yak Warrior
940 Posts |
Posted - 2007-04-19 : 23:01:06
|
| You've got a nice SQL injection potential there. You must use parameters on your query not :blah blah ....ProgramGuests.ProgramID = '" & id & "')"Doesn't help your problem but you should be aware of it before someone trashes your database. |
|
|
|
erico
Starting Member
34 Posts |
Posted - 2007-04-20 : 11:28:10
|
| Thanks Lotz but that doesn't tell me anything. I need parameters. Great which type? SQL injections are over my head until I understand how to code better and can grasp what injections are all about.Can you suggest some websites that would explain this in simple terms? I am very familure with W3C but there stuff is too general and not specific enough to fit what I'm trying to do. |
|
|
|
erico
Starting Member
34 Posts |
Posted - 2007-04-20 : 11:54:17
|
| Ok I found a website that explains injections pretty well. I'm beginning to grasp how real the changes are. However I still have to get this asp page to work. The ID thing is not just bad coding on my part. It's a requirement from my manager. I'm not asking you to write out the solution for me but if you could provide me some hints or a website that has examples that at least closely relate to what I'm doing, that would be very helpful.Thanks again for helping me realize the security risk. |
|
|
|
erico
Starting Member
34 Posts |
Posted - 2007-04-20 : 11:55:52
|
| I forgot to put this URL in my last quick reply. This is where I found information about injections.http://www.securiteam.com/securityreviews/5DP0N1P76E.html |
|
|
|
|
result set by id and date