Update Record Parameter Variable SQL injection

Hello... Please advise how to correct the code. The update record field recordcurrent is a Y/N checkbox field with radio buttons for selecting the response, with the default as N. Here is the code that has an error:
MM_editCmd.Parameters.Append MM_editCmd.CreateParameter("param11", 5, 1, -1, MM_IIF(Request.Form("RecordCurrentCheck"), Request.Form("RecordCurrentCheck"), null)) ' adDouble
The code for the recordset follows:
<input <%If (CStr((eprofile.Fields.Item("RecordCurrent").Value)) = CStr("Y")) Then Response.Write("checked=""checked""") : Response.Write("")%> type="radio" name="RecordCurrentCheck" value="Y">
Yes
<input <%If (CStr((eprofile.Fields.Item("RecordCurrent").Value)) = CStr("N")) Then Response.Write("checked=""checked""") : Response.Write("")%> type="radio" name="RecordCurrentCheck" value="N" checked>
Should there be a second CreateParameter based on there being two buttons?
Thank you for your assistance,
Much confused one,
Lara

Try...
<input <%If (CStr((eprofile.Fields.Item("RecordCurrent").Value)) = CStr("Y")) Then Response.Write("checked='checked'")%> type="radio" name="RecordCurrentCheck" value="Y"> Yes
<input <%If (CStr((eprofile.Fields.Item("RecordCurrent").Value)) = CStr("N")) Then Response.Write("checked='checked'")%> type="radio" name="RecordCurrentCheck" value="N"> No

Similar Messages

  • Update records using Pl/Sql procedure

    Hi
    I have written a stored procedure to update the Organisation_Name in a table based on the Full_Org_Nm of another table.
    Though the procedure got executed successfully, it is not updating the records.
    I even tried executing the procedure by writing Execute <Procedure name>; the database hung.
    Please find my procedure below.
    Create or Replace
    PROCEDURE UPDT_ISSUE_USR_ROLE
    As
    Cursor cur_user_role Is
    Select a.org_id,a.user_id
    from prts_user a,issue_user_role b
    where a.user_id=b.user_id;
    v_rows_processed Number:=0;
    Begin
    For rec in cur_user_role Loop
    update Issue_user_role
    set User_org_nm=(Select full_org_nm from VW_Org where org_id=rec.org_id)
    Where Issue_User_Role.rowid in
    (select issue_user_role.rowid
    FROM issue_user_role,issue,issue_workflow,Issue_step_dtl_wrkflw
    Where Issue_User_Role.Issue_Id=Issue.Issue_id
    And Issue_User_Role.Issue_id=issue_workflow.issue_id
    And Issue_User_Role.Workflow_compnt_id=Issue_Workflow.CURR_STEP_WORKFLOW_COMPNT_ID
    And Issue_User_Role.Workflow_compnt_id=Issue_Step_Dtl_wrkflw.Workflow_compnt_id
    And Issue_User_Role.Issue_id=Issue_Step_Dtl_wrkflw.Issue_Id
    And Issue.Issue_id=Issue_workflow.Issue_Id
    And Issue.Issue_id=Issue_Step_Dtl_Wrkflw.Issue_id
    And Issue_workflow.Issue_id=Issue_Step_Dtl_Wrkflw.Issue_id
    And Issue_Workflow.CURR_STEP_WORKFLOW_COMPNT_ID=Issue_Step_Dtl_wrkflw.Workflow_compnt_id
    And issue_workflow.primry_workflow_flag='Y'
    And issue_user_role.user_id = rec.user_id
    And issue.issue_status_id in (1636,50738,275,50737,2090)
    And issue_step_dtl_wrkflw.Issue_step_status_id in (61248,61249,61250));
    v_rows_processed :=v_rows_processed + SQL%ROWCOUNT;
    End Loop;
    COMMIT;
    dbms_output.enable;
    dbms_output.put_line('There were '||v_rows_processed||' rows updated');
    End;
    Please let me know where i am wrong.
    Thanks in advance.
    Cheers

    Hi Blushadow
    Now if i want to update say only 10 records at a time what should i put into my Proc?
    Please go thru my Proc below..
    CREATE OR REPLACE PROCEDURE PRTS.UPDT_ISSUE_USR_ROLE
    As
    Cursor cur_user_role Is
    Select a.org_id,a.user_id
    from prts_user a,issue_user_role b
    where a.user_id=b.user_id;
    upd_rec cur_user_role%rowtype;
    v_rows_processed Number:=0;
    Begin
    Open cur_user_role;
    Loop
    Fetch cur_user_role into upd_rec;
    If cur_user_role%NOTFOUND
    Then
    Exit;
    Else
    update Issue_user_role
    set User_org_nm=(Select full_org_nm from VW_Org where org_id=upd_rec.org_id)
    Where Issue_User_Role.rowid in
    (select issue_user_role.rowid
    FROM issue_user_role,issue,issue_workflow,Issue_step_dtl_wrkflw
    Where Issue_User_Role.Issue_Id=Issue.Issue_id
    And Issue_User_Role.Issue_id=issue_workflow.issue_id
    And Issue_User_Role.Workflow_compnt_id=Issue_Workflow.CURR_STEP_WORKFLOW_COMPNT_ID
    And Issue_User_Role.Workflow_compnt_id=Issue_Step_Dtl_wrkflw.Workflow_compnt_id
    And Issue_User_Role.Issue_id=Issue_Step_Dtl_wrkflw.Issue_Id
    And Issue.Issue_id=Issue_workflow.Issue_Id
    And Issue.Issue_id=Issue_Step_Dtl_Wrkflw.Issue_id
    And Issue_workflow.Issue_id=Issue_Step_Dtl_Wrkflw.Issue_id
    And Issue_Workflow.CURR_STEP_WORKFLOW_COMPNT_ID=Issue_Step_Dtl_wrkflw.Workflow_compnt_id
    And issue_workflow.primry_workflow_flag='Y'
    And issue_user_role.user_id = upd_rec.user_id
    And issue.issue_status_id in (1636,50738,275,50737,2090)
    And issue_step_dtl_wrkflw.Issue_step_status_id in (61248,61249,61250));
    v_rows_processed :=v_rows_processed + SQL%ROWCOUNT;
    If Mod (v_rows_processed,v_rows_processed)=10
    then
    COMMIT;
    End if;END IF;
    End Loop;
    Commit;
    dbms_output.enable(1000000);
    dbms_output.put_line('There were '||v_rows_processed||' rows updated');
    Close cur_user_role;
    End;
    I would appreciate it if you can let me know any other alternative way to meet this requirement.
    Cheers
    Vineet

  • Update Record problem

    Hi,
    I am having a problem with UPDATE RECORD in DW/MX2004; I am using JSP/Oracle DB.
    I created a search page, result page and update page. When the condition was found, the result page displayed the result with the link to the right record, which opened the record data; however, when I made changes and clicked the "Update Record" button, nothing got updated in the database.
    Does anyone know what went wrong? Appreciate your help.
    Regards.
    Attached is the update file code.
    <%
    // *** Edit Operations: declare variables
    // set the form action variable
    String MM_editAction = request.getRequestURI();
    if (request.getQueryString() != null && request.getQueryString().length() > 0) {
      String queryString = request.getQueryString();
      String tempStr = "";
      for (int i=0; i < queryString.length(); i++) {
        if (queryString.charAt(i) == '<') tempStr = tempStr + "&lt;";
        else if (queryString.charAt(i) == '>') tempStr = tempStr + "&gt;";
        else if (queryString.charAt(i) == '"') tempStr = tempStr + "&quot;";
        else tempStr = tempStr + queryString.charAt(i);
      }
      MM_editAction += "?" + tempStr;
    }
    // connection information
    String MM_editDriver = null, MM_editConnection = null, MM_editUserName = null, MM_editPassword = null;
    // redirect information
    String MM_editRedirectUrl = null;
    // query string to execute
    StringBuffer MM_editQuery = null;
    // boolean to abort record edit
    boolean MM_abortEdit = false;
    // table information
    String MM_editTable = null, MM_editColumn = null, MM_recordId = null;
    // form field information
    String[] MM_fields = null, MM_columns = null;
    %>
    <%
    // *** Update Record: set variables
    if (request.getParameter("MM_update") != null &&
        request.getParameter("MM_update").toString().equals("fr_update") &&
        request.getParameter("MM_recordId") != null) {
      MM_editDriver = MM_webtrain_db_DRIVER;
      MM_editConnection = MM_webtrain_db_STRING;
      MM_editUserName = MM_webtrain_db_USERNAME;
      MM_editPassword = MM_webtrain_db_PASSWORD;
      MM_editTable = "WEBTRAIN.COURSE_NAME";
      MM_editColumn = "C_NAME";
      MM_recordId = "'" + request.getParameter("MM_recordId") + "'";
      MM_editRedirectUrl = "search_page.jsp";
      String MM_fieldsStr = "C_NAME|value|C_DESC|value|MODULE1|value|MOD1_LOC|value|QUIZ1_NAME|value|QUIZ1_LOC|value";
      String MM_columnsStr = "C_NAME|',none,''|C_DESC|',none,''|MODULE1|',none,''|MOD1_LOC|',none,''|QUIZ1_NAME|',none ,''|QUIZ1_LOC|',none,''";
      // create the MM_fields and MM_columns arrays
      java.util.StringTokenizer tokens = new java.util.StringTokenizer(MM_fieldsStr,"|");
      MM_fields = new String[tokens.countTokens()];
      for (int i=0; tokens.hasMoreTokens(); i++) MM_fields[i] = tokens.nextToken();
      tokens = new java.util.StringTokenizer(MM_columnsStr,"|");
      MM_columns = new String[tokens.countTokens()];
      for (int i=0; tokens.hasMoreTokens(); i++) MM_columns[i] = tokens.nextToken();
      // set the form values
      for (int i=0; i+1 < MM_fields.length; i+=2) {
        MM_fields[i+1] = ((request.getParameter(MM_fields[i])!=null)?(String)request.getParameter(MM_fields[i]):"");
      }
      // append the query string to the redirect URL
      if (MM_editRedirectUrl.length() != 0 && request.getQueryString() != null) {
        MM_editRedirectUrl += ((MM_editRedirectUrl.indexOf('?') == -1)?"?":"&") + request.getQueryString();
      }
    }
    %>
    <%
    // *** Update Record: construct a sql update statement and execute it
    if (request.getParameter("MM_update") != null &&
        request.getParameter("MM_recordId") != null) {
      // create the update sql statement
      MM_editQuery = new StringBuffer("update ").append(MM_editTable).append(" set ");
      for (int i=0; i+1 < MM_fields.length; i+=2) {
        String formVal = MM_fields[i+1];
        String elem;
        java.util.StringTokenizer tokens = new java.util.StringTokenizer(MM_columns[i+1],",");
        String delim = ((elem = (String)tokens.nextToken()) != null && elem.compareTo("none")!=0)?elem:"";
        String altVal = ((elem = (String)tokens.nextToken()) != null && elem.compareTo("none")!=0)?elem:"";
        String emptyVal = ((elem = (String)tokens.nextToken()) != null && elem.compareTo("none")!=0)?elem:"";
        if (formVal.length() == 0) {
          formVal = emptyVal;
        } else {
          if (altVal.length() != 0) {
            formVal = altVal;
          } else if (delim.compareTo("'") == 0) { // escape quotes
            StringBuffer escQuotes = new StringBuffer(formVal);
            for (int j=0; j < escQuotes.length(); j++)
              if (escQuotes.charAt(j) == '\'') escQuotes.insert(j++,'\'');
            formVal = "'" + escQuotes + "'";
          } else {
            formVal = delim + formVal + delim;
          }
        }
        MM_editQuery.append((i!=0)?",":"").append(MM_columns[i]).append(" = ").append(formVal);
      }
      MM_editQuery.append(" where ").append(MM_editColumn).append(" = ").append(MM_recordId);
      if (!MM_abortEdit) {
        // finish the sql and execute it
        Driver MM_driver = (Driver)Class.forName(MM_editDriver).newInstance();
        Connection MM_connection = DriverManager.getConnection(MM_editConnection,MM_editUserName,MM_editPassword);
        PreparedStatement MM_editStatement = MM_connection.prepareStatement(MM_editQuery.toString());
        MM_editStatement.executeUpdate();
        MM_connection.close();
        // redirect with URL parameters
        if (MM_editRedirectUrl.length() != 0) {
          response.sendRedirect(response.encodeRedirectURL(MM_editRedirectUrl));
          return;
        }
      }
    }
    %>
    <%
    String rs_update__MMColParam = "1";
    if (request.getParameter("C_NAME") !=null) {rs_update__MMColParam = (String)request.getParameter("C_NAME");}
    %>
    <%
    Driver Driverrs_update = (Driver)Class.forName(MM_webtrain_db_DRIVER).newInstance();
    Connection Connrs_update = DriverManager.getConnection(MM_webtrain_db_STRING,MM_webtrain_db_USERNAME,MM_webtrain_db_PASSWORD);
    PreparedStatement Statementrs_update = Connrs_update.prepareStatement("SELECT * FROM WEBTRAIN.COURSE_NAME WHERE C_NAME = '" + rs_update__MMColParam + "'");
    ResultSet rs_update = Statementrs_update.executeQuery();
    boolean rs_update_isEmpty = !rs_update.next();
    boolean rs_update_hasData = !rs_update_isEmpty;
    Object rs_update_data;
    int rs_update_numRows = 0;
    %>

    $colname_rs = "-1";
    if (isset($_SESSION['username'])) {
      $colname_rs = $_SESSION['username'];
    }
    $colname2_rs = "-1";
    if (isset($_SESSION['password'])) {
      $colname2_rs = $_SESSION['password'];
    }
    mysql_select_db($database_connDB, $connDB);
    $query_rs = sprintf("SELECT * FROM company WHERE username = %s and password = %s LIMIT 1", GetSQLValueString($colname_rs, "text"), GetSQLValueString($colname2_rs, "text"));
    $rs = mysql_query($query_rs, $connDB) or die(mysql_error());
    $row_rs = mysql_fetch_assoc($rs);
    $totalRows_rs = mysql_num_rows($rs);
    if ($row_rs['cid'] != "") {
      $editFormAction = $_SERVER['PHP_SELF'];
      if (isset($_SERVER['QUERY_STRING'])) {
        $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
      }
      $updateSQL = sprintf("UPDATE company SET loggedin=%s WHERE cid=%s",
        GetSQLValueString(0, "int"),
        GetSQLValueString($row_rs['cid'], "int"));
      mysql_select_db($database_connDB, $connDB);
      $Result1 = mysql_query($updateSQL, $connDB) or die(mysql_error());
    }

  • SQL Injection Discussion

    Hello, I have found a lot of discussion about the SQL Injection.
    Seems like it is very famous issue nowadays.
    I am currently doing some findings on the SQL injection and hopefully this thread may give some benefits to everyone.
    1. has SQLIA been resolved nowadays?
    2. where can SQLIA be launched? is it only from the front-end of the website (eg. login form) or can it also attack the database directly? if it can, how can it be done? How can the type of attack be determined, whether it is launched from the application or anywhere else?
    3. Which is better? whether to prevent the SQLIA at the application layer or database layer?
    My focus is to prevent the SQLIA in the web application itself for example by using data validation.
    That's all for this post. Thank you so much.
    Regards, hus..

    SQL statements that use bind variables are not vulnerable to SQL injection attacks (well, not practically vulnerable). There is a small risk that if the database is unpatched someone might be able to exploit a buffer overflow in some Oracle-delivered function that your query is using but that's not a realistic threat scenario.
    There is plenty of documentation available online. For example a Google search on "bind variable" "sql injection" returns as the top result this PDF- An Introduction to SQL Injection Attacks in Oracle which discusses bind variables in some detail. In the top 5 results is this Oracle documentation on avoiding SQL injection in PL/SQL which discusses using bind variables.
    Justin
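As an added example, not taken from any of the posts above, here is the concatenated lookup pattern of the Dreamweaver JSP code beside the bind-variable form Justin describes, plus a bound UPDATE of the Y/N RecordCurrent flag from the first post, run against a constructed SQLite table. The table name, column names, sample rows and the fall-back to N for a missing radio value are assumptions for the demonstration.

```python
import sqlite3
from typing import List, Optional

# Constructed sample rows standing in for the COURSE_NAME table and the
# RecordCurrent Y/N flag mentioned in the posts above.
SAMPLE_ROWS = [
    ("Intro", "Introductory course", "Y"),
    ("Advanced", "Advanced course", "Y"),
    ("Legacy", "Retired course", "N"),
]

ALLOWED_FLAGS = {"Y", "N"}


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE course_name ("
        "c_name TEXT PRIMARY KEY, c_desc TEXT, record_current TEXT)"
    )
    conn.executemany("INSERT INTO course_name VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_concatenated(conn: sqlite3.Connection, c_name: str) -> List[str]:
    """Same shape as the generated JSP: the request value is spliced into the
    SQL text, so a quote in the input changes the statement, not just the data."""
    sql = "SELECT c_name FROM course_name WHERE c_name = '" + c_name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn: sqlite3.Connection, c_name: str) -> List[str]:
    """Bind-variable form: the statement text is fixed and the value travels
    separately, so it can only ever be compared as data."""
    rows = conn.execute(
        "SELECT c_name FROM course_name WHERE c_name = ?", (c_name,)
    )
    return [row[0] for row in rows]


def concatenated_query_breaks(conn: sqlite3.Connection, c_name: str) -> bool:
    """True if the concatenated query fails to parse for this input, the same
    symptom the APEX post reports as ORA-00911, reproduced here on SQLite."""
    try:
        lookup_concatenated(conn, c_name)
        return False
    except sqlite3.OperationalError:
        return True


def set_record_current(conn: sqlite3.Connection, c_name: str,
                       flag: Optional[str]) -> int:
    """Bound UPDATE of the Y/N flag. A missing radio value falls back to 'N'
    (assumed, following the form default in the first post); anything outside
    the allowlist is rejected before it reaches the database (assumed policy).
    Returns the number of rows updated."""
    value = "N" if not flag else flag
    if value not in ALLOWED_FLAGS:
        raise ValueError("RecordCurrentCheck must be Y or N, got %r" % value)
    cur = conn.execute(
        "UPDATE course_name SET record_current = ? WHERE c_name = ?",
        (value, c_name),
    )
    conn.commit()
    return cur.rowcount


def record_current(conn: sqlite3.Connection, c_name: str) -> Optional[str]:
    """Read back the flag for one course (None if the course does not exist)."""
    row = conn.execute(
        "SELECT record_current FROM course_name WHERE c_name = ?", (c_name,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    name = "O'Neil"                               # an apostrophe is ordinary data
    print(concatenated_query_breaks(db, name))    # True: the statement no longer parses
    print(lookup_bound(db, name))                 # []: matched nothing, no error
    print(set_record_current(db, "Legacy", "Y"), record_current(db, "Legacy"))
```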

  • Record type variables in the SQL database trace file

    Hi,
    I turned on the trace with binds and waits in a ebusiness form and captured the database SQL trace file. It lists the values for the generic datatypes for the call, but does not list the values of record type variables. Is there a way to identify the values of record type variables? The below section lists the procedure call and the values passed. Thanks in advance.
    RPC CALL:PROCEDURE APPS.HZ_PARTY_SEARCH.FIND_PARTY_DETAILS(P_INIT_MSG_LIST IN VARCHAR2, P_RULE_ID IN NUMBER, P_PARTY_SEARCH_REC IN PARTY_SEARCH_REC_TYPE, P_PARTY_SITE_LIST IN PARTY_SITE_LIST, P_CONTACT_LIST IN CONTACT_LIST, P_CONTACT_POINT_LIST IN CONTACT_POINT_LIST, P_RESTRICT_SQL IN VARCHAR2, P_MATCH_TYPE IN VARCHAR2, P_SEARCH_MERGED IN VARCHAR2, X_SEARCH_CTX_ID OUT NUMBER, X_NUM_MATCHES OUT NUMBER, X_RETURN_STATUS OUT VARCHAR2, X_MSG_COUNT OUT NUMBER, X_MSG_DATA OUT VARCHAR2);
    RPC BINDS:
    bind 0: dty=1 bfp=2ae5927c13c8 flg=08 avl=01 mxl=01 val="T"
    bind 1: dty=6 bfp=2ae5927c13f0 flg=00 avl=02 mxl=22 val=8
    bind 2: dty=118 bfp=2ae593432e48 flg=00 avl=00 mxl=00 val=00
    bind 3: dty=251 bfp=2ae5929ac0b8 flg=00 avl=1944 mxl=00 val=00
    bind 4: dty=251 bfp=2ae592d85548 flg=00 avl=5336 mxl=00 val=00
    bind 5: dty=251 bfp=2ae592d84d58 flg=00 avl=4984 mxl=00 val=00
    bind 6: dty=1 bfp=2ae5927c1550 flg=08 avl=125 mxl=2000 val="exists (select 'x' from hz_parties where party_id =stage.party_id and party_type = 'ORGANIZATION') and party_id <>1002277174"
    bind 7: dty=1 bfp=2ae5927c1d50 flg=0a avl=00 mxl=00 val=""
    bind 8: dty=1 bfp=2ae5927c1d80 flg=08 avl=01 mxl=01 val="I"
    bind 9: dty=6 bfp=2ae5927c1da8 flg=02 avl=00 mxl=22 val=00
    bind 10: dty=6 bfp=2ae5927c1de0 flg=02 avl=00 mxl=22 val=00
    bind 11: dty=1 bfp=2ae5927c1e28 flg=0a avl=00 mxl=01 val=""
    bind 12: dty=6 bfp=2ae5927c1e50 flg=02 avl=00 mxl=22 val=00
    bind 13: dty=1 bfp=2ae5927c1e98 flg=0a avl=00 mxl=2000 val=""

    Hello,
    From the sounds of it, when you are adding a child the application is not maintaining the Company's reference to it. For instance, in a 1:M and M:1 relationship, the application seems to be setting only the M:1 part (child to parent) which will cause the database to be updated, but both sides need to be set to keep the cache in synch with the database.
    Setting the cache type to be none is not a good idea - it prevents any caching, which will hurt performance and object identity. What instead is recommended is disabling the shared cache using the
    toplink.cache.shared.<ENTITY>=false property. This still might not help though if the Company's reference to the child hasn't been set as mentioned above if you are reading Company from the same context you are adding the child.
    The Cache is described for TopLink Essentials in the blog at:
    http://weblogs.java.net/blog/guruwons/archive/2006/09/understanding_t.html
    Best Regards,
    Chris

  • Update record server behavior preventing passage of form parameter in php

    I have a multi-page survey set up in php. I am trying to pass a form variable to the next page, but the 'update record' server behavior is preventing me from passing the variable to the next page. I have tried including the variable as a parameter in the url, but this is not working either. Please help.

    Can you not pass it onto the next page using a SESSION?
    As an example say you want to pass the information from a form field with the name 'company' to another page.
    At the top of the page that the form is submitted to you start a SESSION - <?php session_start(); ?> - then you collect the information from the form as normal BUT using a SESSION variable - $_SESSION['company']
    The resulting php code might look like below:
    <?php
    session_start();
    $_SESSION['company'] = $_POST['company'];
    ?>
    Then you can pass the SESSION variable on to as many pages as you like:
    So for instance the next page in the chain needs <?php session_start(); ?> at the top again to initiate a SESSION.
    Then the resulting code may look like below. The information from the form field 'company' is being passed from page to page.
    <?php session_start(); ?>
    <?php
    if(isset($_SESSION['company'])) {
      echo $_SESSION['company'];
    } else {
      echo "Company name is not set";
    }
    ?>

  • SQL Injection and variable substitutions

    Hello helpful forum, I'm trying to understand what really goes on "behind" the scenes with the variable substitutions in order to protect from SQL injections.
    I'm using apex 3.0.0.00.20
    The trickiest component seems to be a Report of type "pl/sql returning sql", since multiple dynamic SQL interpretations are done there.
    Consider the following innocent-looking disaster:
    DECLARE
    l_out VARCHAR2(2000);
    BEGIN
    l_out := 'select * from test_injection t where t.name like ''%' || :NAME || '%''';
    RETURN l_out;
    END;
    If NAME is a single quote the report will return:
    failed to parse SQL query: ORA-00911: invalid character
    which hints at the fact that NAME is not escaped, and you are in fact able to access db functions as in: '||lower('S')||'
    I also tried to put there a function that runs in an autonomous transaction to log its calls, and I see that it's called five times for each request.
    Consider now the similar solution (notice the two single quotes):
    DECLARE
    l_out VARCHAR2(2000);
    BEGIN
    l_out := 'select * from test_injection t where t.name like ''%'' || :NAME || ''%''';
    RETURN l_out;
    END;
    With this second example nothing of the above is possible.
    So my theory (please confirm it or refute it) is that there is a first variable substitution done at the PL/SQL level (and in the second case :NAME is just a string so nothing is substituted). Then the dynamic SQL is executed and it returns the following string:
    select * from test_injection t where t.name like '%' || :NAME || '%'
    Now another substitution is done (at an "APEX" level) and then the query is finally executed to return the rows to the report.
    The tricky point seems to be that the first substitution doesn't escape the variable (hence the error with the single quote), while the second substitution does.
    Please let me know if this makes sense and what the proper guidelines are to avoid SQL injection with the different kinds of reports and components (SQL, pl/sql returning sql, processes, ...)
    Thanks

    Giovanni,
    You should build report regions like this using the second method so that all bind variables (colon followed by name) appear in the resultant varchar2 variable, l_out in your example, which will then be parsed as the report query. This addresses not only the SQL injection problem but the shared-pool friendliness problem.
    Scott

  • Sql injection update signature

    hi,
    we are currently comparing cisco ips to tippingpoint, i have a cisco ips in front and tippingpoint in the back, so we are checking if cisco ips is missing on a lot of stuff , and currently it is missing on SQL injection attacks and cross scripting, which seems to be the weak point in cisco ips, its missing a lot on sql injection signatures, i mean why a simple update/set command does not have a signature ?

    Thank you for your reply. Do you know how to get in contact with the IPS signature engineers at Cisco? I would like to share my comparison with them, as well as an attack that is passing all SQL injection signatures containing update but with u%pdate, and the SQL database is interpreting it as a normal update.

  • I need to update specific records(of variable lengths) in a file. I can get the correct record but when I update it(add info), it overwrites part of the record following it. I am using labview 6.0

    I need to update specific records(of variable lengths) in a file. I can get the correct record but when I update it(add or change info), it overwrites part of the record following it. I am using labview 6.0. I need to be able to insert information into the middle of a file without disturbing the data before and after

    It's hard to give more specifics without more detail, but in general you're going to need to read in the entire file, split it into three pieces (everything before the record of interest, the record itself, and everything after the record of interest), modify the record, reassemble the three pieces in proper order, and write the whole thing back to the file. Of course if the file is very large you might not want to actually implement it this way, but conceptually at least, this is what you are looking at. Is this file some sort of proprietary format?
    Mike...
    PS: this type of issue is why I really like databases...
    Certified Professional Instructor
    Certified LabVIEW Architect
    LabVIEW Champion
    "... after all, He's not a tame lion..."
    Be thinking ahead and mark your dance card for NI Week 2015 now: TS 6139 - Object Oriented First Steps
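The three-piece read, split, reassemble and write-back approach Mike describes, as an added example in Python rather than LabVIEW (not from the post). It assumes newline-delimited records and builds its own constructed sample file; the write-to-temp-and-rename step is an addition so that a crash mid-write cannot leave a half-written file.

```python
import os
import tempfile
from typing import List

# Assumed record delimiter; the post does not say how its records are separated.
RECORD_SEP = b"\n"


def read_records(path: str) -> List[bytes]:
    """Load the whole file and split it into records on the delimiter."""
    with open(path, "rb") as f:
        data = f.read()
    return data.split(RECORD_SEP) if data else []


def replace_record(path: str, index: int, new_record: bytes) -> None:
    """Replace record `index` with `new_record` of any length.

    Everything before the record, the record itself and everything after it
    are handled as three pieces, then joined and written back as a whole file.
    Nothing is overwritten in place, so the following record survives however
    much the edited record grows or shrinks.
    """
    if RECORD_SEP in new_record:
        raise ValueError("new record must not contain the record delimiter")
    records = read_records(path)
    if not 0 <= index < len(records):
        raise IndexError("record %d does not exist" % index)
    before, after = records[:index], records[index + 1:]
    data = RECORD_SEP.join(before + [new_record] + after)
    # Write a temporary file beside the original and rename it over the
    # original, so an interrupted write never leaves a truncated file behind.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.replace(tmp_path, path)
    except Exception:
        os.unlink(tmp_path)
        raise


def demo() -> List[bytes]:
    """Constructed example: three records, the middle one grows, the last survives."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "records.dat")
        with open(path, "wb") as f:
            f.write(RECORD_SEP.join([b"rec1", b"rec2", b"rec3"]))
        replace_record(path, 1, b"record two is now much longer")
        return read_records(path)


if __name__ == "__main__":
    print(demo())   # [b'rec1', b'record two is now much longer', b'rec3']
```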

  • Update record using SQL statement

    I have VB6.0 and Oracle 10G Express Edition in Windows 2000 Server. My procedure in VB 6.0 can't update record in the table using SQL statement, and the Error Message is " Missing SET keyword ".
    The SQL statement in VB6.0 look like this :
    General Declaration
    Dim conn as New ADODB.Connection
    Dim rs as New ADODB.Recordset
    Private Sub Command1_Click()
    dim sql as string
    sql = " UPDATE my_table " & _
    " SET Name = ' " & Text3.Text & " ' " & _
    " AND Unit = ' " & Text2.Text & " ' " & _
    " WHERE ID = ' " & Text1.Text & " ' "
    conn.Execute (sql)
    End Sub
    Private Sub Form_Load()
    Set conn = New ADODB.Connection
    conn.Open "Provider=MSDASQL;" & "Data Source=my_table;" & "User ID=marketing;" & "Password=pass123;"
    End Sub
    I'm sorry about my language.
    What's wrong in my SQL statement, I need help ........ asap
    Best Regards,
    /Harso Adjie

    The syntax should be
    UPDATE TABLE XX
    SET FLD_1 = 'xxxx',
    FLD_2 = 'YYYY'
    WHERE ...
    'AND' is improperly placed in the SET.

  • CFInsert/Update: protection against SQL injection?

    Hello,
    I'm trying to find out if the use of CFInsert or CFUpdate
    offers any protection against a SQL Injection attack. We are on a
    project that uses many CFInserts and Updates, and lack the time to
    rewrite new queries using CFQueryParam. Will a CFInsert or Update
    handle the situation?

    Validate every field before you get to the cfinsert/cfupdate tag, something you should have been doing anyway.

  • Deleting/Updating records from an object table in PL/SQL

    Hello All,
    VER:
    Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
    PL/SQL Release 11.2.0.3.0 - Production
    CORE     11.2.0.3.0     Production
    TNS for Linux: Version 11.2.0.3.0 - Production
    NLSRTL Version 11.2.0.3.0 - Production
    I have created an object and inserted records in it. Is there any way we can delete/update records from it. I do not want to delete based on iteration like delete.collection but I would like to know if we can delete directly from obj like delete from table...
    CREATE OR REPLACE TYPE test_type AS OBJECT (
    col1 number,
    col2 varchar2(100)
    );
    CREATE OR REPLACE TYPE tab_type is table of test_type;
    DECLARE
    test_tab tab_type;
    l_cnt NUMBER;
    BEGIN
    select test_type(col1,col2) bulk collect
    into test_tab from (select 1 as col1,'test1' as col2 from dual
                        union all
                        select 2,'test2' from dual);
    IF test_tab.count>0
    THEN
    DELETE FROM TABLE(CAST(test_tab as tab_type)) a
    where a.col1=1;
    END IF;
    l_cnt := test_tab.count;
    END;
    Thx
    Shank.

    SB,
    I have a scenario wherein I insert a few records into a collection table. I'm gonna filter a few records from the collection table based on the filter.
    I want to delete the records that didn't match the filter. Right now, I'm inserting the records into a physical table and deleting from there. I do not want to use a physical table. Trying to avoid it.
    Would like to delete from the collection itself.
    DELETE FROM TABLE(CAST(lv_attr_filter_tab as EDMS_CSPP_DISC_REQ_TAB_TYPE)) edrg
    WHERE NOT EXISTS (SELECT 1
                        FROM edms_disc_lines_stg edls
                       WHERE edls.req_id = edrg.request_id
                         AND edls.disc_line_id = edrg.discount_id
                         AND UPPER(edls.disc_status) IN ('ACTIVE'));

  • How do I pass URL parameter after Update record?

    I have an update record page that successfully updates a record, but when it is redirected to the page it came from it loses any parameters to filter record sets to obtain the correct records.
    When I try to use the Parameters dialog box from the Update Records "select a redirect" dialog box, it results in an error indicator in front of the Update Records line in the Server Behavior, and the web page ceases to update the records.
    How do I pass a parameter to the next page?
    Thanks

    I have found a workaround for this issue: select the Insert or Update button and add a hyperlink with parameter settings. The hyperlink has the same destination as the Insert Record behavior. When the button is clicked it performs the Insert and passes the parameters to the destination page.

  • SQL to check date and send email and Update Record

    Hi,
    USING ASP AND ACCESS
    I am implementing a classified section for my website and I am displaying everything successfully.
    When the user posts the classified he selects how many days he wants his POST, like 10 days, 20 days or 30 days, and I can successfully show the posts.
    So if the user posts on, say, 1st of July 2006 and selects 10 days for his post to be shown on my website,
    THEN
    on 8th July 2006 an email should go to him asking if he wants to keep his POST for another 10 days, 20 days or 30 days, with 3 links,
    and IF YES the 1st July 2006 date must be changed to Date of Post + Number of days selected initially + Number of days selected.
    I am using two columns in the DB for this date thing: one is the strPostDate and the other strAddDate.
    So basically the number of days selected for the post to be shown on the website keeps adding up each time the user clicks on the link for 10 days, 20 days or 30 days with 3 links.
    Please help, need it badly :-)

    Hi,
    How is the date format in the toolbox control panel?
    <[email protected]> wrote in message news:[email protected]...
    > OK, my bad. It is doing it as a yyyy-mm-dd format. Which is what I want. However, if I do go to update the page the good news is the correct date is in there in the correct format. However, if I click on the date picker, it starts out as April, 2192 and the scroll bar is over part of the Thursday dates in the calendar. This is on Firefox/Mac.
    >
    > Also if I click on the Update Record/Submit button at the bottom of the page, I get an error saying 'The date format is: mm/dd/yy' which is the real bug. Sorry for the mixup.

  • SQL Injection concerns

    I have been studying sql injection attacks and the mysql_real_escape function.
    I read the Adobe technote about sql injection and it noted that Dreamweaver 8.0 incorporates anti-sql injection code to prevent attacks, and it specifically refers to Add, Delete, and Update; Filtered Recordsets, and Login User server behaviors. Can anyone please confirm this to put my mind at ease?
    The Search form and results page uses a filtered recordset, so can I presume that it is guarded from attack?
    Can you tell me of any areas where I need to add anti-sql injection code myself?
    Thank you so much for your help!

    EviePhillips wrote:
    > The code on this second page (the one where the form posts to) ECHOs the form variables. Do I need to enter the mysql_real_escape_string around each of the ECHOed posted form variables?
    No, mysql_real_escape_string() is used only when inserting user input values into a database. You cannot use it without a database connection.
    However, you should pass the values to htmlentities() before displaying them in your page. You can do this by accessing the Format menu in the Dynamic Text dialog box. After using the Bindings panel to insert the value, switch to the Server Behaviors panel, and double-click the Dynamic Text entry to open the dialog box.
    > I am then going to use the ADD Record server behavior to add the data to my database from this page, which based on your counsel is fully protected from sql injection.
    >
    > You are very kind for sharing your knowledge!
    > EP
    >
    David Powers, Adobe Community Expert
    Author, "The Essential Guide to Dreamweaver CS4", "PHP Solutions" & "PHP Object-Oriented Solutions"
    http://foundationphp.com/
