My web site was attacked with a nasty SQL injection. I took the site off-line for sanitizing; in the meantime my research points toward using SQL stored procedures and parameterization as best practice.
I wrote the following SP:
set ANSI_NULLS ON
set QUOTED_IDENTIFIER ON
go
ALTER PROCEDURE [dbo].[sp_add_user] @Param1 int, @Param2 varchar(25), @Param3 varchar(100), @Param4 ntext
AS
Begin
INSERT INTO MyTable (column1, column2, column3, column4)
VALUES (@param1, @param2, @param3, @param4)
End
And my ASP looks like the following:
Dim objConn
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open strPegaDBConnString
Set objCmd = Server.CreateObject("ADODB.Command")
'Set the database connection to use
Set objCmd.ActiveConnection = objConn
'Set the name of the procedure and that it is a store procedure
objCmd.CommandText = usp_add_applicant 'strProcedureName
objCmd.CommandType = adCmdStoredProc
parm1 = (Request.Form.Item("Field1"))
parm2 = (Request.Form.Item("Field2"))
parm3 = (Request.Form.Item("Field3"))
parm4 = (Request.Form.Item("Field4"))
Execute usp_add_user (parm1, parm2, parm3, parm4)
When I submit the form, I get the following error:
Microsoft VBScript runtime error '800a000d'
Type mismatch: 'usp_add_user'
ThankYou.asp, line 59
Here is line 59:
Execute usp_add_user (parm1, parm2, parm3, parm4)
Where did I go wrong? Any help is appreciated.
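As an added example (not the poster's code), here is the form handler rewritten to pass each value as a typed ADO parameter, which is what makes the stored-procedure call injection-resistant. It assumes the procedure is dbo.usp_add_user with the four parameters declared above, that strPegaDBConnString holds a valid connection string, and that the form fields are Field1 to Field4.

```vbscript
' Added example, not the poster's code: call the stored procedure through
' ADODB.Command with typed parameters so form values never become SQL text.
' Assumptions: procedure dbo.usp_add_user (@Param1 int, @Param2 varchar(25),
' @Param3 varchar(100), @Param4 ntext) and a valid strPegaDBConnString.

' ADO constants (normally supplied by adovbs.inc or the ADODB type library)
Const adCmdStoredProc    = 4
Const adParamInput       = 1
Const adInteger          = 3
Const adVarChar          = 200
Const adLongVarWChar     = 203
Const adExecuteNoRecords = 128

Dim objConn, objCmd, sField1, sField4
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open strPegaDBConnString

Set objCmd = Server.CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandText = "dbo.usp_add_user"   ' must match the name in the ALTER PROCEDURE
objCmd.CommandType = adCmdStoredProc

' Validate the integer field in script before it reaches ADO: CLng on
' non-numeric input would itself raise a type mismatch, so reject it first.
sField1 = Trim(Request.Form("Field1"))
If Not IsNumeric(sField1) Then
    Response.Write "Field1 must be a whole number."
    Response.End
End If
sField4 = Request.Form("Field4")

' Each parameter carries its SQL type and declared width; the value travels
' separately from the SQL text, so quotes or comment markers stay literal data.
' Left() trims to the column width so ADO does not reject an oversized value.
objCmd.Parameters.Append objCmd.CreateParameter("@Param1", adInteger, adParamInput, , CLng(sField1))
objCmd.Parameters.Append objCmd.CreateParameter("@Param2", adVarChar, adParamInput, 25, Left(Request.Form("Field2"), 25))
objCmd.Parameters.Append objCmd.CreateParameter("@Param3", adVarChar, adParamInput, 100, Left(Request.Form("Field3"), 100))
' ntext maps to adLongVarWChar; the size is the length of the value being sent
objCmd.Parameters.Append objCmd.CreateParameter("@Param4", adLongVarWChar, adParamInput, Len(sField4) + 1, sField4)

' The INSERT returns no rows, so tell ADO not to build a Recordset.
objCmd.Execute , , adExecuteNoRecords

objConn.Close
Set objCmd = Nothing
Set objConn = Nothing
```

The poster's `Execute usp_add_user (...)` line is a VBScript `Execute` statement applied to an undeclared name, which is why the runtime reports a type mismatch on `usp_add_user`; the call has to go through `objCmd.Execute` as above. Note also that the procedure is created as `sp_add_user` while the ASP sets `CommandText` to `usp_add_applicant`, so the names need to agree.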