Unanswered: Vbscript/SQL5 create rs in client side validation subroutine
I need to create a recordset (rs) inside, or pass it to, a subroutine for client side validation. I'm exhausted from trying; any direction is appreciated, especially if someone knows it cannot be done in VBScript with a SQL back end.
Before the subroutine the db connection is opened and multiple recordsets created.
Staying on the page, the data entries are only available via frmCheckOutOne.something.value in the subroutine after the onclick event.
98% of the code is in VBScript. With that said, here is the <form> onsubmit in JScript; I'm including this because I tried passing the rs through the form calling Validate():
<form id="ValidForm" action="../html/check_out_twoDirect.asp" method="post" NAME="frmCheckOutOne" onsubmit="Validate(); return false;" language="jscript">
The subroutine is basic, sits inside the <head> tags and works perfectly until creating/passing the rs is attempted; then the Sub ends abruptly and the next page is called. There is no error msg:
'sub validate goes here
Set frmCheckOutOne = Document.forms("ValidForm")
If Len(frmCheckOutOne.firstName.Value) = 0 Then
MsgBox "Please enter First Name as it appears on credit card ",64,"First Name request is blank"
Etc., ending the If statement with the following:
ElseIf Len(strPhone) <> 10 Then
MsgBox "Please enter Area Code and Phone Number " & chr(13) & "in numbers and dashes (-) " & chr(13) & "use format ###-###-####",64,"Phone Number error"
Then the Sub continues with more input validation conditional statements and ends with an attempt to create the rs. I'm not sure, but I think application("mydb") set in global.asa can be seen in the subroutine, or I would get an error. I know variables created in a Sub are local; just the same, I closed Conn and released the Conn and sq variables before the button. This is a sample of trying to create a rs:
If UCase(TypeName(Conn)) <> "CONNECTION" Then
    Dim Conn, sq, rs
    Set Conn = Server.CreateObject("ADODB.Connection")
    Set rs = Server.CreateObject("ADODB.Recordset")   ' rs must exist before its properties can be set
    Set rs.ActiveConnection = Conn
    rs.Source = sq
    rs.CursorType = 3      ' adOpenStatic
    rs.CursorLocation = 3  ' adUseClient
    rs.LockType = 1        ' adLockReadOnly
    rs.Open                ' RecordCount is only meaningful after the recordset is opened
    If rs.RecordCount < 1 Then
        MsgBox "The City, State and Zip Code entry do not verify " & Chr(13) & "Please check and re-enter ", 64, "Shipping destination error"
    End If
End If
As a precaution, the next page validates pretty much the same input on the server side and redirects if there is a problem. Part of the code uses the web to check with the shipping carrier whether City, State and Zip are part of a real address, making the program time dependent on internet traffic. Best to first capture and verify client side.
Thank you in advance, Marty
Last edited by MartyOcean; 05-19-12 at 19:17.
Reason: left out " ) " - still doesn't work
Where are you consuming this from? Are the users able to see the SQL server at all?
One standard approach would be to set up a web service and make your call with AJAX, perhaps returning JSON. You can't make a straight ADODB call unless your users can see the server. Even then, I wouldn't be too crazy about letting users hit the DB directly or even know what table(s) they're hitting.
I'm not familiar with .NET or AJAX coding; I write mostly in conventional VBScript and Transact-SQL. The users (I believe you mean customers filling out the <form>) are never allowed to see or touch the server/dbf/tables. After entering data and submitting, the program checks the input against table data. Before submitting is done, an ADODB connection is made, but the input data is not available to query a table.
The validation is done with a vbscript procedure. How do you open an ADODB connection and create a record set with a vbscript subroutine procedure or function procedure?
"I'm not familiar with .NET or AJAX coding; I write mostly in conventional VBScript and Transact-SQL. The users (I believe you mean customers filling out the <form>) are never allowed to see or touch the server/dbf/tables."
If you don't even know what framework you're using, STOP RIGHT NOW and go through some basic tutorials about either ASP Classic or ASP.NET to understand the massive fundamental differences between what you're used to and what you're trying to do now. There are even massive fundamental differences between ASP classic and ASP.NET, so much so that the only things they have in common is some syntax and three letters in the product name. As far as web applications vs what you're used to... in order to enable users to hit a database from the web browser, you need to send them everything they need to make the call... including credentials. It is trivial for a moderately savvy user to inspect anything you send them. It doesn't have to be printed in the browser for them to see it with very little effort.
If you make a clientside db call from a browser on a public facing website using ADODB, you just sent your database credentials to the whole world and exposed your client to security vulnerabilities which if exploited could result in all kinds of interesting legal trouble. This isn't a design decision to be taken lightly. Don't put yourself in a position where you have to answer the question of why your client is facing prosecution due to your choices with, "I don't know anything about web applications so I used vbscript instead". You KNOW you have no clue how the platform you're using works. You just said as much. Fix that before continuing on.
My platform is ASP Classic VBScript; I don't know why I said "conventional VBScript".
"you need to send them everything they need to make the call... including credentials. It is trivial for a moderately savvy user to inspect anything you send them. It doesn't have to be printed in the browser for them to see it with very little effort."
I would much appreciate you, or anyone else, taking a few minutes to look at the site and ream out the check_out_oneDirect.asp page where client side validation takes place. The site is Best Prices on the web for 14 Karat Gold Discount Jewelry; it's a plain Jane in VBScript, and you must use an IE browser. Make a mock purchase by putting something in the shopping cart, click Credit Card Check Out, input and submit. If you see ERROR on Shipping Destination in red you are into the server side validation (not complete).
You will blow me away if you come back with my credentials; I do attempt a client side ADODB.Connection and call, which does not work. Also, whether you can see the credit card number aside from the number I provide for the test. I do an extensive credit card check client side and, like you say, this could be legal suicide.
It doesn't work as written because you're trying to access an Application variable. Those only exist, and are only readable by the server. Your choices for making this call are to either pass credentials down to the browser so it can make the call, or make the call server-side and expose the results some other way that can be consumed by the browser, such as a webservice. That's what AJAX exists to do. It's an asynchronous call to ask the server for some information so you can display or otherwise work with it in the browser without doing a full postback.
Why are you using classic instead of .NET? .NET has both client and server validation controls out of the box. It's also HIGHLY questionable to write IE-only pages these days. IE doesn't own 99% of the market anymore. You're going to piss off a lot of potential clients.
Anywho, I'll try to find some time for rudimentary pen-testing later this evening. I'll let you know what I see.
Much thanks for taking the time to check out the site and responding.
I’m resolved to making the dbf call server side with a call back on error.
I learned Classic VBScript because it was true to form: easy to learn and write. You're right about going to .NET; I think about it and others like PHP, but it will never happen. The lion's share of the day goes to running a small jewelry shop and working eBay. I'm near completion of sit2buy.com and if it earns $$ I'll likely have a pro rewrite it in cross platform code (working with all browsers). As you say, I limit myself to about 50% of prospective buyers with IE, and an additional limitation of US sales only. I bought in too far to change now.
The site is in production test mode w/ point of sale made in the PayPal Sandbox environment. If you’re not familiar w/Sandbox it does everything like a real sale but it is not live, it’s a mock sale with no $$/merchandise exchanged. To make this site real for sales I just go "live" with PayPal
I'm focused on 2 areas where attacks may break the bank. Hacking the price and quantity of an order is under control by integrating checks with PayPal; I'll also be reviewing each order before shipping. The other is that you have me worried about the vulnerabilities you mentioned, in particular if exposing the buyer's credit card number is one of them. I will have the client side credit card verification including the Luhn Algorithm finished by the 1st week of June. I would much appreciate you scrutinizing the code on page http://www.sit2buy.com/html/check_out_oneDirect.asp. Are credit card numbers and the security code able to be exploited and revealed?
Thanks again, Marty
Last edited by MartyOcean; 05-30-12 at 14:01.
Reason: edit explanation of production site
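As an added example, not code from the thread or from Marty's site, here is the split the earlier reply describes together with the client side card check mentioned in the post just above, written in JavaScript (Node.js) since the browser side is where the original problem sits. The browser does only the checks its own form values allow (blank name, phone format, Luhn check digit); the City/State/Zip lookup runs in a server handler that answers with a JSON yes/no, so no connection string, table name or SQL is ever sent to the client. The endpoint path /verify_shipping, the field names, the lookup table rows and the injected `post` transport are assumptions made for the example.

```javascript
// Added example, not code from the thread. Node.js, no dependencies.
// Browser-side code gets only what it can check locally; the database lookup
// lives behind a server endpoint that returns a small JSON answer.
// Endpoint path, field names and table rows are assumptions for the example.

// ---------- browser side: format checks that need no database ----------

// Phone must match ###-###-####, the format the original MsgBox asks for.
function validatePhone(phone) {
  return /^\d{3}-\d{3}-\d{4}$/.test(String(phone));
}

// Luhn check digit. Catches mistyped card numbers; it does NOT prove a card
// is real or chargeable, so the processor still has the final say.
function luhnValid(cardNumber) {
  const digits = String(cardNumber).replace(/[\s-]/g, "");
  if (!/^\d{12,19}$/.test(digits)) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Runs every check that can be done with the form's own values.
// Returns [] when the form may be submitted, otherwise the error titles.
function clientValidate(form) {
  const errors = [];
  if (!form.firstName || form.firstName.trim() === "") {
    errors.push("First Name request is blank");
  }
  if (!validatePhone(form.phone)) errors.push("Phone Number error");
  if (!luhnValid(form.cardNumber)) errors.push("Credit card number error");
  return errors;
}

// ---------- server side: the only code that may touch the database ----------

// Constructed stand-in for the shipping lookup table (hypothetical rows).
// In the ASP page this would be a parameterised query run on the server.
const SHIPPING_TABLE = [
  { city: "MIAMI", state: "FL", zip: "33101" },
  { city: "PORTLAND", state: "OR", zip: "97201" },
];

// Handler for a hypothetical POST /verify_shipping request.
// Normalises the three fields, rejects malformed input before any lookup,
// and answers only {ok: true|false}; nothing about the schema is echoed back.
function verifyShippingHandler(body, table = SHIPPING_TABLE) {
  const city = String(body.city || "").trim().toUpperCase();
  const state = String(body.state || "").trim().toUpperCase();
  const zip = String(body.zip || "").trim();
  const wellFormed = /^[A-Z][A-Z .'-]{0,63}$/.test(city) &&
                     /^[A-Z]{2}$/.test(state) &&
                     /^\d{5}$/.test(zip);
  if (!wellFormed) return { status: 400, json: { ok: false } };
  const found = table.some(r => r.city === city && r.state === state && r.zip === zip);
  return { status: 200, json: { ok: found } };
}

// ---------- browser side again: ask the server and use its answer ----------

// `post` stands in for XMLHttpRequest/fetch and is injected so the example
// runs offline; in a real page it would perform the HTTP POST.
function checkShippingDestination(form, post) {
  const reply = post("/verify_shipping", { city: form.city, state: form.state, zip: form.zip });
  return reply.status === 200 && reply.json.ok === true;
}

// Offline transport that routes straight to the handler above.
const localPost = (path, body) => (path === "/verify_shipping"
  ? verifyShippingHandler(body)
  : { status: 404, json: { ok: false } });
```

In a page, `checkShippingDestination` would be called from the form's submit handler with a transport that does the real POST, and the submit would proceed only when `clientValidate` returns an empty list and the server answers `ok: true`; the server page still repeats the checks, as the thread already does, because anything running in the browser can be bypassed.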
I'm going to be slammed pretty good for at least a couple of days here, but I'll look when I can. I'll just send you a PM with the stuff I found with a cursory look. I'm not super crazy about detailing exactly how to test for basic vulnerabilities in a public thread. I know there are tons of tutorials out there but... it still makes me a touch squeamish.
Anywho, a few general items:
I have some experience working with PayPal. Is there any reason you're not letting them handle the whole transaction? There is a whole slew of good reasons to do that, ranging from liability to technical requirements. Branding isn't a big deal nowadays either, now that PayPal is so ubiquitous. Transferring around between PayPal and your target site is hardly worth batting an eyelash anymore.
Regarding the platform... From what I gather you have a straight-forward eCommerce site. Have you looked at the off-the-shelf products available for this type of thing?
On the .NET front you have things like nopCommerce or DNN, which have perfectly serviceable free versions. There are a ton of popular, free options out there for MySQL/PHP too, such as ZenCart. For the most part these packaged solutions don't require you to know how to write code (though it certainly helps). They're designed to be installed and managed by end users as well as being extensible by developers if you need something novel... which I don't think you do.
I strongly urge you to take a look at a couple of those options before going live. I know what it's like to slave over a project for months and have someone tell you to consider another approach, but sometimes that's the most rational choice. You'd be able to reuse more of your layout/graphics than you may think and the rest of it is a weekend, a bottle of scotch and a bunch of data entry. The long term benefits in terms of effort required to keep the thing going/updated will be worth it.
Also, pick up the ASP.NET For Dummies book. It doesn't take long to go through and it did a pretty good job taking me from classic asp/vbscript to .NET in a weekend. Well worth the time. You might surprise yourself.