  1. #1
    Join Date
    May 2012
    Posts
    4

    Unanswered: Vbscript/SQL5 create rs in client side validation subroutine

    I need to create a recordset (rs) inside a subroutine, or pass it to one, for client-side validation. I’m exhausted trying; any direction is appreciated, especially if someone knows it cannot be done in VBScript with a SQL back end.

    Before the subroutine, the db connection is opened and multiple recordsets are created.
    Staying on the page, the data entries are only available via frmCheckOutOne.something.value in the subroutine after the onclick event.

    98% of the code is in VBScript. With that being said, here is the <form onsubmit> in JScript; I’m including this because I tried passing the rs through the Form calling Validate():
    <form id="ValidForm" action="../html/check_out_twoDirect.asp" method="post" NAME="frmCheckOutOne" onsubmit="Validate(); return false;" language="jscript">

    The subroutine is basic, inside the <head> tags, and works perfectly until creating/passing the rs is attempted; then the Sub ends abruptly and the next page is called – there is no error msg:
    <script language="VBScript">
    <!--
    Sub Validate()
    'sub validate goes here
    Dim frmCheckOutOne,S,T,hVar
    Set frmCheckOutOne = Document.forms("ValidForm")
    If Len(frmCheckOutOne.firstName.Value) = 0 Then
    MsgBox "Please enter First Name as it appears on credit card ",64,"First Name request is blank"
    Exit Sub

    Etc. ending IF statement with following:

    ElseIf Len(strPhone) <> 10 Then
    MsgBox "Please enter Area Code and Phone Number " & chr(13) & "in numbers and dashes (-) " & chr(13) & "use format ###-###-####",64,"Phone Number error"
    Exit Sub
    End If

    Then the Sub continues with more input validation conditional statements and ends with an attempt to create the rs. I'm not sure, but I think application("mydb") set in global.asa can be seen in the subroutine function or I would get an error. I know variables created in a Sub are local – just the same, I closed Conn and released the Conn, sq variables before the button. This is a sample of trying to create a rs:

    if ucase(TypeName(Conn)) <> "CONNECTION" then
    Dim Conn, sq , rs
    Set Conn = Server.CreateObject("ADODB.Connection")
    Conn.Open application("mydb")

    sq = ("SELECT ASPZipCode.ZipCode, " _
    & "ASPZipCode.City, ASPZipCode.State " _
    & "FROM ASPZipCode " _
    & "WHERE ASPZipCode.City = " & frmCheckOutOne.SHIPTOCITY.Value _
    & "And ASPZipCode.State = " & frmCheckOutOne.D2.Value _
    & "And ASPZipCode.ZipCode = " & frmCheckOutOne.SHIPTOZIP.Value)

    Set rs=server.createobject("ADODB.Recordset")
    Set rs.ActiveConnection = Conn
    rs.Source = sq
    rs.CursorType = 3
    rs.CursorLocation = 3
    rs.LockType = 1
    rs.Open()
    If rs.RecordCount < 1 Then
    msgbox "The City, State and Zip Code entry do not verify " & chr(13) & "Please check and re-enter ",64,"Shipping destination error"
    exit sub
    End If
    End If
    frmCheckOutOne.Submit
    Exit Sub
    End If
    End Sub
    -->
    </script>

    As a precaution, the next page pretty much validates the same input on the server side and redirects if there is a problem. Part of the code uses the web to check with the shipping carrier whether City, State and Zip are part of a real address, making the program dependent on internet traffic. Best to first capture and verify client side.
    Thank you in advance, Marty
    Last edited by MartyOcean; 05-19-12 at 20:17. Reason: left out " ) " - still don't work

  2. #2
    Join Date
    Mar 2003
    Location
    The Bottom of The Barrel
    Posts
    6,102
    Provided Answers: 1
    You mentioned "page"...

    Where are you consuming this from? Are the users able to see the SQL server at all?

    One standard approach would be to setup a web service and make your call with AJAX, perhaps returning JSON. You can't make a straight ADODB call unless your users can see the server. Even then, I wouldn't be too crazy about letting users hit the DB directly or even know what table(s) they're hitting.
    oh yeah... documentation... I have heard of that.

    *** What Do You Want In The MS Access Forum? ***

  3. #3
    Join Date
    May 2012
    Posts
    4
    I'm not familiar with .NET or AJAX coding; I write mostly in conventional VBScript and Transact-SQL. The users (I believe you mean customers filling out the <form>) are never allowed to see or touch the server/dbf/tables. After entering data and submitting, the programming checks input against table data. Before submitting is done, an ADODB connection is made but the input data is not available to query a table.

    The validation is done with a vbscript procedure. How do you open an ADODB connection and create a record set with a vbscript subroutine procedure or function procedure?

  4. #4
    Join Date
    Mar 2003
    Location
    The Bottom of The Barrel
    Posts
    6,102
    Provided Answers: 1
    Quote Originally Posted by MartyOcean View Post
    I’m not familiar with .net or ajax coding, I write mostly in conventional vbscript and transact-SQL. The users (I believe you mean customers filling out the <form>) are never allowed to see or touch the server/dbf/tables.
    Oh boy...

    If you don't even know what framework you're using, STOP RIGHT NOW and go through some basic tutorials about either ASP Classic or ASP.NET to understand the massive fundamental differences between what you're used to and what you're trying to do now. There are even massive fundamental differences between ASP Classic and ASP.NET, so much so that the only things they have in common are some syntax and three letters in the product name. As far as web applications vs. what you're used to... in order to enable users to hit a database from the web browser, you need to send them everything they need to make the call... including credentials. It is trivial for a moderately savvy user to inspect anything you send them. It doesn't have to be printed in the browser for them to see it with very little effort.

    If you make a clientside db call from a browser on a public facing website using ADODB, you just sent your database credentials to the whole world and exposed your client to security vulnerabilities which if exploited could result in all kinds of interesting legal trouble. This isn't a design decision to be taken lightly. Don't put yourself in a position where you have to answer the question of why your client is facing prosecution due to your choices with, "I don't know anything about web applications so I used vbscript instead". You KNOW you have no clue how the platform you're using works. You just said as much. Fix that before continuing on.
    Last edited by Teddy; 05-23-12 at 11:13.

  5. #5
    Join Date
    May 2012
    Posts
    4
    My platform is ASP Classic VBscript – don’t know why I said VBscript conventional.
    Code:
    "you need to send them everything they need to make the call... including credentials. It is trivial for a moderately savvy user to inspect anything you send them. It doesn't have to be printed in the browser for them to see it with very little effort."
    I would much appreciate you, or any one else, taking a few min to look at the site and ream out the check_out_oneDirect.asp page where clientside validation takes place. The site is Best Prices on the web for 14 Karat Gold Discount Jewelry. – it’s a plain Jane in vbscript, you must use an IE browser. Make a mock purchase by putting something in the shopping cart, click Credit Card Check Out, input and submit. If you see ERROR on Shipping Destination in red you are into the server side validation (not complete).

    You will blow me away if you come back with my credentials, I do attempt a clientside ADODB.Connection and call which does not work. Also, if you can see the credit card number aside from num I provide for test. I do an extensive credit card check clientside and like you say, this could be legal suicide.

    Thanks, Marty

  6. #6
    Join Date
    Mar 2003
    Location
    The Bottom of The Barrel
    Posts
    6,102
    Provided Answers: 1
    It doesn't work as written because you're trying to access an Application variable. Those only exist on, and are only readable by, the server. Your choices for making this call are to either pass credentials down to the browser so it can make the call, or make the call server-side and expose the results some other way that can be consumed by the browser, such as a web service. That's what AJAX exists to do. It's an asynchronous call to ask the server for some information so you can display or otherwise work with it in the browser without doing a full postback.

    Why are you using classic instead of .NET? .NET has both client and server validation controls out of the box. It's also HIGHLY questionable to write IE-only pages these days. IE doesn't own 99% of the market anymore. You're going to piss off a lot of potential clients.


    Anywho, I'll try to find some time for rudimentary pen-testing later this evening. I'll let you know what I see.
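    The server-side endpoint described in the reply above, written out as an added example in ASP Classic VBScript; it is not code from the thread or from the sit2buy site. It assumes the ASPZipCode(City, State, ZipCode) table and the Application("mydb") connection string from the first post, that those three columns are character columns, and a hypothetical page name validate_address.asp; the POST field names city, state and zip are also made up here. Only a yes/no answer reaches the browser, so the connection string never leaves the server, and the lookup goes through an ADODB.Command with "?" placeholders instead of concatenating the form values into the SQL text the way the original query does.

```vbscript
<%@ Language="VBScript" %>
<%
' ==== File 1: validate_address.asp (server side; added example, hypothetical page name) ====
' Holds the connection string and the table name; the browser never sees either.
Option Explicit
Response.ContentType = "application/json"

Dim city, state, zip
city  = Trim(Request.Form("city"))    ' constructed field names, not from the thread
state = Trim(Request.Form("state"))
zip   = Trim(Request.Form("zip"))

Dim found
found = False

' Cheap shape check before touching the database at all.
If Len(zip) = 5 And IsNumeric(zip) And Len(state) = 2 And Len(city) > 0 Then
    Dim conn, cmd, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("mydb")   ' connection string from global.asa, as in the first post

    ' ADODB.Command with placeholders: the form values travel as typed parameters,
    ' so quotes or keywords typed into the form cannot change the SQL.
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1             ' adCmdText
    cmd.CommandText = "SELECT 1 FROM ASPZipCode " & _
                      "WHERE City = ? AND State = ? AND ZipCode = ?"
    ' CreateParameter(Name, Type, Direction, Size, Value): 200 = adVarChar, 1 = adParamInput
    cmd.Parameters.Append cmd.CreateParameter("city",  200, 1, 50, city)
    cmd.Parameters.Append cmd.CreateParameter("state", 200, 1, 2,  state)
    cmd.Parameters.Append cmd.CreateParameter("zip",   200, 1, 10, zip)

    Set rs = cmd.Execute
    found = Not rs.EOF              ' at least one matching row
    rs.Close
    conn.Close
    Set rs = Nothing
    Set cmd = Nothing
    Set conn = Nothing
End If

' Only the verdict leaves the server.
If found Then
    Response.Write "{""valid"":true}"
Else
    Response.Write "{""valid"":false}"
End If
%>

' ==== File 2: client side, inside the existing <script language="VBScript"> block ====
' Posts the three fields to the server page and reads the answer. The page itself never
' opens a connection. IE-only, like the rest of the poster's client-side VBScript;
' the call is synchronous for brevity.
Function ShippingAddressIsValid(frm)
    Dim http, body
    body = "city=" & Escape(frm.SHIPTOCITY.Value) & _
           "&state=" & Escape(frm.D2.Value) & _
           "&zip=" & Escape(frm.SHIPTOZIP.Value)
    Set http = CreateObject("Microsoft.XMLHTTP")
    http.Open "POST", "../html/validate_address.asp", False
    http.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    http.Send body
    ' The server answers {"valid":true} or {"valid":false}
    ShippingAddressIsValid = (InStr(http.responseText, """valid"":true") > 0)
End Function
```

    Inside Validate(), the Server.CreateObject block is replaced by `If Not ShippingAddressIsValid(frmCheckOutOne) Then MsgBox ... : Exit Sub`. The server-side check on the next page still has to run: anything executed in the browser can be skipped, so the client call is a convenience for the buyer, not a control.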

  7. #7
    Join Date
    Mar 2003
    Location
    The Bottom of The Barrel
    Posts
    6,102
    Provided Answers: 1
    Did a quicky look, I can tell you right now that you are going to have some vulnerabilities. How bad I can exploit them remains to be seen.

    This is just a dev site, right? This isn't an actual production site running for real?

  8. #8
    Join Date
    May 2012
    Posts
    4
    Much thanks for taking the time to check out the site and responding.
    I’m resolved to making the dbf call server side with a call back on error.

    Learned Classic VBScript because it was true to form – easy to learn/write programming. You’re right about going to .NET – I think about it and others like PHP, but it will never happen. The lion's share of the day goes to running a small jewelry shop and working eBay. I’m near completion of sit2buy.com and if it earns $$ I’ll likely have a pro rewrite it in cross-platform code (working with all browsers). As you say, I limit myself to @50% of prospective buyers w/IE and an additional limitation of US sales only. I bought in too far to change now.

    The site is in production test mode w/ point of sale made in the PayPal Sandbox environment. If you’re not familiar w/Sandbox, it does everything like a real sale but it is not live; it’s a mock sale with no $$/merchandise exchanged. To make this site real for sales I just go "live" with PayPal.

    I’m focused on 2 areas where attacks may break the bank. Hacking the price and quantity of an order is under control by integrating checks with PayPal. I’ll also be reviewing each order before shipping. The other: you have me worried about the vulnerabilities you mentioned, in particular if exposing the buyer’s credit card number is one of them. I will have the client-side credit card verification, including the Luhn algorithm, finished by the 1st week of June. I would much appreciate you scrutinizing the code on page http://www.sit2buy.com/html/check_out_oneDirect.asp. Are credit card numbers and the security code able to be exploited and revealed?

    Thanks again, Marty
    Last edited by MartyOcean; 05-30-12 at 15:01. Reason: edit explanation of production site
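    A Luhn check for the client-side verification mentioned in the post above, added here as an example rather than code from the thread or the site. It is plain VBScript, so the same function can sit in the client <script language="VBScript"> block and in the server-side ASP page; the server copy is the one that matters, because a buyer or a script can skip whatever runs in the browser. The check only catches mistyped numbers; it says nothing about whether a card is real or funded, which is the card processor's job, and the number should not be written to the database or to any log along the way.

```vbscript
' Added example: Luhn (mod 10) check on a card number as typed by the buyer.
' Returns True when the digits pass the checksum and the length is plausible.
Function PassesLuhn(cardNumber)
    Dim digits, ch, i, d, total, doubleIt

    ' Keep only the digits so spaces and dashes typed by the buyer do not matter
    digits = ""
    For i = 1 To Len(cardNumber)
        ch = Mid(cardNumber, i, 1)
        If Asc(ch) >= 48 And Asc(ch) <= 57 Then digits = digits & ch
    Next

    ' Card numbers are 13 to 19 digits long
    If Len(digits) < 13 Or Len(digits) > 19 Then
        PassesLuhn = False
        Exit Function
    End If

    ' Walk from the rightmost digit, doubling every second one; a doubled
    ' digit above 9 contributes its digit sum, which equals d - 9
    total = 0
    doubleIt = False
    For i = Len(digits) To 1 Step -1
        d = CInt(Mid(digits, i, 1))
        If doubleIt Then
            d = d * 2
            If d > 9 Then d = d - 9
        End If
        total = total + d
        doubleIt = Not doubleIt
    Next

    PassesLuhn = (total Mod 10 = 0)
End Function

' Constructed test values: 4111 1111 1111 1111 is the widely published Visa test
' number and passes; changing the last digit makes it fail.
Function LuhnSelfTest()
    LuhnSelfTest = PassesLuhn("4111 1111 1111 1111") And _
                   Not PassesLuhn("4111-1111-1111-1112") And _
                   Not PassesLuhn("1234")
End Function
```

    Calling LuhnSelfTest() from either the client block or an ASP page returns True when the function behaves as described. In Validate(), a failed PassesLuhn() result gets the same MsgBox-and-Exit Sub treatment as the other fields, and the server-side page re-runs the same function before anything is sent on to the processor.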

  9. #9
    Join Date
    Mar 2003
    Location
    The Bottom of The Barrel
    Posts
    6,102
    Provided Answers: 1
    I'm going to be slammed pretty good for at least a couple days here but I'll look when I can. I'll just send you a pm with the stuff I found with a compulsory look. I'm not super crazy about detailing exactly how to test for basic vulnerabilities in a public thread. I know there are tons of tutorials out there but... still makes me a touch squeamish.

    Anywho, a few general items:

    I have some experience working with PayPal. Is there any reason you're not letting them handle the whole transaction? There is a whole slew of good reasons to do that, ranging from liability to technical requirements. Branding isn't a big deal nowadays either, now that PayPal is so ubiquitous. Transferring around between PayPal and your target site is hardly worth batting an eyelash anymore.

    Regarding the platform... From what I gather you have a straight-forward eCommerce site. Have you looked at the off-the-shelf products available for this type of thing?

    On the .NET front you have things like nopCommerce or DNN, which have perfectly serviceable free versions. There are a ton of popular, free options out there for MySQL/PHP too, such as ZenCart. For the most part these packaged solutions don't require you to know how to write code (though it certainly helps). They're designed to be installed and managed by end users as well as being extensible by developers if you need something novel... which I don't think you do.

    I strongly urge you to take a look at a couple of those options before going live. I know what it's like to slave over a project for months and have someone tell you to consider another approach, but sometimes that's the most rational choice. You'd be able to reuse more of your layout/graphics than you may think and the rest of it is a weekend, a bottle of scotch and a bunch of data entry. The long term benefits in terms of effort required to keep the thing going/updated will be worth it.

    Also, pick up the ASP.NET For Dummies book. It doesn't take long to go through and it did a pretty good job taking me from classic asp/vbscript to .NET in a weekend. Well worth the time. You might surprise yourself.
    Last edited by Teddy; 06-01-12 at 02:05.