I have found some code on the net, and there is a line in it which I don't understand: what does it mean and what does it do? Moreover, the line doesn't work. Can anyone help?
The code:
var connection = new ActiveXObject("ADODB.Connection"); /* the line in question */
var connectionstring = "Data Source=srvp7rnd-herm;Initial Catalog=hermes;User ID=hermes;Password=hermes;Provider=SQLOLEDB";
connection.Open(connectionstring);
/* JScript object to access a SQL query's results */
var rs = new ActiveXObject("ADODB.Recordset");
/* Getting the current MAX(id) from the database */
rs.Open("SELECT MAX(id) FROM Screen_Template", connection);
rs.MoveFirst();                          /* method call: the parentheses are required */
var maxID = rs.Fields.Item(0).Value;     /* .Value, otherwise maxID holds a Field object, not a number */
rs.Close();                              /* a recordset must be closed before it can be reused */
maxID = maxID + 1;
/* TODO: Get the last UID */
/* templateName, opco and env are defined elsewhere on the original page.
   String values must be quoted for the INSERT to be valid SQL; the values are still
   concatenated straight into the statement text. */
var sql = "INSERT INTO Screen_Template(template_name, OpCo, env, template_xml, language, id, title, role, UID) VALUES ('" + templateName + "','" + opco + "','" + env + "','<hello>hello</hello>','eng'," + maxID + ",'Hermes SMS message poser','manag', 10)";
alert(sql);
connection.Execute(sql);                 /* an INSERT returns no rows, so run it on the connection rather than opening a recordset */
/* Closing the connection */
connection.Close();
asked Apr 2, 2014 at 16:15
user3475785
- Why would you want to update SQL in the client... yikes. – epascarello Commented Apr 2, 2014 at 16:22
- So what should I do? I need to use SQL in a JavaScript function... do you know how? – user3475785 Commented Apr 2, 2014 at 16:24
- Think about it: if you use SQL in the browser, you are giving anyone free rein to change your database! Drop tables! SQL should be done on the SERVER, not the client. – epascarello Commented Apr 2, 2014 at 16:28
- This is work for school!!! – user3475785 Commented Apr 2, 2014 at 18:09
1 Answer
The code you are looking at is either JavaScript or Microsoft-flavoured JScript. The code can be either server side in ASP-Classic (JScript was an option here, albeit unusual - most coded server side in VBScript); however, given that there is an alert half way through the page, it is likely that it is intended for client side, in a browser.

The lines
var connection = new ActiveXObject("ADODB.Connection");
and
var rs = new ActiveXObject("ADODB.Recordset");
attempt to create an ActiveX component (aka Component Object Model, or COM) of ADODB.Connection and ADODB.Recordset, respectively, and then use these to insert data into the database. You can get reference to these here, although note that most of the reference is in VB :(

So here is a list of some of the possible issues:
- The code will only ever run in IE browsers
- You may need to download and install the COM components - ADO is installed via MDAC (download here)
- You may need to run IE as an Administrator
- You may need to open all sorts of security loopholes in IE (ActiveX controls, safe for scripting etc)
If you enable script debugging on the browser you'll get more info on the actual issue.

I guess I need to point out a couple of other major issues:
- The concatenated SQL string is prone to SQL injection attacks (although obviously anyone viewing the page source can do whatever they like to the database anyway) - parameterization is the solution here.
- SELECT Max(ID), incrementing, and inserting isn't concurrent safe - the solution here is to use an IDENTITY or GUID

However, all that said, this is obsolete technology, a security nightmare, and architecturally just plain wrong IMO - possibly you can convince your school to redesign the code using a more modern technology stack? (Sorry to be the bearer of bad news)
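As an added example that is not part of the question or the answer above: the question's concatenated INSERT beside a parameterized ADODB.Command, written in the same JScript-style JavaScript. The ADODB.Command members used (ActiveConnection, CommandText, CreateParameter, Parameters.Append, Execute) and the adVarChar/adParamInput constants are the real ADO ones. Everything else is an assumption made so the block runs offline in Node: the object-factory argument (on IE or WSH you would pass function (id) { return new ActiveXObject(id); }), the in-block stand-in for ADODB.Command, the shortened column list, the sample template name, and the assumption that id is an IDENTITY column as the answer recommends, so the INSERT leaves it out instead of doing SELECT MAX(id) and adding one.

```javascript
// Added example, not code from the question or the answer.
// ADO constants as the real library defines them (DataTypeEnum / ParameterDirectionEnum)
var adVarChar = 200;
var adParamInput = 1;

// The question's approach: values spliced into the statement text.
// (Column list shortened for the example; the real table has more columns.)
function buildConcatenatedInsert(templateName, opco, env, maxID) {
  return "INSERT INTO Screen_Template(template_name, OpCo, env, id) VALUES ('" +
    templateName + "','" + opco + "','" + env + "'," + maxID + ")";
}

// An odd number of single quotes means a value has broken the statement's string
// literals, which is exactly the condition a crafted value exploits.
function hasUnbalancedQuotes(sql) {
  return (sql.match(/'/g) || []).length % 2 !== 0;
}

// Parameterized version: the statement text is fixed and the values travel as typed
// parameters, so an apostrophe in a value is just data. id is omitted on the assumption
// that it is an IDENTITY column, which removes the MAX(id)+1 race as well.
function insertTemplateParameterized(createObject, connection, templateName, opco, env) {
  var cmd = createObject("ADODB.Command");
  cmd.ActiveConnection = connection;
  cmd.CommandText = "INSERT INTO Screen_Template(template_name, OpCo, env) VALUES (?, ?, ?)";
  cmd.Parameters.Append(cmd.CreateParameter("template_name", adVarChar, adParamInput, 255, templateName));
  cmd.Parameters.Append(cmd.CreateParameter("OpCo", adVarChar, adParamInput, 50, opco));
  cmd.Parameters.Append(cmd.CreateParameter("env", adVarChar, adParamInput, 50, env));
  cmd.Execute();
  return cmd;
}

// Constructed stand-in for ADODB.Command so the function above runs without COM.
// It records what a real command would have been given.
function makeFakeAdo() {
  var log = { executed: 0 };
  function FakeCommand() {
    this.CommandText = "";
    this.ActiveConnection = null;
    this.Parameters = { items: [], Append: function (p) { this.items.push(p); } };
  }
  FakeCommand.prototype.CreateParameter = function (name, type, direction, size, value) {
    return { Name: name, Type: type, Direction: direction, Size: size, Value: value };
  };
  FakeCommand.prototype.Execute = function () { log.executed += 1; };
  return {
    log: log,
    createObject: function (progId) {
      if (progId === "ADODB.Command") { return new FakeCommand(); }
      throw new Error("stand-in only provides ADODB.Command, got " + progId);
    }
  };
}

// Constructed sample: a template name containing an apostrophe, an ordinary value
// that the concatenated version cannot carry safely.
function demo() {
  var name = "Monday's outage notice";
  var concatenated = buildConcatenatedInsert(name, "UK", "prod", 42);
  var fake = makeFakeAdo();
  var cmd = insertTemplateParameterized(fake.createObject, {}, name, "UK", "prod");
  return {
    concatenatedSql: concatenated,
    concatenatedBroken: hasUnbalancedQuotes(concatenated),
    parameterizedText: cmd.CommandText,          // no user data in the statement text
    parameterValue: cmd.Parameters.items[0].Value, // the apostrophe travels intact
    executed: fake.log.executed
  };
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The factory argument is the design choice worth noting: passing in the function that creates COM objects is what lets the same insert routine run against real ADO in IE and against the stand-in here, and it is also what makes the statement text checkable in a test without a database.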