In sqlserver I have a function which generates a complex xml of all products with several tables joined: location, suppliers, orders etc.
No problem in that, it runs in 68 sec and produces around 450MB.
It should only be called occationally during migration to another server, so it doesn't matter it takes some time.
I want to make this available for download over webserver.
I've tried some variations of this in classic asp:
Response.Buffer = false
set rs=conn.execute("select cast(dbo.exportXML() as varchar(max)) as res")
response.write rs("res")
But I just get a standard
An error occurred on the server when processing the URL. Please contact the system administrator.
If you are the system administrator please click here to find out more about this error.
Not my usual custom 500-errorhandler, so I'm not sure how to find the error.
The problem is in response.write rs("res"), if i just do
temp = rs("res")
the script runs, but displays nothing of cause; if I then
response.write temp
I get the same failure.
So the problem is writing such a ling string.
Can I save the file from tsql directly; and run the job periodically from sql agent?
I found that there seems to be a limit on how much data can be written at once using Response.Write. The workaround I used was to break the data into chunks like this:
Dim Data, Done
Done = False
Do While Not Done
Data = RecordSet(0).GetChunk(8192)
If Not Len(Data) = 0 Then
Response.Write Data
Else
Done = True
End If
Loop
Try this:
Response.ContentType = "text/xml"
rs.CursorLocation = 3
rs.Open "select cast(dbo.exportXML() as varchar(max)) as res",conn
'Persist the Recordset in XML format to the ASP Response object.
'The constant value for adPersistXML is 1.
rs.Save Response, 1
Related
I have website as Classic ASP as Front end and SQL Server 2005 as Back end.
But I am facing a very strange SQL injection on my back end.
Some type of CSS with HTML with spamming site is appending their code to my website database with each table and with each varchar type columns.
For e.g.
</title><style>.am1y{position:absolute;clip:rect(405px,auto,auto,405px);}</style><div class=am1y>same day <a href=http://mazzpaydayloans.com >payday loans</a></div>
I Checked My IIS Log It shows me like this
2013-06-09 19:15:54 GET
/mypage.asp%3C/title%3E%3Cstyle%3E.axo5{position:absolute;clip:rect(404px,auto,auto,404px);}%3C/style%3E%3Cdiv%20class=axo5%3Eapproval%20%3Ca%20href=http:/mazzpaydayloans.com%20%3Epayday%20loans%3C/a%3E%3C/div%3E
- - 204.13.205.99 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)
loginfailure=chance=0&bantime=;+ASPSESSIONIDSSDRRCQQ=EDPHPJGCGLMKOADICKHODKBM
- www.mysite.com 404 0 281 543 78
On my this selected ASP Page all SQL queries are parametrized.
But still this issue is persists.
MyPage.asp Code
new_prot = "http"
new_https = lcase(request.ServerVariables("HTTPS"))
if new_https <> "off" then new_prot = "https"
new_domainname = Request.ServerVariables("SERVER_NAME")
new_filename = Request.ServerVariables("SCRIPT_NAME")
set cm1 = Server.CreateObject("ADODB.Command")
cm1.ActiveConnection = conn
cm1.commandtype=1
cm1.CommandText ="select * from Table1 where Web=?"
cm1.prepared=true
dim weburl
set weburl=cm1.createparameter(Web_URL,200,,5000)
weburl.value= Server.HtmlEncode(ltrim(rtrim(new_filename)))
cm1.parameters.append weburl
set Mobile = cm1.execute(RecordsAffected,,adCmdText)
do until Mobile.EOF
response.redirect(Mobile.fields("mob"))
loop
First, your query may be parameterised, but you need to impliment a stored procedure, not a straight SQL command.
set cm1 = Server.CreateObject("ADODB.Command")
cm1.ActiveConnection = conn
cm1.commandtype=1
cm1.CommandText ="select * from Table1 where Web=?"
command text is a no no
you need to impliment a stored procedure:
CREATE ProcTable
#ParamWeb INT
as
SELECT * FROM Table WHERE PAgeID = #ParamWeb
Then Exec the proc. This prevents injection because the page can ONLY accept the numeric value of the proc, and that will only return the revelant dataset (empty or with rows)
Your command text can have
"; any injection script you want"
appended
any injection script can contain sqlcmdShell so once the injection has been made the bad guys can return a list of tables, their content, users, user data etc etc
one of the simplest Components in my website just stopped working from one day to the other without any changes in Code.
'Connection Declaration as connection
Set rs = Server.CreateObject ("ADODB.Recordset")
rs.Open "SELECT * FROM tablename ORDER BY id DESC", connection, 1, 3
while not rs.EOF
'writing some Table from the records in DB
'Simplified Code %>
<tr><td><%=rs("id")%></td><td><%=rs("description")&></td></tr>
<%
rs.MoveNext
Wend
in my Database i have verified the extraordinary number of 30 records :(
when above code is executed i see 2 of them
This tells me two things,
first: the tablename is Correct and the connection to the Database is established
second: the table-generation in itself is correct
I also have a smaller Testing-System. there the exact same code on a sample Database produces the expected Results.
Unfortunately i have no means of "instant-access" to my main page for "debugging purposes"
Is there any known Bugs for ADODB Recordsets losing records? Please keep in mind the Code is exactly the same and working "error-free".
A few suggestions.
Use Option Explicit if not already - (I didn't see it in your code) this will display SQL errors, so that may help.
Check that you haven't destroyed RS.
Also, "connection, 1, 3" means 'active connection', 'cursortype', 'locktype'
Your cursortype is 'adOpenKeySet' - 3 or 'adOpenStatic' is better, unless you specifically want a KeySet? try calling the Open this way to force the defaults (which oddly enough are 3 and 1 respectively !) :
RS.Open "SELECT * FROM tablename ORDER BY id DESC",connection
I also usually write RS output loops like this :
If Not RS.BOF Then
' write table tag HTML
Do While Not RS.EOF
' write table row + row data
RS.MoveNext
Loop
' write end table tag HTML
Else
' write "RS is empty!"
End If
This will make it easier to tell if recordset is empty or not.
I'm trying to run the following UPDATE query from a python script (note I've removed the database info):
print 'Connecting to db for update query...'
db = pyodbc.connect('DRIVER={FreeTDS};SERVER=<removed>;DATABASE=<removed>;UID=<removed>;PWD=<removed>')
cursor = db.cursor()
print ' Executing SQL queries...'
for i in range(len(data)):
sql = '''
UPDATE product.sanction
SET action_summary = '{action_summary}'
WHERE sanction_id = {sanction_id};
'''.format(sanction_id=data[i][0], action_summary=data[i][1])
cursor.execute(sql)
cursor.close()
db.commit()
db.close()
However, it hangs indefinitely, no error.
I'm new to pyodbc, but it should be setup correctly considering I'm having no problems performing SELECT queries. I did have to call CAST for SELECT queries (I've cast sanction_id AS INT [int identity on the database] and action_summary AS TEXT [nvarchar on the database]) to properly populate data, so perhaps the problem lies somewhere there, but I don't know where to start debugging. Converting the text to NVARCHAR didn't do anything either.
Here's an example of one of the rows in data:
(2861357, 'Exclusion Program: NonProcurement; Excluding Agency: HHS; CT Code: Z; Exclusion Type: Prohibition/Restriction; SAM Number: S4MR3Q9FL;')
I was unable to find my issue, but I ended up using QuerySets rather than running an UPDATE query.
We are in the process to migrate our SQL 2000 box to SQL 2008. But we ran into an issue; when a result set (rows or not) is returned by using a query that has a UNION. Later in the code we try to add a new row and assign field to it but because a UNION was used, when we try to assign a value to the field it gives us a Multiple-step operation generated errors. Check each status value. error. We tried the following code on a Windows XP & Windows 7 and got the same result. But when we change our connection string to point back to our SQL 2000 box we don't get that error any more.
The following example show the problem we are having.
var c = new ADODB.Connection();
var cmd = new ADODB.Command();
var rs = new ADODB.Recordset();
object recordsAffected;
c.Open("Provider=SQLOLEDB;Server=*****;Database=*****;User Id=*****;Password=*****;");
cmd.ActiveConnection = c;
cmd.CommandType = ADODB.CommandTypeEnum.adCmdText;
cmd.CommandText = "create table testing2008 (id int)";
cmd.Execute(out recordsAffected);
try {
cmd.CommandText = "select * from testing2008 union select * from testing2008";
rs.CursorLocation = ADODB.CursorLocationEnum.adUseClient;
rs.Open(cmd, Type.Missing, ADODB.CursorTypeEnum.adOpenDynamic, ADODB.LockTypeEnum.adLockBatchOptimistic, -1);
rs.AddNew();
rs.Fields["id"].Value = 0; //throws exception
rs.Save();
}
catch (Exception ex) {
MessageBox.Show(ex.ToString());
}
finally {
cmd.CommandText = "drop table testing2008";
cmd.Execute(out recordsAffected);
c.Close();
}
The link below is an article that gives a great breakdown of the 6 scenarios this error message can occur:
Scenario 1 - Error occurs when trying to insert data into a database
Scenario 2 - Error occurs when trying to open an ADO connection
Scenario 3 - Error occurs inserting data into Access, where a fieldname has a space
Scenario 4 - Error occurs inserting data into Access, when using adLockBatchOptimistic
Scenario 5 - Error occurs inserting data into Access, when using Jet.OLEDB.3.51 or ODBC driver (not Jet.OLEDB.4.0)
Scenario 6 - Error occurs when using a Command object and Parameters
http://www.adopenstatic.com/faq/80040e21.asp
Hope it may help others that may be facing the same issue.
It is type mismatch, try
rs.Fields["id"].Value = "0";
or make sure you assign a Variant to the value.
Since I posted this problem, we figured out that the problem was when you do a union the attributes on the fields are not bound (i.e. the attributes: basecatalog, basetable & basecolumn are empty) to remedy our problem we had to force the values of those attributes, by saving the recordset to xml (adPersistXML), change the xml and reopen the recordset from the xml. This rebound the fields and we were able to continue. We know this may not be the most efficient solution, but it was for an older app and we didn't want to rewrite the sql statements. It looks like the main error Multiple-step operation generated errors. Check each status value. is related to when an error occurs when a value is assigned to a field.
Two things I can think of... Make sure your "ID" column will accept a zero (0). Also - I've stopped this issue on one occasion by not using the adUseClient cursor (try server).
Many times this is a type mismatch, trying to stuff a NULL into a non-null column, or attempting to write more characters into a column than it's designed to take.
Hope this helps. - Freddo
Same issue occurred to me the problem was that i violated an object property , in my case it was size the error came out as
"IntegrationException: Problem (Multiple-step operation generated errors. Check each status value.)"
Imports ADODB
Dim _RecordSet As Recordset
_rs.Fields.Append("Field_Name", DataTypeEnum.adVarChar, 50)
_Recordset("Field_Name").Value = _RecordDetails.Field_NameValue
_RecordDetails.Field_NameValue length was more than 50 chars , so this property was violated , hence the error occurred .
I found another scenario:
When I was trying to set the value of a adLongVarChar field in a new record for a memory-only adodb.recordset. In my case, the error was triggered because the string I was passing had a buried unicode character.
I found this error when our legacy application was trying to parse 1/1/0001 12AM date and time. Looks like VB6 recordsets doesn't like that value.
To get rid of the errors, I had to set all the offending dates to null.
I was getting this error when trying to insert/update the field with a value that did not match the table>field type.
For example, the database table > field was
char(1)
however, I was trying to insert/update
"apple"
into the record.
Once I change the inputted value to "a" and it worked.
I am using ASP classic with ADO, connecting to SQL Server 2008.
I inherited this code and it is so mangled that I will try to recreate the relevant parts. If you need more detail or I left something out, please let me know.
I create a command and add parameters
oCmd.CommandType = adCmdStoredProc
...
oCmd.Parameters.Append oCmd.CreateParameter("#MyOutputParam", adInteger, adParamOutput, 4, NULL)
Later, I open a reader from that command:
oRS.Open oCmd, , adOpenForwardOnly, adLockReadOnly
After that, while oRS is open but before I've read any records or values, I try to get the output parameter's value using one of the lines below:
val1 = oCmd("#MyOutputParam")
val2 = oCmd("#MyOutputParam").Value
val3 = oCmd.Parameters("#MyOutputParam").Value
All three (val1, val2, val3) variables are DB NULL.
I have confirmed that running the SP in query analyzer returns a value to the #MyOutputParam parameter:
declare #p33 int
exec usp_GetResultAndOutput 1, 2, 3, #p33 output
select #p33
That returns a recordset of my expected records and a second recordset showing a number in a single row.
I've even tried calling rs.NextRecordset before attempting to get the output parameter and that didn't work.
Is there some other way that I need to be handling Output parameters?
Is it okay that I am returning a recordset and output parameters?
Output parameters cannot be retrieved until all the recordsets are enumerated until the end. Just think, how could the client possibly retrieve the output value of a parameter before the execution finishes? The Execute() call is simply starting the execution, the batch continues to execute on the server until all results are returned. While a client is iterating over a resultset produced by a SELECT the batch is executing that SELECT. The value of the output parameter is known only at the end of the batch. Therefore is not possible to know the output parameter value until the batch finished, which implies that all statements have executed, which in turn requires that all resultsets were consumed (iterated) by the client.
This is the canonical form of parsing a set of results:
do
{
while (rs.MoveNext)
{
// do something with the row
}
} while (Not rs.NextRecordset Is Nothing)
// now is safe to read the out param
response.write oCmd("#MyOutput")
As far as I can test the only thing that matters this is the CursorLocation. As long as the CursorLocation is set to adUseClient (3), the output parameters can be accessed anytime after the Execute. Any of the following do that
oConn.CursorLocation = adUseClient
or
oRs.CursorLocation = adUseClient
This is tested on SQL 2008 R2, IIS/ASP on Windows 7 and with SQLOLEDB provider.