Session Variables Being Lost

(OP)
Hello.

I have a booking form on my website (fake example below).

http://mywebsite.com/booking-page4.asp

When the booking form reaches page 4, the values are saved into a Session using the following:

CODE

Session("Variable1") = Request.Form ("Variable1")
Session.Timeout = 60 

The customer then clicks 'PAY' and is sent to Sage Pay within the same browser window to authorise their payment:

https://live.sagepay.com/process-payment-etc

They authorise their payment and Sage Pay then redirects them back to the payment success page (on my website):

http://mywebsite.com/payment-sucess.asp

step 1. mywebsite booking form
step 2. session created
step 3. redirected to sage pay website
step 4. payment authorised
step 5. redirected to mywebsite payment success

I am concerned that the Session Variables originally created on my website will be lost during the journey from my website to Sage Pay and back again.

Is there anything I can do to ensure they are not lost, or is it simply to do with the customer's browser settings (like not accepting cookies, for example)?

It is IMPERATIVE that these values are not lost because I need them to be present in the payment success page.

RE: Session Variables Being Lost

Saving the values in a database along with the session ID as a reference ID that SagePay returns in the POST data along with the accepted/failed signals is safer.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

RE: Session Variables Being Lost

(OP)
Good idea.

I can't believe I'm struggling with this... haven't done this for about 5 years at least.

Please look here:

Test Add Record

The directory I'm writing to definitely has 'Write' permissions.

Any idea why I'm getting this error?

The database is definitely found correctly, the table and field names are correct. Not using any special characters either.

CODE

<html>
<body>

<%

PaxName = "antony"

set myconn = Server.CreateObject("ADODB.connection")
connection = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" &_
Server.MapPath("x\db.mdb") & ";"
myconn.open (connection)

sql = "INSERT INTO table (PaxName) VALUES (" & PaxName & ")"

on error resume next
myconn.Execute sql,recaffected
if err<>0 then
  Response.Write("No update permissions!")
else
  Response.Write("<h3>" & recaffected & " record added</h3>")
end if
myconn.close

Response.write ("<br>")
Response.write (sql)
Response.write ("<br>")
Response.write (err)

%>

</body>
</html> 

RE: Session Variables Being Lost

It's been a few years for me as well, but as I recall, that error is due to using a "read only" cursor for the recordset rather than read only file/folder permissions.

CODE --> vBScript

myconn.CursorLocation = adUseClient
myconn.CursorType = adOpenDynamic 


This is the correct combination for a multi-user database for writing and reading the DB.

If you are only displaying records, set the CursorType to adOpenStatic, as it is a little quicker when reading data than adOpenDynamic is.


I've attached an include file with all the ADO constants defined just in case you need it.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

RE: Session Variables Being Lost

Quote (axLW)

The directory I'm writing to definitely has 'Write' permissions

But who has write permissions to the folder? You will need to give the IUSR user write permissions.

Also, this may give you more to work with:

CODE

if err<>0 then
  Response.Write("Error#: " & Err.Number & ": " & Err.Description)
else
  Response.Write("<h3>" & recaffected & " record added</h3>")
end if 

RE: Session Variables Being Lost

(OP)
Error#: -2147217900: Syntax error in INSERT INTO statement.

This is my SQL statement:

CODE

sql = "INSERT INTO table (PaxName) VALUES (" & PaxName & ")" 

I have tried adding single quotes like so:

CODE

sql = "INSERT INTO table (PaxName) VALUES ('" & PaxName & "')" 

and I get the same error so obviously there's another problem... here is the code in full that produces the syntax error:

CODE

<html>
<body>

<%

PaxName = "antony"

set myconn = Server.CreateObject("ADODB.connection")
connection = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" &_
Server.MapPath("x\db.mdb") & ";"
myconn.open (connection)



sql = "INSERT INTO table (PaxName) VALUES ('" & PaxName & "')"

on error resume next
myconn.Execute sql,recaffected


if err<>0 then
  Response.Write("Error#: " & Err.Number & ": " & Err.Description)
else
  Response.Write("<h3>" & recaffected & " record added</h3>")
end if 

myconn.close

Response.write ("<br>")
Response.write (sql)
Response.write ("<br>")
Response.write (err)

%>

</body>
</html> 

RE: Session Variables Being Lost

(OP)
It's working now.

Used the single-quote SQL and changed the name of my table from table to testtable.

How silly of me.

Thanks again, all.

RE: Session Variables Being Lost


I hope you understand the risk of SQL injection when using an inline insert statement.
What if
PaxName = "antony; delete from PaxName;"

sql = "INSERT INTO table (PaxName) VALUES ('" & PaxName & "')"

In your case it will give you an SQL error, but the code executes on the database side, so it will delete all records in the PaxName table.
Make sure you validate the value in PaxName.
I would recommend adding the record using a recordset.

RE: Session Variables Being Lost

I'd go with using a parameterized query.

Swi

RE: Session Variables Being Lost

(OP)
OK, I know how to open a recordset and retrieve/display the details, but I have never inputted a record using a recordset.

Swi, do you have an example, if you think that's a better option?

RE: Session Variables Being Lost

(OP)
If I post my full code do you think you can "PARAMETERIZE" my query?

RE: Session Variables Being Lost

(OP)
This is my full working insert code (with fake item names):

CODE

set myconn = Server.CreateObject("ADODB.connection")
connection = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" &_
Server.MapPath("myDATABASEpath") & ";"
myconn.open (connection)

sql = "INSERT INTO myTABLE (field1,field2,field3,field4,field5,"
sql = sql & "field6,field7,field8) VALUES ("
sql = sql & "'" & formITEM1 & "',"
sql = sql & "'" & formITEM2 & "',"
sql = sql & "'" & formITEM3 & "',"
sql = sql & "'" & formITEM4 & "',"
sql = sql & "'" & formITEM5 & "',"
sql = sql & "'" & formITEM6 & "',"
sql = sql & "'" & formITEM7 & "',"
sql = sql & "'" & formITEM8 & "')"


on error resume next
myconn.Execute sql,recaffected
myconn.close 
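
Added example, not part of the original thread: the insert above rewritten as a parameterized query with ADODB.Command, so the form values are bound as data and never become part of the SQL text. The sample values are constructed, and the 255-character column width is an assumption about the table.

```vbscript
<%
' ADO constants, values as defined in adovbs.inc
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202
Const adExecuteNoRecords = 128
Const MAX_LEN = 255 ' assumption: width of the Access Text columns
Dim myconn, cmd, values, i, recaffected

' Constructed sample input standing in for formITEM1..formITEM8.
values = Array("O'Brien", "antony; delete from PaxName;", "item3", _
               "item4", "item5", "item6", "item7", "item8")

' Reject over-long values before touching the database.
For i = 0 To UBound(values)
  If Len(values(i)) > MAX_LEN Then
    Response.Write "Value " & (i + 1) & " is too long."
    Response.End
  End If
Next

Set myconn = Server.CreateObject("ADODB.Connection")
myconn.Open "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & _
            Server.MapPath("myDATABASEpath") & ";"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = myconn
cmd.CommandType = adCmdText
' One ? per column; the statement text never contains user data.
cmd.CommandText = "INSERT INTO myTABLE (field1,field2,field3,field4," & _
                  "field5,field6,field7,field8) VALUES (?,?,?,?,?,?,?,?)"

' Jet binds parameters by position, so append them in column order.
For i = 0 To UBound(values)
  cmd.Parameters.Append cmd.CreateParameter("p" & (i + 1), adVarWChar, _
      adParamInput, MAX_LEN, values(i))
Next

On Error Resume Next
cmd.Execute recaffected, , adExecuteNoRecords
If Err.Number <> 0 Then
  ' Record the error number in the IIS log; show the visitor a generic message.
  Response.AppendToLog "insert failed " & Err.Number
  Response.Write "The booking could not be saved."
Else
  Response.Write "<h3>" & recaffected & " record added</h3>"
End If
On Error GoTo 0
myconn.Close
%>
```

Because the values are bound, the apostrophe in the first sample value and the semicolons in the second are stored exactly as typed, with no quoting or stripping step.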

RE: Session Variables Being Lost

If SQL Injection is a consideration for the usage of the site I have a class method/function that I used for "sanitising" user input.

CODE --> VBscript

public function StripChars(ByVal p_sIn) 
dim l_asBlock 
dim i
  l_asBlock = array("select", "drop", ";", "--", "insert","delete", "xp_") 
  for i = lBound(l_asBlock) to uBound(l_asBlock) 
    p_sIn = replace(p_sIn, l_asBlock(i), "") 
  next 
StripChars = p_sIn 
end function 

You can easily extend the range of commands that will be stripped by adding them to the array l_asBlock

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

RE: Session Variables Being Lost

(OP)
Sorry Chris, my mind goes blank when I look at that...

I don't understand it.

RE: Session Variables Being Lost

Using a recordset, the example with your code will be:

CODE --> asp

<html>
<body>

<%

PaxName = "antony"

set myconn = Server.CreateObject("ADODB.connection")
connection = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" &_
Server.MapPath("x\db.mdb") & ";"
myconn.open (connection)

set rs = Server.CreateObject("ADODB.recordset")

sql = "select * from  PaxName where PaxName = ''"

rs.open sql, cn, 1, 3 '1 - adOpenKeyset , 3 - adLockOptimistic
rs.addNew
rs("PaxName") = PaxName 
rs.Update
rs.close

if err<>0 then
  Response.Write("Error#: " & Err.Number & ": " & Err.Description)
else
  Response.Write("<h3> 1 record added</h3>")
end if 

myconn.close

Response.write ("<br>")
Response.write ("<br>")
Response.write (err)

%>

</body>
</html> 

RE: Session Variables Being Lost

Quote (axLW)

Sorry Chris, my mind goes blank when I look at that...

Okay, basically it is just a "replace" function that will "break" a malicious SQL query by replacing characters or words that can damage or destroy your database, also known as "sanitising" the input. If you have a text input or textarea so that users can add data, you put it through the StripChars() function before concatenating the data to your query.

Also, if the page is going to be publicly accessible, do not print the error description to the page in the production version. While you are testing it is fine, but if you reduce the error feedback to the bare minimum, you do not help the crackers and script kiddies to figure out what the operating system and the database server are.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

RE: Session Variables Being Lost

(OP)
Getting the following error on the bold line below:

CODE

<html>
<body>

<%

PaxName = "antony"

set myconn = Server.CreateObject("ADODB.connection")
connection = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" &_
Server.MapPath("x\db.mdb") & ";"
myconn.open (connection)

set rs = Server.CreateObject("ADODB.recordset")

sql = "select * from  PaxName where PaxName = ''"

rs.open sql, cn, 1, 3 '1 - adOpenKeyset , 3 - adLockOptimistic
rs.addNew
rs("PaxName") = PaxName 
rs.Update
rs.close

if err<>0 then
  Response.Write("Error#: " & Err.Number & ": " & Err.Description)
else
  Response.Write("<h3> 1 record added</h3>")
end if 

myconn.close

Response.write ("<br>")
Response.write ("<br>")
Response.write (err)

%>

</body>
</html> 

ADODB.Recordset error '800a0bb9'

Arguments are of the wrong type, are out of acceptable range, or are in conflict with one another.

RE: Session Variables Being Lost

Your connection is called myconn, not cn

RE: Session Variables Being Lost

(OP)
You know I did see that. I should have just changed it myself.

Sorry for being lazy. Thanks again for the solution.

If it makes the website a bit more secure it can only be a good thing.

:)
