Microsoft-SQL-Server

Classic ASP might seem like a language that is dead and gone, but it is still alive…somehow. With a language that has become outdated, it can be difficult to fight against modern security risks. Knowing how to prevent SQL injection with classic ASP is a valuable bit of code to have at your disposal. With bots capable of hacking sites, you don’t to make things easy for them. Thankfully, there is a way to setup prepared statements using Classic ASP.

If you are familiar with prepared statements, this shouldn’t be too much trouble. I will admint, this is a pretty ugly implementation, but ASP isn’t exactly bleeding edge, so this is the best we have. The first and most awkward thing about prepared statements with classic ASP, is that you need to declare the data type. For example, if a field in a DB is of type int, you need to declare this when creating the statement. It seems odd, but this is how it goes. the following code will show you a quick and easy way to pull a row from a database by using an ID that is passed in the querystring.

The only thing that needs to change are the parameters that you pass into the CreateParameter function. As I mentioned previously, you need to declare the data type when adding a command parameter. A full list of all of the data type codes can be found here http://www.w3schools.com/asp/met_comm_createparameter.asp

This is a pretty solid way to prevent sql injection with classic ASP. Nothing is ever bulletproof, so always be on the lookout for ways to further improve the security by validating data even further to prevent any bad data making its way into a query string.

 

Google Logo

The lastmod  field in sitemaps is subject to a lot of trouble for most people who are trying to build their own dynamic sitemaps. The main issue is that google only accepts a single type of timestamp and if it is now 100% correct it will throw a load of errors telling you the date is incorrect. I had a lot of difficulty finding the correct format to use for the timestamp. Quite often the solution would result in a date set to 1970, which of course was very incorrect. The solution below is how i was able to correctly use a MySQL timestamp in a Google sitemap for the lastmod field.

This will generate the correct output provided the input was first a valid SQL timestamp. One thing to be aware of and it is something that caused me to waste quite a lot of time. Even though you have updated the sitemap and the date is parsing correctly, Googles webmaster tools might still show the same error and will continue to show the error for a few minutes (even as far as an hour). As long as you are confident that the format is what it should be, wait a while and the webmaster tools page will eventually update correctly.

Most standard PDO tutorials from around the web are going to demonstrate using a MySQL database with apache as a web host. The PDO connection string for this setup is not going to work if you want to connect to a SQL Server database using Microsofts IIS server.

The first step is to make sure PHP is setup to connect to SQL Server. PHP is going to use the sqlsrv driver on IIS in order to connect to SQL Server. This will probably be installed already, but to make sure you will have to go to your php.ini file. If you are unsure where this file is located you can use phpInfo() to find out the file path of the php.ini file.

You need to open the file and check for the following line. If its commented out, uncomment it. If its missing then add it. If it’s not present then there is a chance that the driver is not installed at all, if so then you will need to install it.

If you don’t have the driver installed, you can get it here.

Once you are all setup with the driver and php is good to go, restart IIS to make sure that the changes with the php.ini are picked up by IIS.

 

When making a query the code stays the same, but the PDO connection string is going to be different. Use the following format and add the connection details for your server into the string.

This should be all you need to connect to an SQL Server database using PHP with IIS web host.

So you have chosen an awesome cryptic password that not even you can remember! It happens to us all, but fear not, it’s quite a simple job to reset this. Not sure if we should be worried over how easy it is to reset the root password for your mysql server, but we wont complaint for the moment.

So first thing you need to do to be able to do this is have root shell access to your server. The following commands are specific to Red Hat/Centos, but the same process can be used for any linux distro if you update the command accordingly.

Once you are connected to your server you must disable mysql.

Now that it is stopped you can enter the following command

You should now have access to update the internal tables for SQL. Now you can log into mysql and reset the password. The semi colon at the end of the line is important! Otherwise the command will keep going with an arrow. I.e ‘->’

 

Now you should be able to start the server back up.

PHP Logo

Often it can be quite hard to debug SQL errors when using PHP since PHP will often throw a generic error that doesn’t really help you diagnose the situation. Other times you may not want to allow PHP errors to be shown. A quick way to debug PDO SQL errors is to use the or die function. “or die” works by executing the SQL query and if it fails to execute it will “die” and output the contents of the function. This is quite similar to a try catch block.

In order to output the PDO error you will need to get the error info from the statement object. To implement this function simply add the the or die code to the end of the $stmt->execute code.