
Using IIS 7.5 with SQL Server 2008. Have some screens exposed to clients after login. Was originally tasked with finding out why some fields did not show. Fixed that. But also found that some pages include SQL strings that include stored procedure and adding parameters that are not usually provided by users, but could be potentially exploited. So as secondary task, have attempted to parameterize the query. What I am finding is that as soon as I attempt to assign values to any properties of the command object, it causes the server to return a 500 error. I don't see anything in the logs, but I think that's because I haven't found the right logs.

Here is the test code I'm trying:

```vbscript
<% 
Dim strCnxn 
strCnxn = "DSN=myDSN"
Dim objConnection
Set objConnection = Server.CreateObject("ADODB.Connection")  
objConnection.Mode = acModeRead
objConnection.Open strCnxn

Dim cmd
cmd = Server.CreateObject("ADODB.Command")
Dim rsPmts 
Set rsPmts = CreateObject("ADODB.Recordset")
'cmd.ActiveConnection = objConnection
'cmd.CommandType = adCmdStoredProc
'cmd.CommandType = 4
'cmd.CommandText = "spNewPayments"
'cmd.Parameters.Refresh
'cmd.Parameters.Append .CreateParameter("@claim_id", adInteger, adParamInput, , 162611)

'rsPmts.Open cmd, , adOpenForwardOnly, adLockReadOnly
'rsPmts.Close 
 Set rsPmts = Nothing
 Set objConnection = Nothing
 Set cmd = Nothing
%>
```

The commented code is where problems start to occur. Originally I had this set up as a `With cmd` structure, but tried changing that to see exactly where the problem occurs. It fails any time I attempt to assign anything to `cmd.propertyname`. So, above, if I try to comment out one of those lines, it immediately gives a 500 error. At first, I thought it was because I wasn't properly using the `.CreateParameter`, except it doesn't seem to be just that line, but when I set any of the properties on the `cmd` object.

I've never done this in VBScript, and a similar structure in VBA for Access runs fine (although I'm also currently trying to debug why it thinks that I'm not providing the correct number of parameters to the stored procedure, but I think I have two confounding errors going on here.)

CarloTex
  • Set the server to display errors to the client. See https://stackoverflow.com/questions/2640526/detailed-500-error-message-asp-iis-7-5 (make sure not to use this setting in production, only for development) – Tomalak Sep 17 '18 at 14:37
  • @Tomalak It now gives me a link to the Microsoft page "Classic ASP Not Installed by Default on IIS 7.0 and above," so even though the old ASP classic pages are currently working as-is correctly, as I try to update them, they are failing because Classic ASP really isn't turned on. Does this make sense? Will be checking and installing ASP. – CarloTex Sep 17 '18 at 15:06
  • No, that doesn't make sense. When the server is configured to handle *.asp files, then it will pass them to the ASP ISAPI module for processing. When this is disabled, then the "old" ASP files on the same server should not work, either. – Tomalak Sep 17 '18 at 15:12
  • I checked with the server admin and ASP is installed, so the error message screen is not helping or is giving incorrect info to us. – CarloTex Sep 17 '18 at 15:17
  • It may be installed. But is it *enabled*? Check the "ISAPI and CGI Restrictions" configuration, as well as the Handler Mappings. – Tomalak Sep 17 '18 at 15:18
  • I'll check on that. Would the old ASP files be working if that weren't the case? – CarloTex Sep 17 '18 at 16:07
  • @CarloTex In relation to the HTTP 500 errors, you may also need to have [Send Errors to the Browser](https://stackoverflow.com/a/29962918/692942) set to `True` before you see a meaningful error. – user692942 Sep 17 '18 at 17:16
  • [StackOverflow is prompting me to move this discussion to chat, but then it won't let me do that. I'm not really sure about the best way to respond given the expectations of this site. I want to comply, but I just don't understand the requirement or expectation.] – CarloTex Sep 17 '18 at 20:41
  • Even though I changed all the settings to show the error I could find, I was never able to successfully do so. I am able to see it on the server. The Microsoft VBScript runtime error Object doesn't support this property or method: ActiveConnection – CarloTex Sep 17 '18 at 20:46
  • That's because `objConnection` will be an `ADODB.Connection` "object", so you need to use `Set` as in `Set cmd.ActiveConnection = objConnection`. If you had passed it a string containing a connection string, it would have worked with `cmd.ActiveConnection = strCnxn` *(but you would have to have set `Mode` via `cmd.ActiveConnection.Mode = acModeRead` instead)*. – user692942 Sep 17 '18 at 21:30
  • @Lankymart Yes, I just figured out that the `Set` was missing and was coming back here to reply. You should put that as the answer. – CarloTex Sep 17 '18 at 21:34
  • It's been answered numerous times before, it's a very common problem. – user692942 Sep 17 '18 at 21:37

0 Answers
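The test page from the question with the `Set` fix from the comments applied, as an added example that is not code from the original thread. The `claim_id` query-string source, its validation, and the output of the first column are assumptions for illustration; the DSN and procedure name are the ones in the question.

```vbscript
<%
Option Explicit
' ADO constants are not predefined in VBScript; declare them or include adovbs.inc.
Const adModeRead = 1
Const adCmdStoredProc = 4
Const adInteger = 3
Const adParamInput = 1
Const adOpenForwardOnly = 0
Const adLockReadOnly = 1

Dim claimId, objConnection, cmd, rsPmts
' Assumed input source: reject anything non-numeric before it reaches ADO.
If Not IsNumeric(Request.QueryString("claim_id")) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
claimId = CLng(Request.QueryString("claim_id"))

Set objConnection = Server.CreateObject("ADODB.Connection")
objConnection.Mode = adModeRead
objConnection.Open "DSN=myDSN"

' Object references must be assigned with Set, both here and for ActiveConnection.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = objConnection
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "spNewPayments"
' Outside a With block, CreateParameter needs the cmd. qualifier.
' Append only; Parameters.Refresh would already populate the collection.
cmd.Parameters.Append cmd.CreateParameter("@claim_id", adInteger, adParamInput, , claimId)

Set rsPmts = Server.CreateObject("ADODB.Recordset")
rsPmts.Open cmd, , adOpenForwardOnly, adLockReadOnly
Do Until rsPmts.EOF
    ' Column 0 is a placeholder; encode anything written into the page.
    Response.Write Server.HTMLEncode(rsPmts.Fields(0).Value & "") & "<br>"
    rsPmts.MoveNext
Loop

rsPmts.Close
objConnection.Close
Set rsPmts = Nothing
Set cmd = Nothing
Set objConnection = Nothing
%>
```

Because the value travels as a typed `adInteger` parameter, it is never concatenated into the SQL text sent to the server.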