Click here to Skip to main content
14,386,289 members
Rate this:
Please Sign up or sign in to vote.
hi how can i insert into sql database table from my asp page using javascript code

i found code in select from table , what should i change

i try to insert lat and lng and name from textbox read from prompt google api

What I have tried:

google.maps.event.addListener(map, "rightclick", function(event) {
                var lat = event.latLng.lat();
                var lng = event.latLng.lng();
                //window.prompt("Lat=" + lat + "; Lng=" + lng,"defaultText");
                var text =  prompt("Lat=" + lat + "; Lng=" + lng, "");
                var objConnection = new ActiveXObject("adodb.connection");
                var strConn = "driver={sql server};server=.;database=MAPDB;uid=sa;password=123456";
                objConnection.Open(strConn);
                var rs = new ActiveXObject("ADODB.Recordset");
                var strQuery = "insert into tbl_hotarea (HeadTitle , lat , lng) values ('"+text+"' , '"+lat+"' , '"+lng+"')";
                rs.Open(strQuery, objConnection);
            });
Posted
Updated 22-Apr-19 22:06pm
Comments
Richard Deeming 24-Apr-19 17:31pm
   
In addition to the fact that you're targeting SQL Server on the client computer, and the fact that your code will only run in Internet Explorer on Windows, and only if the user has enabled your site to initialize and script ActiveX controls which are not marked as safe for scripting...

... your code is also vulnerable to SQL Injection[^].

Now in this case, the user will only end up hacking their own local copy of your database - you did provide instructions on how to install SQL Server and get a copy of your database, didn't you? - but it's still going to cause problems. For example, what happens when the user enters Bob's Burgers into your prompt?

Add in the fact that you're connecting as sa - an unrestricted user with unlimited permissions, which can be used to destroy anything it touches - and this is definitely NOT looking like a site anyone would trust to use unsafe ActiveX controls!

1 solution

Rate this:
Please Sign up or sign in to vote.

Solution 1

You need to learn how web paqes work. If this works at all, it will use ActiveX to insert into a database on the client machine that you assume exists.

I hope you're not using ASP. Even ASP.NET is outdated.

You need to make an AJAX call or a postback and insert to the database in the back end code
   
Comments
sameralkhalili 23-Apr-19 4:34am
   
my friend i think it will be easy more that , the select statement work fine , but insert dont work
Christian Graus 23-Apr-19 4:36am
   
Your friend also does not understand the internet. It seems to work during development but it will only work in production if the people downloading the site have SQL Server installed, with the same username and password and the same database to work with.
sameralkhalili 23-Apr-19 5:06am
   
thank you

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)




CodeProject, 503-250 Ferrand Drive Toronto Ontario, M3C 3G8 Canada +1 416-849-8900 x 100