I am looking into old VB 6 code as there is support work I have to do.
I didn't understand the lines below:
Public Function BadgeVerificationSucceed(sBadgeID As String) As Boolean

    On Error GoTo ErrHandler

    ' An empty badge ID never verifies: the function keeps its default return value (False)
    If Len(sBadgeID) = 0 Then Exit Function

    Set rstADO = New ADODB.Recordset
    With rstADO
        ' NOTE: sBadgeID is concatenated straight into the SQL text; the trailing ' comment
        ' is a disabled remainder of the query (ClusterID / EnableCompartment / ORDER BY)
        sqlQuery = "Select *  FROM  tblUsers  Where [Employee ID] = '" & sBadgeID & "'" ' And [ClusterID]=" & MyClusterID & " And [EnableCompartment] <> 0  Order By [CabinetCode],[CompartmentCode]"

        ''debug..print sqlQuery
        ' Updatable keyset cursor, so the record can be written back below
        .Open sqlQuery, cnsecurecabinetdb, adOpenKeyset, adLockOptimistic, adCmdText
        If Not .EOF Then
            ' First matching row only: stamp the current RFID into it, read name and user ID
            ![RFID] = myRFID
            myFullName = ![First Name] & " " & ![Last Name]
            myUserID = ![UserID]
            .Update
            BadgeVerificationSucceed = True
        End If
        .Close
    End With
    Set rstADO = Nothing

    Exit Function

ErrHandler:
    ' Label referenced by On Error GoTo above; the posted snippet ended before the handler
    ' body, so nothing is done here and the function returns False
End Function


What I have tried:

Tried converting the VB 6 code to VB.NET; it gave an error.
Posted
Updated 7-Jun-17 2:43am
Comments
ZurdoDev 7-Jun-17 8:35am    
It's looking up a badge in a table and if it finds it, it's pulling out some values.
Member 11042699 7-Jun-17 8:54am    
what exactly this will do ![RFID] = myRFID?
ZurdoDev 7-Jun-17 9:07am    
As I recall, that will set the value in the database.
F-ES Sitecore 7-Jun-17 9:22am    
It's inside a "with rstADO" so it's

rstADO![RFID]

VB6 has the concept of default fields so if none is supplied the default is used, and also of early and late binding so the fully expanded line is effectively

rstADO.Fields("RFID") = myRFID

so it is setting the value of the RFID field in that record to myRFID. Later on the .Update persists that change to the database.

1 solution

It talks to a database in a dangerous manner - it's wide open to SQL Injection which can damage or destroy your database - and retrieves rows from it. It then grabs the values from the first returned row and ignores all the rest.

If that's the standard of the code you are converting, I'd bin it and start again from scratch: SQL Injection is a schoolboy mistake, and that implies the rest of the code is equally poor.
 
Comments
F-ES Sitecore 7-Jun-17 9:24am    
To be pedantic you don't know if it's vulnerable to SQL injection because you don't know where sBadgeID has come from.
OriginalGriff 7-Jun-17 9:54am    
Any time you get strings passed in, it has to be assumed to be vulnerable - because if it isn't now, it will be next week! :laugh:
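The following is an added example, not the original poster's code and not from the accepted answer: the same badge lookup rewritten with ADODB.Command parameters so that sBadgeID is passed to the provider as data rather than spliced into the SQL text. It also spells out the `![RFID]` / `![First Name]` shorthand discussed in the comments as explicit `.Fields("...").Value` access. Assumptions: cnsecurecabinetdb is an open ADODB.Connection; myRFID, myFullName and myUserID are module-level variables as in the question; the column sizes (50) and the adVarChar types are guesses, and the function name BadgeVerificationSucceedSafe is invented here.

```vb
' Added example (not the page's original code). Parameterised version of the lookup.
' Assumed: cnsecurecabinetdb (open ADODB.Connection), myRFID, myFullName, myUserID
' exist at module level; column types/sizes below are assumptions.
Public Function BadgeVerificationSucceedSafe(sBadgeID As String) As Boolean
    Dim cmd As ADODB.Command
    Dim rst As ADODB.Recordset

    On Error GoTo ErrHandler

    BadgeVerificationSucceedSafe = False
    If Len(sBadgeID) = 0 Then Exit Function

    ' 1. Parameterised SELECT. The ? placeholder is bound to sBadgeID by the provider,
    '    so a badge ID such as   ' OR ''='   is compared literally against [Employee ID]
    '    instead of turning the WHERE clause into   [Employee ID] = '' OR ''=''   (always true)
    '    as happens with string concatenation.
    Set cmd = New ADODB.Command
    With cmd
        .ActiveConnection = cnsecurecabinetdb
        .CommandType = adCmdText
        .CommandText = "SELECT [UserID], [First Name], [Last Name] " & _
                       "FROM tblUsers WHERE [Employee ID] = ?"
        .Parameters.Append .CreateParameter("BadgeID", adVarChar, adParamInput, 50, sBadgeID)
    End With
    Set rst = cmd.Execute          ' forward-only, read-only recordset; enough for reading

    If Not rst.EOF Then
        ' Explicit form of the   ![First Name]   shorthand used in the question
        myFullName = rst.Fields("First Name").Value & " " & rst.Fields("Last Name").Value
        myUserID = rst.Fields("UserID").Value
        BadgeVerificationSucceedSafe = True
    End If
    rst.Close
    Set rst = Nothing

    If Not BadgeVerificationSucceedSafe Then Exit Function

    ' 2. Parameterised UPDATE replaces   ![RFID] = myRFID   +   .Update   on the keyset
    '    recordset. Both values are bound; neither is concatenated into the statement.
    Set cmd = New ADODB.Command
    With cmd
        .ActiveConnection = cnsecurecabinetdb
        .CommandType = adCmdText
        .CommandText = "UPDATE tblUsers SET [RFID] = ? WHERE [Employee ID] = ?"
        .Parameters.Append .CreateParameter("RFID", adVarChar, adParamInput, 50, myRFID)
        .Parameters.Append .CreateParameter("BadgeID", adVarChar, adParamInput, 50, sBadgeID)
        .Execute
    End With
    Set cmd = Nothing
    Exit Function

ErrHandler:
    ' Fail closed: any database error means the badge is NOT verified
    BadgeVerificationSucceedSafe = False
    If Not rst Is Nothing Then
        If rst.State = adStateOpen Then rst.Close
    End If
    Set rst = Nothing
    Set cmd = Nothing
End Function
```

Two behavioural differences to be aware of before dropping this in: the original wrote the RFID into the first matching row only, whereas the UPDATE above touches every row whose [Employee ID] equals the badge ID (identical unless that column is not unique); and the original returned False on an error only by accident of the default return value, whereas here it is explicit. Parameters remove the injection, but they do not make the badge ID trusted: a value read from a card reader or a text box is still external input, as the comment above points out, and should be length-checked and character-checked before it reaches the database.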

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)