Hi, how can I insert into a SQL database table from my ASP page using JavaScript code?

I found code to select from a table. What should I change?

I am trying to insert lat and lng and a name from a textbox read from a prompt (Google API).

What I have tried:

google.maps.event.addListener(map, "rightclick", function(event) {
                var lat = event.latLng.lat();
                var lng = event.latLng.lng();
                //window.prompt("Lat=" + lat + "; Lng=" + lng,"defaultText");
                var text =  prompt("Lat=" + lat + "; Lng=" + lng, "");
                var objConnection = new ActiveXObject("adodb.connection");
                var strConn = "driver={sql server};server=.;database=MAPDB;uid=sa;password=123456";
                objConnection.Open(strConn);
                var rs = new ActiveXObject("ADODB.Recordset");
                var strQuery = "insert into tbl_hotarea (HeadTitle , lat , lng) values ('"+text+"' , '"+lat+"' , '"+lng+"')";
                rs.Open(strQuery, objConnection);
            });
Updated 22-Apr-19 21:06pm
Comments
Richard Deeming 24-Apr-19 17:31pm    
In addition to the fact that you're targeting SQL Server on the client computer, and the fact that your code will only run in Internet Explorer on Windows, and only if the user has enabled your site to initialize and script ActiveX controls which are not marked as safe for scripting...

... your code is also vulnerable to SQL Injection.

Now in this case, the user will only end up hacking their own local copy of your database - you did provide instructions on how to install SQL Server and get a copy of your database, didn't you? - but it's still going to cause problems. For example, what happens when the user enters Bob's Burgers into your prompt?

Add in the fact that you're connecting as sa - an unrestricted user with unlimited permissions, which can be used to destroy anything it touches - and this is definitely NOT looking like a site anyone would trust to use unsafe ActiveX controls!

1 solution

You need to learn how web pages work. If this works at all, it will use ActiveX to insert into a database on the client machine that you assume exists.

I hope you're not using ASP. Even ASP.NET is outdated.

You need to make an AJAX call or a postback and insert to the database in the back end code.
 
 
Comments
sam9787 23-Apr-19 4:34am    
My friend, I think it will be easier than that. The select statement works fine, but insert doesn't work.
Christian Graus 23-Apr-19 4:36am    
Your friend also does not understand the internet. It seems to work during development but it will only work in production if the people downloading the site have SQL Server installed, with the same username and password and the same database to work with.
sam9787 23-Apr-19 5:06am    
thank you
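
The approach the solution and Richard Deeming's comment point to, as an added example that is not part of the original thread: the browser posts only data, and back-end code validates it and runs a parameterized insert. The function names, the 100-character limit and the `execute(sql, params)` database interface are assumptions; the question's concatenated query is kept beside it for contrast.

```javascript
// Added example. Table/column names are from the question; function names,
// the 100-char limit and the execute(sql, params) interface are assumptions.

// The question's approach: user text becomes part of the statement itself.
function concatenatedInsert(text, lat, lng) {
  return "insert into tbl_hotarea (HeadTitle , lat , lng) values ('" +
    text + "' , '" + lat + "' , '" + lng + "')";
}

// Hardened form: fixed statement text; values travel as named parameters.
const INSERT_SQL =
  'insert into tbl_hotarea (HeadTitle, lat, lng) values (@title, @lat, @lng)';

// Validate what the browser sent before it gets near the database.
function parseHotArea(body) {
  const title = typeof body.title === 'string' ? body.title.trim() : '';
  const { lat, lng } = body;
  if (title.length === 0 || title.length > 100) throw new RangeError('title');
  // Number.isFinite does not coerce, so strings such as "91" are rejected.
  if (!Number.isFinite(lat) || Math.abs(lat) > 90) throw new RangeError('lat');
  if (!Number.isFinite(lng) || Math.abs(lng) > 180) throw new RangeError('lng');
  return { title, lat, lng };
}

// Back-end handler. `execute` stands in for the server's database call and is
// assumed to bind @name parameters instead of splicing them into the text.
function saveHotArea(jsonText, execute) {
  let area;
  try {
    area = parseHotArea(JSON.parse(jsonText));
  } catch (err) {
    const what = err instanceof RangeError ? err.message : 'JSON';
    return { status: 400, error: 'invalid ' + what };
  }
  execute(INSERT_SQL, area);
  return { status: 201 };
}

// Browser side: data only; no connection string or SQL leaves the server.
// Usage (hypothetical URL): fetch('/hotarea', hotAreaRequest(text, lat, lng))
function hotAreaRequest(title, lat, lng) {
  return {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ title, lat, lng }),
  };
}
```

With "Bob's Burgers" as input, `concatenatedInsert` yields a statement whose string literal ends at the apostrophe, while `saveHotArea` passes the same text through unchanged as the `@title` value.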

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


