Click here to Skip to main content
16,019,140 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
hi how can i insert into sql database table from my asp page using javascript code

i found code in select from table , what should i change

i try to insert lat and lng and name from textbox read from prompt google api

What I have tried:

google.maps.event.addListener(map, "rightclick", function(event) {
                var lat = event.latLng.lat();
                var lng = event.latLng.lng();
                //window.prompt("Lat=" + lat + "; Lng=" + lng,"defaultText");
                var text =  prompt("Lat=" + lat + "; Lng=" + lng, "");
                var objConnection = new ActiveXObject("adodb.connection");
                var strConn = "driver={sql server};server=.;database=MAPDB;uid=sa;password=123456";
                objConnection.Open(strConn);
                var rs = new ActiveXObject("ADODB.Recordset");
                var strQuery = "insert into tbl_hotarea (HeadTitle , lat , lng) values ('"+text+"' , '"+lat+"' , '"+lng+"')";
                rs.Open(strQuery, objConnection);
            });
Posted
Updated 22-Apr-19 21:06pm
Comments
Richard Deeming 24-Apr-19 17:31pm    
In addition to the fact that you're targeting SQL Server on the client computer, and the fact that your code will only run in Internet Explorer on Windows, and only if the user has enabled your site to initialize and script ActiveX controls which are not marked as safe for scripting...

... your code is also vulnerable to SQL Injection[^].

Now in this case, the user will only end up hacking their own local copy of your database - you did provide instructions on how to install SQL Server and get a copy of your database, didn't you? - but it's still going to cause problems. For example, what happens when the user enters Bob's Burgers into your prompt?

Add in the fact that you're connecting as sa - an unrestricted user with unlimited permissions, which can be used to destroy anything it touches - and this is definitely NOT looking like a site anyone would trust to use unsafe ActiveX controls!

1 solution

You need to learn how web paqes work. If this works at all, it will use ActiveX to insert into a database on the client machine that you assume exists.

I hope you're not using ASP. Even ASP.NET is outdated.

You need to make an AJAX call or a postback and insert to the database in the back end code
 
Share this answer
 
Comments
sam9787 23-Apr-19 4:34am    
my friend i think it will be easy more that , the select statement work fine , but insert dont work
Christian Graus 23-Apr-19 4:36am    
Your friend also does not understand the internet. It seems to work during development but it will only work in production if the people downloading the site have SQL Server installed, with the same username and password and the same database to work with.
sam9787 23-Apr-19 5:06am    
thank you

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900