-
Query MS Access database
Hello,
I'm trying to query an MS Access database from a .vbs file.
This file will be run by an SMS gateway when a message is received.
The following is a sample that is provided by the sms software:
===sample.vbs==================
'This sample SMSReceive script simply returns the message to the sender
set Args = Wscript.Arguments
'Get details of received message
PhoneNumber = Args(0)
MessageText = Args(1)
Handset = Args(2)
'Create ActiveSMS COM Object
Set ActiveSMS = WScript.CreateObject("Intellisoftware.ActiveSMS")
'TODO : Add your code here for Info-on-demand service (e.g. Query database etc)
'Send message back to sender
ActiveSMS.ActiveHandset = Handset
ActiveSMS.SendMessage PhoneNumber, MessageText, 0
=======================================
Now I add my code as shown below:
========test.vbs=======================
set Args = Wscript.Arguments
'Get details of received message
PhoneNumber = Args(0)
MessageText = Args(1)
Handset = Args(2)
'Create ActiveSMS COM Object
Set ActiveSMS = WScript.CreateObject("Intellisoftware.ActiveSMS")
set conn=Server.CreateObject("ADODB.Connection")
conn.Provider="Microsoft.Jet.OLEDB.4.0"
conn.Open "C:/Inetpub/wwwroot/SMS-Project/DATABASE/Project.mdb"
set rs=Server.CreateObject("ADODB.recordset")
SQL = "SELECT * FROM Login WHERE Username = '" + Request("MessageText") + "'"
rs.Open sql, conn
MessageText = rs("Password")
rs.close
conn.close
'Send message back to sender
ActiveSMS.ActiveHandset = Handset
ActiveSMS.SendMessage PhoneNumber, MessageText, 0
=====================================
Using the above code I'm getting the following error:
VBScript runtime error
Object Required: 'Server'
Line: 12
What I'm trying to do is to query the database using the MessageText value, which will retrieve the password of this user and send it back by SMS.
My concern is whether my connection and SQL statement are correct.
Thanks a lot for your help
-
I'd guess that you did copy and paste your db code from an ASP page?
If you want to make this run under WSH, try as follows (only the changed lines):
...
set conn=WScript.CreateObject("ADODB.Connection")
...
set rs=WScript.CreateObject("ADODB.recordset")
SQL = "SELECT * FROM Login WHERE Username = '" + MessageText "'"
...
On top of that:
You should check if the record set is not empty before you try to access it.
Looking at the query I have noticed another thing: Everybody can request anybody's password just by passing a valid login in the message text. You should also check if the user's phone number belongs to the login supplied in message text.
Or even worse: Try calling your vbs with the following arguments and add
MsgBox (SQL)
in your code:
test.vbs "123" "' OR '1'='1" ""
Last edited by andi_g69; 03-08-2003 at 04:03 AM.
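The three points raised in the reply above (empty record set, phone number ownership, and the `' OR '1'='1` input) can be handled together with a parameterized ADODB.Command. This is an added example, not code from any poster in the thread or from the SMS software; the `Phone` column, the parameter names and the sizes 50 and 30 are assumptions about the Login table.

```vbscript
Option Explicit
' ADO constants (WSH does not load adovbs.inc)
Const adVarWChar = 202, adParamInput = 1, adCmdText = 1

Dim Args, PhoneNumber, MessageText, Handset
Set Args = WScript.Arguments
If Args.Count < 3 Then WScript.Quit 1
PhoneNumber = Args(0)
MessageText = Trim(Args(1))
Handset = Args(2)

Dim conn, cmd, rs, Reply
Set conn = WScript.CreateObject("ADODB.Connection")
conn.Provider = "Microsoft.Jet.OLEDB.4.0"
conn.Open "C:/Inetpub/wwwroot/SMS-Project/DATABASE/Project.mdb"

Set cmd = WScript.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? placeholders are bound as data, so a message text such as
' ' OR '1'='1 is compared literally against Username and matches nothing.
' Phone is an assumed column holding the mobile number registered for the login.
cmd.CommandText = "SELECT [Password] FROM Login WHERE Username = ? AND Phone = ?"
' Left() keeps each value within the declared (assumed) parameter size.
cmd.Parameters.Append cmd.CreateParameter("user", adVarWChar, adParamInput, 50, Left(MessageText, 50))
cmd.Parameters.Append cmd.CreateParameter("phone", adVarWChar, adParamInput, 30, Left(PhoneNumber, 30))
Set rs = cmd.Execute

' An empty record set means unknown login or a sender that does not own it.
If rs.EOF Then
    Reply = "Unknown user or phone number"
Else
    Reply = rs("Password")
End If
rs.Close
conn.Close

'Send message back to sender
Dim ActiveSMS
Set ActiveSMS = WScript.CreateObject("Intellisoftware.ActiveSMS")
ActiveSMS.ActiveHandset = Handset
ActiveSMS.SendMessage PhoneNumber, Reply, 0
```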
-
>>I'd guess that you did copy and paste your db code from an ASP page?
Yes, I'm familiar with ASP but have never tried vbs.
>>Looking at the query I have noticed another thing: Everybody can request anybody's password just by passing a valid login in the message text.
Yeah, this is just a test. I will send the password to the user's mobile number, which will already be stored in the database.
Thanks a lot andi_g69
I will try it and let you know.
-
My final code is as follows:
=============test.vbs=================
set Args = Wscript.Arguments
'Get details of received message
PhoneNumber = Args(0)
MessageText = Args(1)
Handset = Args(2)
'Create ActiveSMS COM Object
Set ActiveSMS = WScript.CreateObject("Intellisoftware.ActiveSMS")
set conn= WScript.CreateObject("ADODB.Connection")
conn.Provider="Microsoft.Jet.OLEDB.4.0"
conn.Open "C:/Inetpub/wwwroot/SMS-Project/DATABASE/Project.mdb"
set rs= WScript.CreateObject("ADODB.recordset")
SQL = "SELECT * FROM Login WHERE Username = '" + MessageText "'"
rs.Open sql, conn
MessageText = rs("Password")
rs.close
conn.close
'Send message back to sender
ActiveSMS.ActiveHandset = Handset
ActiveSMS.SendMessage PhoneNumber, MessageText, 0
=====================================
When I run the script I'm getting the following error:
Line: 15
Char: 62
Error: Expected end of statement
Code: 800A0401
Source: Microsoft VBScript compilation error
Can you help me with that?
Thanks a lot for your time.
Last edited by andreas; 03-10-2003 at 05:31 AM.
-
Finally I solved the problem,
the "+" was needed at the end of the SQL statement, as in the example below:
SQL = "SELECT * FROM Login WHERE Username = '" + MessageText + "'"
Thanks a lot