List all user tables in the pubs database, we’re not interested in views

SELECT *
FROM information_schema.tables
WHERE table_type = 'base table'

List only the table names

SELECT table_name
FROM information_schema.tables
WHERE table_type = 'base table'

List all columns in the authors table

SELECT *
FROM information_schema.columns
WHERE table_name = 'authors'

List only the column names

SELECT column_name
FROM information_schema.columns
WHERE table_name = 'authors'

If you have a form on your site that interacts with a database (e.g. a username/password login form), you should secure the form by adding an additional stage between submission and the database look-up. One way to do this is to check for valid content.

As usenames and passwords are usually strings of alphanumeric characters, you can strip out ‘bad’ characters from the input string.
The easiest way to do this is to collect the form’s input and check each character against a regular expression, removing any that are invalid.

The code below removes all non-alphanumeric characters from the input string:

<%
'gets the text submitted via a form
Dim strUsername, strPassword
strUsername = Request.Form("username")
strPassword = Request.Form("password")

'call the function to use
strUsername = stripString(strUsername)
strPassword = stripString(strPassword)

'function to strip all non-alphnumric characters
function stripString(strInput)
 Dim objRE
 Set objRE = New RegExp
 With objRE
  .Pattern = "[^A-Za-z0-9]"
  .Global = True
 End With
 stripChars = objRE.Replace(strInput, "")
 Set objRE = nothing
End Function
%>

Connection

To access a database we first need to open a connection to it, which involves creating an ADO Connection object.

We then specify the connection string and call the Connection object’s Open method.

I tend to create a seperate file called OpenDataConnection.asp and include this file with every page that needs a database connection.

Dim SQLConnection
Set SQLConnection = Server.CreateObject("ADODB.Connection")
SQLConnection.ConnectionString = "Provider=SQLOLEDB; Data Source=localhost; Initial Catalog=Northwind; UID=BlogIT; PWD=BlotIT"
SQLConnection.Open

Disconnection

Disconnecting from the database is very important as it releases any resources tied to it, Use the objects Close method at the end of your code, or alternativly create a file called CloseDataConnection.asp and include it as a footer at the end of each file that has OpenDataConnection.asp included.

SQLConnection.Close
set SQLConnection=nothing

Retrieve Data

One of the most common tasks in ASP web application is the retrieval of data from a database. This is achieved via the ADO RecordSet object. Using this objects Open method we can pass in any SQL string that our database driver supports.

Here we will retrieve the contents of the Customer table from the Northwind database, and place them in an array.

<%
Dim rsCustomer, strSQL, intCustomerCount, arrCustomerDataSet rsCustomer = Server.CreateObject("ADODB.RecordSet")
rsCustomer.CursorLocation = 3
strSQL = "SELECT * FROM Customers "
rsCustomer.Open strSQL, SQLConnection
if not (rsCustomer.BOF or rsCustomer.EOF) then
 intCustomerCount = rsCustomer.RecordCount
 arrCustomerData = rsCustomer.GetRows()
else
 intCustomerCount = 0
end if
rsCustomer.Close
set rsCustomer = nothing
%>

Now that we have the data in our array arrCustomerData, we can simply loop through this dataset and display on screen

<%
Dim intCustomerLoop
intCustomerLoop = 0
if intCustomerCount <> 0 then
 do until intCustomerLoop = intCustomerCount
  response.write(arrCustomerData(0, intCustomerLoop))
  response.write(arrCustomerData(1, intCustomerLoop))
  response.write(arrCustomerData(2, intCustomerLoop))
  response.write(arrCustomerData(3, intCustomerLoop))
  intCustomerLoop = intCustomerLoop +1
 loop
end if
%>

Manipulate Data

In order to use “INSERT INTO”, “UPDATE” or “DELETE” SQL statements, we need to amend the above RecordSet object to allow updates. This is achieved by using two properties of the RecordSet object, CursorType and LockType

Insert

<%
 Dim rsCustomer, strSQLSet rsCustomer = Server.CreateObject("ADODB.RecordSet")
strSQL = "INSERT INTO Customers(CompanyName, ContactName, ContactTitle) VALUES('BlogIT','CodeMonkey','Administrator')"
rsCustomer.CursorType = 2
rsCustomer.LockType =3
rsCustomer.Open strSQL, SQLConnection
set rsCustomer = nothing
%>

Update

<%
Dim rsCustomer, strSQLSet rsCustomer = Server.CreateObject("ADODB.RecordSet")
strSQL = "UPDATE Customers SET ContactName='CodeMonkey' WHERE CustomerID='ALFKI'"
rsCustomer.CursorType = 2
rsCustomer.LockType =3
rsCustomer.Open strSQL, SQLConnection
set rsCustomer = nothing
%>

Delete

<%
Dim rsCustomer, strSQLSet rsCustomer = Server.CreateObject("ADODB.RecordSet")
strSQL = "DELETE FROM Customers WHERE CustomerID='ALFKI'"
rsCustomer.CursorType = 2
rsCustomer.LockType =3
rsCustomer.Open strSQL, SQLConnection
set rsCustomer = nothing
%>

If you’re using a login script on your site you probably store usernames and passwords in a database for authenticating the login.

For security reasons, you should never store these as plain text but should encrypt them with a one-way hash function such as md5 or sha1.

As neither of these funtions are included with ASP, you’ll need to download and unzip the hash function you want to use and upload it to your webspace.

To use the functions, include the file in the pages you want to use hashing.

<!--#include file="md5.asp"-->
or
<!--#include file="sha1.asp"-->

Then you simply call the function with either:

<% MD5("string") or SHA1("string") %>

For example, if you wanted to encrypt a Username and Password on a signup form, you would collect the Username and Password from the submitted form, hash them and then insert the hashed values into your database

<%
strHashedUsername = MD5(Request.Form("Username"))
strHashedPassword = MD5(Request.Form("Password"))
%>

To authenticate a user who is attempting to sign in, Hash the username and Password from the form and compare these with the strHashedUsername and strHashedPassword stored in your database.

If a user forgets their password you’ll need to generate a new, pseudo-random password for the user as hashing is one-way can’t be unencrypted.

Downloads: md5.zip sha1.zip

SELECT email, COUNT(email) AS NumOccurrences
FROM users
GROUP BY email
HAVING ( COUNT(email) > 1 )

You could also use this technique to find rows that occur exactly once:

SELECT email
FROM users
GROUP BY email
HAVING ( COUNT(email) = 1 )

Inner Join

The INNER JOIN returns all rows from both tables where there is a match. If there are rows in Employees that do not have matches in Orders, those rows will not be listed.

Example

Who has ordered a product, and what did they order?

SELECT Employees.Name, Orders.Product
FROM Employees
INNER JOIN Orders
ON Employees.Employee_ID=Orders.Employee_ID

Result

Left Join

The LEFT JOIN returns all the rows from the first table (Employees), even if there are no matches in the second table (Orders). If there are rows in Employees that do not have matches in Orders, those rows also will be listed.

Example

List all employees, and their orders – if any.

SELECT Employees.Name, Orders.Product
FROM Employees
LEFT JOIN Orders
ON Employees.Employee_ID=Orders.Employee_ID

Result

Right Join

The RIGHT JOIN returns all the rows from the second table (Orders), even if there are no matches in the first table (Employees).

Example

List all employees, and their orders – if any

SELECT Employees.Name, Orders.Product
FROM Employees
RIGHT JOIN Orders
ON Employees.Employee_ID=Orders.Employee_ID

Result