Jim Buyens
Guest
Posts: n/a
|
To the best of my understanding, yes.
The ASP version of the DRW has become increasingly troublesome when asked to do INSERT, UPDATE, and DELETE operations. You'll probably have greater success using the ASP.NET version, or writing your own ASP code.

Writing your own ASP code for inserting records isn't difficult. Try the advice at:

Saving Form Data in a Database
http://www.interlacken.com/winnt/tip...ow.aspx?tip=44

Jim Buyens
Microsoft FrontPage MVP
http://www.interlacken.com
Author of:
*----------------------------------------------------
|\---------------------------------------------------
|| Microsoft Office FrontPage 2003 Inside Out
||---------------------------------------------------
|| Web Database Development Step by Step .NET Edition
|| Microsoft FrontPage Version 2002 Inside Out
|| Faster Smarter Beginning Programming
|| (All from Microsoft Press)
|/---------------------------------------------------
*----------------------------------------------------

>-----Original Message-----
>Background:
>
>I am using Frontpage 2003 and have a form that collects user inputs to query our SQL database. Everything was working fine and then all of a sudden I kept getting the following message "Database Results Wizard Error The operation failed. If this continues, please contact your server administrator" without changing anything. I found the solution after searching the web.
>
>Evidently, there is a problem with FrontPage 2003 files FPDBRGN1.ini FPDBRGN2.ini AND FPDBLIB.ini and the solution was to get the same files from FrontPage 2000. Microsoft, are you listening??????
>
>It worked, but this has raised a question about security. Am I opening myself up to any security issues (someone has mentioned sql injection attack risk) by using the Frontpage 2000 files????
|
||
|
||||
|
Jim Buyens
Guest
Posts: n/a
|
Sorry, I interpreted your first message to mean you were using the DRW to *insert* the records.

Are you using the ASP.NET version of the DRW? If so, open the _fpclass/fpdbnet.cs file and on about line 342, change

   private bool DebugOn = false;
to
   private bool DebugOn = true;

This won't fix the problem, but it'll probably get you a better error message.

Jim Buyens
Microsoft FrontPage MVP
http://www.interlacken.com

"rick" <(E-Mail Removed)> wrote in message news:<ABE23495-0DC5-4483-8812-(E-Mail Removed)>...
> Jim, thanks for your reply.
>
> We are not updating, inserting, or deleting - we are just querying. Does
> this still expose us?
>
> We are rookies at this so are only knowledgeable at using the DRW. If the
> answer is that even querying the DB exposes us to security problems such as
> injection then we have a Catch 22, don't we? Use the files from FP2003 or be
> exposed but the files in FP2003 don't work. Or are you saying that even if
> FP2003 worked, we would be exposed?
>
> Can we reduce the risk if we created a view with the pertinent data and
> queried the View?
>
> Would appreciate any guidance you can provide.
|
||
|
||||
|
rick
Guest
Posts: n/a
|
Jim,
I am not using .net but I did change the coding initially to get a more precise error message but all the stuff on the web said that there was no fix and only work around was to use FP2000 files as mentioned below. So do you know if I am exposed to injection risk or other security risk and if Microsoft plans on fixing the FP2003 DRW?
|
||
|
||||
|
Thomas A. Rowe
Guest
Posts: n/a
|
Rick,
Another option is to hand code your ASP/VBScript and not rely on the FP database components.

--
==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)
http://www.ycoln-resources.com
FrontPage Resources, WebCircle, MS KB Quick Links, etc.
==============================================
To assist you in getting the best answers for FrontPage support see:
http://www.net-sites.com/sitebuilder/newsgroups.asp
|
||
|
||||
|
Jim Buyens
Guest
Posts: n/a
|
"rick" <(E-Mail Removed)> wrote in message news:<E687D4D7-E8D3-4A6F-93D2-(E-Mail Removed)>...
> Jim,
>
> I am not using .net but I did change the coding initially to get a more
> precise error message but all the stuff on the web said that there was no
> fix and only work around was to use FP2000 files as mentioned below. So
> do you know if I am exposed to injection risk or other security risk

Yes, you would be exposed.

> and if Microsoft plans on fixing the FP2003 DRW?

I really have no insight on this. Generically, I know:

o They have a bug list.
o It's categorized by crashing bugs, lost functionality bugs,
  and so forth.
o They review it from time to time, and select bugs to be fixed
  by hot fix, service pack, next release, or distant future.
o User feedback contributes to those decisions.

But as to the status of this or any other specific bug, I have no inside knowledge.

To register an official complaint, browse
http://register.microsoft.com/mswish/suggestion.asp
and fill out the form.

Jim Buyens
Microsoft FrontPage MVP
http://www.interlacken.com
|
||
|
||||
|
rick
Guest
Posts: n/a
|
Jim, thanks for responding. What if I create a View with only the data columns of interest and let the user query against that View. Does that solve the injection risk??
|
||
|
||||
|
Jim Buyens
Guest
Posts: n/a
|
I don't know, because we never tracked down the actual source of your problem. So try this:

1. Rerun the Database Results Wizard.
2. On page 2 of the wizard, click Custom Query and Edit.
3. Copy the contents of the SQL Statement box and post them to this thread.
4. Cancel out of the DRW.

Generically, SQL statement injection occurs when the visitor gets to modify your SQL statement. For example, you may have a SQL statement like:

   SELECT * FROM mytable WHERE lastname = '::lname::'

where lname is the name of a form field that supplies search criteria. Now, suppose the visitor enters the following lname value:

   x';DELETE FROM mytable WHERE 'x' = 'x

After merging in this "input" you get:

   SELECT * FROM mytable WHERE lastname = 'x';DELETE FROM mytable WHERE 'x'= 'x'

This sends two SQL statements to the DBMS: one that performs a harmless query, and one that deletes all the records in the table.

With some DBMSs, it's even possible to inject SQL code that supplies the DBMS with an operating system command to run. This is pretty scary if your DBMS is running under the SYSTEM account or an administrator account.

In ASP code, you can largely eliminate this risk by changing all apostrophes to double apostrophes. For example:

   SELECT * FROM mytable WHERE lastname = 'O''Hara'

searches for the last name O'Hara. So hopefully, when the DRW creates a SQL statement like

   SELECT * FROM mytable WHERE lastname = '::lastname::'

it changes all apostrophes in the lastname form field to double apostrophes before merging the value into the SQL statement.

I'm not sure, however, if this is what the changes in the FPDBRGN1.ini FPDBRGN2.ini and FPDBLIB.ini files do, or whether it was some other fix.

Jim Buyens
Microsoft FrontPage MVP
http://www.interlacken.com
> > > > > > > > > > > > > > > > > > > > > > > > > > > >. > > > > > > > > > > > > > > > > > > > |
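The question asked in this thread, whether querying a View removes the injection risk, worked through as an added example that is not part of the original posts. It uses Python's sqlite3 as a stand-in for the SQL Server database and the DRW's generated ASP code; the table, view, function names and all rows are constructed for illustration.

```python
import sqlite3


def build_db():
    """Constructed sample data: a base table and a view exposing two columns."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT,
                                city TEXT, card_no TEXT);
        INSERT INTO customers (name, city, card_no) VALUES
            ('Avery', 'Boise',  'CONSTRUCTED-0001'),
            ('Blake', 'Denver', 'CONSTRUCTED-0002'),
            ('Casey', 'Boise',  'CONSTRUCTED-0003');
        CREATE VIEW customer_lookup AS SELECT name, city FROM customers;
    """)
    return db


def search_concatenated(db, city):
    """Weak form: the form value becomes part of the SQL text itself."""
    sql = ("SELECT name, city FROM customer_lookup WHERE city = '"
           + city + "' ORDER BY name")
    return db.execute(sql).fetchall()


def search_parameterized(db, city):
    """Hardened form: the form value is bound as data and never parsed as SQL."""
    sql = "SELECT name, city FROM customer_lookup WHERE city = ? ORDER BY name"
    return db.execute(sql, (city,)).fetchall()


def compare(city):
    """Run both forms on one input; a SQL error is reported as a string."""
    db = build_db()
    try:
        weak = search_concatenated(db, city)
    except sqlite3.Error as exc:
        weak = "error: " + type(exc).__name__
    return weak, search_parameterized(db, city)


if __name__ == "__main__":
    # Constructed inputs: a normal value, a value with an apostrophe,
    # and a value that carries SQL syntax.
    for value in ("Boise", "O'Fallon", "x' OR '1'='1"):
        print(repr(value), compare(value))
```

The view keeps `card_no` out of the SELECT list, but the concatenated query still lets the input rewrite the WHERE clause, so the view by itself does not close the hole; binding the value as a parameter does, and what the database login is permitted to touch bounds the damage if something is missed.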




