Classic ASP Maximum Script Timeout Setting for Microsoft IIS

This is a re-post of a popular blog article from my old Blogger blog that was originally posted back in 2012.

I was scripting in old school ASP version 3.0 on IIS6 this week and had a script that needed a long time to run and kept timing out.

So I asked the question… What is the maximum script timeout setting for ASP on IIS?

After a lot of digging, I found out the answer.

The maximum value for ScriptTimeout is 2^32-1, or 2147483647.

If you try to set it to 2147483648 or higher, you will get the following error:
Microsoft VBScript runtime (0x800A0006)
Overflow: ‘server.scripttimeout’

Normally you would script it out like this.

<%
    Server.ScriptTimeout = 180
%>

Now with the maximum value, it looks like this.
 <%
    Server.ScriptTimeout = 2147483647
%>

The real solution was that my database was not performing at its best.  So needed to create additional indexes on more fields which increased the speed of the script.

 Hope this helps somebody out.

Happy coding!

Classic ASP: How to Do Parameterized Queries to Help Prevent SQL Injection

I’m a professional web developer who has spent 20+ years working in Classic ASP.

I work in modern stacks too but I still actively develop in Classic ASP on a side hustle project that is too expensive to re-write at this time.

This article focuses on an example of classic ASP SQL injection prevention using a basic parameterized query done in Classic ASP VBScript.

I’ve included links to all my references below.

Please note the first code example won’t work without translation of the “adCmdText” constant.

You can find the “adCmdText” reference in the adovbs.inc (include file) that contains all the ADO Constants we use for commands like the “adCmdText”.  None of the other sources mentioned that at all. 

I’ve added a second code example that should allow you to ditch the need for the include file and just enter an enumeration of the CommandType. 

ADOVBS.INC Example: 

'---- CommandTypeEnum Values ----
Const adCmdUnknown = &H0008
Const adCmdText = &H0001
Const adCmdTable = &H0002
Const adCmdStoredProc = &H0004

<%
 set rs = Server.CReateObject("ADODB.Recordset")
 set cmd1  = Server.CreateObject("ADODB.Command")
 Set conn = Server.CreateObject("ADODB.Connection")
 conn.Open [Connection String Value]
 cmd1.ActiveConnection = conn //connection object already created
 cmd1.CommandText = "SELECT * FROM [table] where ID = ?"
 cmd1.CommandType = adCmdText
 'cmd1.Prepared = True ' only needed if u plan to reuse this command often
 cmd1.Parameters.Refresh
 cmd1.Parameters(0).Value = "55"
 set rs = cmd1.Execute
 While NOT rs.eof
  Response.Write(rs("ID") & "
")
  rs.MoveNext
 Wend
 Set rs = Nothing
 Set conn = Nothing
%>
Can also be written replacing constant adCmdText with acceptable enumeration of 1 for the CommandType.
<%
set rs = Server.CReateObject("ADODB.Recordset")
set cmd1  = Server.CreateObject("ADODB.Command")
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open [Connection String Value]
cmd1.ActiveConnection = conn //connection object already created
cmd1.CommandText = "SELECT * FROM [table] where ID = ?"
cmd1.CommandType = 1
'cmd1.Prepared = True ' only needed if u plan to reuse this command often
cmd1.Parameters.Refresh
cmd1.Parameters(0).Value = "55"
set rs = cmd1.Execute
While NOT rs.eof
    Response.Write(rs("ID") & "
")
    rs.MoveNext
Wend
Set rs = Nothing
Set conn = Nothing
%>

References:

CommandType Enumeration

https://www.w3schools.com/asp/prop_comm_commandtype.asp

Parameters Collection (ADO)

https://docs.microsoft.com/en-us/sql/ado/reference/ado-api/parameters-collection-ado?view=sql-server-2017

https://blogs.technet.microsoft.com/neilcar/2008/05/23/sql-injection-mitigation-using-parameterized-queries-part-2-types-and-recordsets/

https://stackoverflow.com/questions/7654446/parameterized-query-in-classic-asp/9226886#9226886