How to Concatenate a String using VBScript

How to Concatenate a String Value in VBScript

To concatenate string values using VBScript we use the ampersand (&) character to piece together our composite string value.

Code Example:

String1 = "Word 1"
String2 = "Word 2"
' Join the two values with a space between them
String3 = String1 & " " & String2
' or, with literals:
String3 = "Word 1" & " " & "Word 2"
MsgBox(String3)

The output value would be “Word 1 Word 2”.

If you’re more familiar with JavaScript, you might be used to concatenating strings using the plus character (+).

In VBScript you can only use the + operator on numeric values.

How to Delay an HTTP Response in Classic ASP, AKA Classic Sleep Function Alternative Solution

Is There a Sleep Method in Classic ASP?

First, and sorry, there is no built-in sleep method in Classic ASP. Probably for good reason. Keep reading for my solution below.

The key thing to remember about Classic ASP is that it is server-side and interpreted. Classic ASP is interpreted into HTML, then served out to the user’s web browser from the Microsoft IIS web server.

As a prerequisite, I can’t imagine why you would want to delay a Classic ASP page from being served to a user’s web browser for 10 seconds. That’s a long time to make a user wait but you can.

If you cause the HTTP Response to delay for a User Agent like Google bot, Google will probably exclude your website from their search indexes so I normally would not do this in practice on a website that needed any kind of Search Engine Optimization (SEO) friendliness.

Normally, when I think of sleep, I think of the sleep method in JavaScript where we can set a delay in seconds to pause some code in a function.

With Classic ASP, since we don’t have a native sleep or delay method, we can just build our own. By default, I’m going to stay with a delay of a specific number of seconds as our end goal.

I’m sure we could come up with a few ways to do this, but this is mine.

Building the Sleep Function from Scratch

  • We will set some variables for a start time and a current time.
  • Then start a While Loop that watches for # of seconds we’ve chosen.
  • We update the current time at each iteration of the loop and check it at start of each loop iteration.
  • Once current time increments by 10 seconds, loop completes giving you a delay of specified seconds.

Classic ASP Sleep Function Code

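<%
' Busy-wait for intSeconds seconds. The loop polls the clock continuously,
' so it keeps a CPU core and an ASP worker thread occupied while it runs.
Sub Delay(intSeconds)
	Dim StartTime, CurrentTime
	StartTime = Now()
	CurrentTime = Now()
	' Loop until the elapsed whole seconds reach intSeconds
	While DateDiff("s", StartTime, CurrentTime) < intSeconds
		CurrentTime = Now()
	Wend
End Sub

Response.Write("Something<br>")
Call Delay(10)
Response.Write("Something 10 seconds later")
%>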

I hope this helps you if you were looking for a simple Classic ASP HTTP Response delay function but be careful how you use it.

~Cyber Abyss

Classic ASP Maximum Script Timeout Setting for Microsoft IIS

This is a re-post of a popular blog article from my old Blogger blog that was originally posted back in 2012.

I was scripting in old school ASP version 3.0 on IIS6 this week and had a script that needed a long time to run and kept timing out.

So I asked the question… What is the maximum script timeout setting for ASP on IIS?

After a lot of digging, I found out the answer.

The maximum value for ScriptTimeout is 2^32-1, or 2147483647.

If you try to set it to 2147483648 or higher, you will get the following error:
Microsoft VBScript runtime (0x800A0006)
Overflow: ‘server.scripttimeout’

Normally you would script it out like this.

<%
    Server.ScriptTimeout = 180
%>

Now with the maximum value, it looks like this.
<%
    Server.ScriptTimeout = 2147483647
%>

The real solution was that my database was not performing at its best. So I needed to create additional indexes on more fields, which increased the speed of the script.

Hope this helps somebody out.

Happy coding!

Classic ASP: How to Do Parameterized Queries to Help Prevent SQL Injection

I’m a professional web developer who has spent 20+ years working in Classic ASP.

I work in modern stacks too but I still actively develop in Classic ASP on a side hustle project that is too expensive to re-write at this time.

This article focuses on an example of classic ASP SQL injection prevention using a basic parameterized query done in Classic ASP VBScript.

I’ve included links to all my references below.

Please note the first code example won’t work unless the ADO constant “adCmdText” is defined (translated to its numeric value).

You can find the “adCmdText” reference in the adovbs.inc (include file) that contains all the ADO Constants we use for commands like the “adCmdText”.  None of the other sources mentioned that at all. 

I’ve added a second code example that should allow you to ditch the need for the include file and just enter an enumeration of the CommandType. 

ADOVBS.INC Example: 

'---- CommandTypeEnum Values ----
Const adCmdUnknown = &H0008
Const adCmdText = &H0001
Const adCmdTable = &H0002
Const adCmdStoredProc = &H0004

<%
 Set rs = Server.CreateObject("ADODB.Recordset")
 Set cmd1 = Server.CreateObject("ADODB.Command")
 Set conn = Server.CreateObject("ADODB.Connection")
 conn.Open strConnectionString ' your connection string value
 Set cmd1.ActiveConnection = conn ' connection object already created
 cmd1.CommandText = "SELECT * FROM [table] where ID = ?"
 cmd1.CommandType = adCmdText
 'cmd1.Prepared = True ' only needed if you plan to reuse this command often
 cmd1.Parameters.Refresh ' ask the provider to describe the ? parameter
 cmd1.Parameters(0).Value = "55" ' bound as data, never parsed as SQL
 Set rs = cmd1.Execute
 While Not rs.EOF
  Response.Write(rs("ID") & "<br>")
  rs.MoveNext
 Wend
 Set rs = Nothing
 Set conn = Nothing
%>
It can also be written by replacing the constant adCmdText with its enumeration value, 1, for the CommandType.
<%
Set rs = Server.CreateObject("ADODB.Recordset")
Set cmd1 = Server.CreateObject("ADODB.Command")
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open strConnectionString ' your connection string value
Set cmd1.ActiveConnection = conn ' connection object already created
cmd1.CommandText = "SELECT * FROM [table] where ID = ?"
cmd1.CommandType = 1 ' same value as adCmdText
'cmd1.Prepared = True ' only needed if you plan to reuse this command often
cmd1.Parameters.Refresh ' ask the provider to describe the ? parameter
cmd1.Parameters(0).Value = "55" ' bound as data, never parsed as SQL
Set rs = cmd1.Execute
While Not rs.EOF
    Response.Write(rs("ID") & "<br>")
    rs.MoveNext
Wend
Set rs = Nothing
Set conn = Nothing
%>
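
Both listings above let Parameters.Refresh ask the provider to describe the parameter. The following added example (not the original author's code) declares typed parameters explicitly with CreateParameter, validates the request input first, and HTML-encodes the output. The query-string names "id" and "name", the Name column and the strConnectionString variable are assumptions made for illustration.

```vbscript
<%
' Added example. These values come from adovbs.inc; declared here so no include is needed.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200

Dim conn, cmd, rs, re, strId, strName
strId = Request.QueryString("id")        ' untrusted input (hypothetical parameter name)
strName = Request.QueryString("name")    ' untrusted input (hypothetical parameter name)

' Validate the ID as a short run of digits before converting it with CLng,
' and reject names longer than the declared parameter size.
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(strId) Or Len(strName) > 50 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' Weak form, shown for contrast only: the input becomes part of the SQL text.
' sql = "SELECT ID, Name FROM [table] WHERE ID = " & strId

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open strConnectionString            ' assumed to be defined elsewhere
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT ID, Name FROM [table] WHERE ID = ? AND Name = ?"

' Parameters bind to the ? markers in the order they are appended.
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , CLng(strId))
cmd.Parameters.Append cmd.CreateParameter("@name", adVarChar, adParamInput, 50, strName)

Set rs = cmd.Execute
Do While Not rs.EOF
    ' Encode on output so stored data cannot be interpreted as markup.
    Response.Write Server.HTMLEncode(rs("ID") & " " & rs("Name")) & "<br>"
    rs.MoveNext
Loop

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```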

References:

CommandType Enumeration

https://www.w3schools.com/asp/prop_comm_commandtype.asp

Parameters Collection (ADO)

https://docs.microsoft.com/en-us/sql/ado/reference/ado-api/parameters-collection-ado?view=sql-server-2017

https://blogs.technet.microsoft.com/neilcar/2008/05/23/sql-injection-mitigation-using-parameterized-queries-part-2-types-and-recordsets/

https://stackoverflow.com/questions/7654446/parameterized-query-in-classic-asp/9226886#9226886