# Glaztech — `quo()` SQL parameterization fix list (for Tom) **Date:** 2026-06-05 · **Source:** live tree on `WWW` (`D:\web\glaztech_4`), via GuruRMM read-only `findstr` (excludes stale `Old_bin\` / `Old_code\` copies). Addresses assessment finding **C3**. ## What this is Every place the site builds dynamic SQL with the `quo()` helper (which wraps a value in quotes but does **not** escape embedded quotes → SQL injection). The fix is to **parameterize** these statements (use `SqlParameter`/`@params` instead of `quo()`-concatenation), then delete the `quo()` helper. No redesign — it's a mechanical, repetitive change. - **80 `quo()` call sites** across **15 live files** (these are the line-level edits). - That's roughly the **~59 concatenated SQL statements** the assessment counted — several statements use multiple `quo()` values per statement, so call-sites (80) > statements (~59). Both numbers are right. - Priority: the **payment / order / quote pages** (where customer input flows) first; the rest for completeness. ## Count per file | Sites | File | |---:|---| | 15 | `ach.aspx.vb` | | 14 | `customer-login\online-payment-pnc.aspx.vb` | | 14 | `customer-login\online-payment-ach-na.aspx.vb` | | 12 | `customer-login\quote-detail.aspx.vb` | | 12 | `customer-login\order-detail.aspx.vb` | | 2 | `quick-pay-ach.aspx.vb` | | 2 | `quick-pay.aspx.vb` | | 2 | `quick-pay-pnc.aspx.vb` | | 1 | `customer-login\Order-acknowledgements.aspx.vb` | | 1 | `customer-login\order-acknowledgements-approval.aspx.vb` | | 1 | `customer-login\online-payment-old.aspx.vb` | | 1 | `customer-login\settings.aspx.vb` | | 1 | `customer-login\CustomExportPdf.aspx.vb` | | 1 | `gs\appearance-makeup.aspx.vb` | | 1 | `gs\performance-makeup.aspx.vb` | ## Full list (file : line) ``` ach.aspx.vb:224, 276, 277, 278, 279, 280, 282, 283, 284, 285, 286, 634, 671, 1246, 1248 customer-login\online-payment-pnc.aspx.vb:1151, 1326, 1383, 1384, 1385, 1386, 1387, 1389, 1390, 1391, 1392, 1394, 1593, 1629 customer-login\online-payment-ach-na.aspx.vb:1208, 1388, 1444, 1445, 1446, 1447, 1448, 1450, 1451, 1452, 1453, 1454, 1653, 1692 customer-login\quote-detail.aspx.vb:96, 97, 98, 101, 102, 103, 286, 288, 310, 312, 1625, 1627 customer-login\order-detail.aspx.vb:113, 114, 115, 118, 119, 120, 299, 301, 321, 323, 1712, 1714 quick-pay.aspx.vb:880, 882 quick-pay-ach.aspx.vb:888, 890 quick-pay-pnc.aspx.vb:656, 658 customer-login\Order-acknowledgements.aspx.vb:384 customer-login\order-acknowledgements-approval.aspx.vb:39 customer-login\online-payment-old.aspx.vb:1152 customer-login\settings.aspx.vb:167 customer-login\CustomExportPdf.aspx.vb:564 gs\appearance-makeup.aspx.vb:211 gs\performance-makeup.aspx.vb:175 ``` ## Notes - `quo()` is defined **per page** (not one shared helper). Explicit `Function quo` definitions confirmed in `gs\appearance-makeup.aspx.vb:494` and `gs\performance-makeup.aspx.vb:482`; the payment pages carry their own local copies. So "delete `quo()`" means removing each page's local copy after its call sites are fixed. - The 12 stale copies under `Old_bin\` / `Old_code\` are **not** in this list (not the live code) — but those duplicate trees should be removed from the production host separately (assessment H1 / item 20). - Each page should be **tested after** parameterization (no staging — H1), confirming the queries still return correct results, on a maintenance window with rollback. - `online-payment-old.aspx.vb` looks like a legacy page — confirm whether it's still reachable; if dead, remove rather than fix.