Mike Swanson
185a329770
- 2026-06-05-tom-message-draft.md: Mike's final relief-framed wording - 2026-06-05-quo-sql-fix-list.md: 80 live quo call sites across 15 files (C3) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
3.5 KiB
3.5 KiB
Glaztech — quo() SQL parameterization fix list (for Tom)
Date: 2026-06-05 · Source: live tree on WWW (D:\web\glaztech_4), via GuruRMM read-only findstr
(excludes stale Old_bin\ / Old_code\ copies). Addresses assessment finding C3.
What this is
Every place the site builds dynamic SQL with the quo() helper (which wraps a value in quotes but does
not escape embedded quotes → SQL injection). The fix is to parameterize these statements (use
SqlParameter/@params instead of quo()-concatenation), then delete the quo() helper. No redesign —
it's a mechanical, repetitive change.
- 80
quo()call sites across 15 live files (these are the line-level edits). - That's roughly the ~59 concatenated SQL statements the assessment counted — several statements use
multiple
quo()values per statement, so call-sites (80) > statements (~59). Both numbers are right. - Priority: the payment / order / quote pages (where customer input flows) first; the rest for completeness.
Count per file
| Sites | File |
|---|---|
| 15 | ach.aspx.vb |
| 14 | customer-login\online-payment-pnc.aspx.vb |
| 14 | customer-login\online-payment-ach-na.aspx.vb |
| 12 | customer-login\quote-detail.aspx.vb |
| 12 | customer-login\order-detail.aspx.vb |
| 2 | quick-pay-ach.aspx.vb |
| 2 | quick-pay.aspx.vb |
| 2 | quick-pay-pnc.aspx.vb |
| 1 | customer-login\Order-acknowledgements.aspx.vb |
| 1 | customer-login\order-acknowledgements-approval.aspx.vb |
| 1 | customer-login\online-payment-old.aspx.vb |
| 1 | customer-login\settings.aspx.vb |
| 1 | customer-login\CustomExportPdf.aspx.vb |
| 1 | gs\appearance-makeup.aspx.vb |
| 1 | gs\performance-makeup.aspx.vb |
Full list (file : line)
ach.aspx.vb:224, 276, 277, 278, 279, 280, 282, 283, 284, 285, 286, 634, 671, 1246, 1248
customer-login\online-payment-pnc.aspx.vb:1151, 1326, 1383, 1384, 1385, 1386, 1387, 1389, 1390, 1391, 1392, 1394, 1593, 1629
customer-login\online-payment-ach-na.aspx.vb:1208, 1388, 1444, 1445, 1446, 1447, 1448, 1450, 1451, 1452, 1453, 1454, 1653, 1692
customer-login\quote-detail.aspx.vb:96, 97, 98, 101, 102, 103, 286, 288, 310, 312, 1625, 1627
customer-login\order-detail.aspx.vb:113, 114, 115, 118, 119, 120, 299, 301, 321, 323, 1712, 1714
quick-pay.aspx.vb:880, 882
quick-pay-ach.aspx.vb:888, 890
quick-pay-pnc.aspx.vb:656, 658
customer-login\Order-acknowledgements.aspx.vb:384
customer-login\order-acknowledgements-approval.aspx.vb:39
customer-login\online-payment-old.aspx.vb:1152
customer-login\settings.aspx.vb:167
customer-login\CustomExportPdf.aspx.vb:564
gs\appearance-makeup.aspx.vb:211
gs\performance-makeup.aspx.vb:175
Notes
quo()is defined per page (not one shared helper). ExplicitFunction quodefinitions confirmed ings\appearance-makeup.aspx.vb:494andgs\performance-makeup.aspx.vb:482; the payment pages carry their own local copies. So "deletequo()" means removing each page's local copy after its call sites are fixed.- The 12 stale copies under
Old_bin\/Old_code\are not in this list (not the live code) — but those duplicate trees should be removed from the production host separately (assessment H1 / item 20). - Each page should be tested after parameterization (no staging — H1), confirming the queries still return correct results, on a maintenance window with rollback.
online-payment-old.aspx.vblooks like a legacy page — confirm whether it's still reachable; if dead, remove rather than fix.