ASP variables in sql statement



#1 KamakaZ

KamakaZ

  • Members
  • 739 posts
  • OFFLINE
  • Gender:Male
  • Location:Victoria
  • Local time:12:49 AM

Posted 11 December 2009 - 08:49 AM

Any ideas why this wouldn't work?

<html>
<body>
<%
' Declaring variables
Dim back, arms, data_source, con, sql_select

' A Function to check if some field entered by user is empty
' and to double any single quote so it cannot end the SQL string literal.
' ("string" is the name of a built-in VBScript function, so the parameter
' is called s instead.)
Function ChkString(s)
	If s = "" Then s = " "
	ChkString = Replace(s, "'", "''")
End Function


' Receiving values from Form (Request.Form always returns text)
arms = ChkString(Request.Form("arms"))
back = ChkString(Request.Form("back"))


	data_source = "DSN=GunnSrvModODBC"
	sql_select = "SELECT * FROM ZZ_Chair WHERE back = '" & back & "'"

	' VBScript has no { } blocks, so the optional condition is appended
	' inside If ... End If. arms holds the text "1", not the number 1, and
	' in VBScript "1" = 1 evaluates to False, so compare against the string.
	If arms = "1" Then
		sql_select = sql_select & " AND na <> 0"
	End If

	Response.Write sql_select

	' Creating Connection Object and opening the database
	Set con = Server.CreateObject("ADODB.Connection")
	con.Open data_source
	con.Execute sql_select

	' Done. Close the connection
	con.Close
	Set con = Nothing
%>


	<br />
	<h4>Complete...</h4>
	<h5>Show Options:</h5>
	<form>
	<input type="button" onclick="window.location='index.asp'" value="Back"/>
	</form>
	<hr />

</body>
</html>

It's obviously a problem with the SQL; it errors on line 22, always around the back = '" & back & "' ... section, sometimes after the = and sometimes after the second &.

~ Kam

There's no place like 127.0.0.1
There are 10 types of people in the world, those that can read binary, and those who can't.
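The same page written with a parameterized ADODB.Command instead of string concatenation, as an added example that is not part of the thread or KamakaZ's code. It keeps the DSN GunnSrvModODBC, the table ZZ_Chair and the columns back and na from the post; the VARCHAR width of 50 for the parameter and the columns shown in the output loop are assumptions. Binding the value removes the need for ChkString entirely, because the user's text never becomes part of the SQL statement, and it sidesteps the VBScript comparison trap (Request.Form returns strings, so the test is against "1", not 1).

```vbscript
<%
' Added example, not the original poster's code. Assumes DSN GunnSrvModODBC,
' table ZZ_Chair with columns back and na (from the thread); the VARCHAR
' width of 50 for the "back" parameter is an assumption.
Dim con, cmd, rs, back, arms, sql_select

' Request.Form values are always strings, so "1" is the value to test for.
back = Request.Form("back")
arms = Request.Form("arms")

' The SQL text only ever contains fixed, server-chosen fragments plus a "?"
' placeholder; the user's value is bound as a parameter, never concatenated,
' so a quote or comment sequence in "back" cannot change the statement.
sql_select = "SELECT back, na FROM ZZ_Chair WHERE back = ?"
If arms = "1" Then
	sql_select = sql_select & " AND na <> 0"
End If

Set con = Server.CreateObject("ADODB.Connection")
con.Open "DSN=GunnSrvModODBC"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = con
cmd.CommandType = 1            ' adCmdText: CommandText is an SQL statement
cmd.CommandText = sql_select
' CreateParameter(Name, Type, Direction, Size, Value)
' 200 = adVarChar, 1 = adParamInput (numeric constants, no adovbs.inc needed)
cmd.Parameters.Append cmd.CreateParameter("back", 200, 1, 50, back)

' Echo the statement for debugging, as the original page does; the bound
' value is shown separately and HTML-encoded so it cannot inject markup.
Response.Write "<p>" & Server.HTMLEncode(sql_select) & "</p>"
Response.Write "<p>back = " & Server.HTMLEncode(back) & "</p>"

' Execute returns a Recordset for a SELECT; "" & value guards against Null.
Set rs = cmd.Execute
Do Until rs.EOF
	Response.Write "<p>" & Server.HTMLEncode("" & rs("back")) & " / " & rs("na") & "</p>"
	rs.MoveNext
Loop

rs.Close
Set rs = Nothing
Set cmd = Nothing
con.Close
Set con = Nothing
%>
```

The optional " AND na <> 0" fragment is still appended as text, which is fine because it is a constant chosen by the server, not something derived from the request; the rule is that user-supplied values go through parameters and only fixed SQL is concatenated.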


#2 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:07:49 AM

Posted 11 December 2009 - 12:08 PM

You need to print out the content of the query string to make sure it is being built like you think it is. If it was a SQL syntax error, the error would be in the same place all the time. Since it isn't, make sure that there isn't some strange character in the strings being represented by your variable.

What happens to the query where arms = 1 and na = 0?

#3 KamakaZ

KamakaZ
  • Topic Starter

  • Members
  • 739 posts
  • OFFLINE
  • Gender:Male
  • Location:Victoria
  • Local time:12:49 AM

Posted 11 December 2009 - 12:25 PM

na is a field in the table; if it's available with arms it has a price, if not it's 0. Double checked, no weird characters are in the string... at the moment back should be equal to M and arms equal to 0.



#4 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:07:49 AM

Posted 11 December 2009 - 12:34 PM

Could you print out the actual string so that I can see that? And the error message?

EDIT: Also, does the query work if arm = 0?

EDIT2: Also, try hardcoding a query and see if it works. And then finally, try the hardcoded query from the sql command line and see what happens.



