Evert Jor asked:
Need help with SQL statement for ASP
I have an issue with the syntax getting a record using an URL variable. Any advice?
strSQL4 = "SELECT * FROM products WHERE products.pID = <%=Request.QueryString("vnr")
If pID is a number, it should work. If it is a string, probably single quotes not double quotes in the SQL.
And use bind variables.
What you have posted opens you up to SQL injection. Wouldn't be hard to add "1 or 1=1" to your vnr on the query string and return ALL rows.
I assume this is on the server side in vbscript language?
Then a correct syntax:
strSQL4 = "SELECT * FROM products WHERE products.pID = " & Request.QueryString("vnr")
A side note - you should never pass values from Request to SQL expressions, because that opens a door for SQL injections.
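The two replies above both point at the same fix: keep the query-string value out of the SQL text and bind it as a parameter. The following classic ASP page is an added example written for this thread, not code from the original posts. It assumes an already-open ADODB.Connection named conn (the thread shows no connection string), a numeric products.pID column and a string products.pSKU column, and that adovbs.inc is not included (the ADO constants it needs are declared inline). The barcode image URL at the end is an assumption about what the asker's later Response.Write line is trying to produce.

```vbscript
<%
Option Explicit

' ADO constants, declared here so the page does not depend on adovbs.inc
Const adCmdText    = 1
Const adInteger    = 3
Const adVarChar    = 200
Const adParamInput = 1

Dim vnr, cmd, rsProducts4, sku
vnr = Request.QueryString("vnr")

' Validate before touching the database: pID is numeric, so anything that is
' not a whole number (including "1 or 1=1") is rejected with a 400.
If Len(vnr) = 0 Or Not IsNumeric(vnr) Or InStr(vnr, ".") > 0 Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid product number"
    Response.End
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn          ' conn is assumed to be open already
cmd.CommandType = adCmdText
' The SQL text is fixed; the value travels separately as a bound parameter
cmd.CommandText = "SELECT * FROM products WHERE products.pID = ?"
' CreateParameter(Name, Type, Direction, Size, Value)
cmd.Parameters.Append cmd.CreateParameter("pID", adInteger, adParamInput, , CLng(vnr))

Set rsProducts4 = cmd.Execute

' Had pID been a string column, only the parameter type changes; no quoting
' of the value is ever done by hand:
'   cmd.CommandText = "SELECT * FROM products WHERE products.pSKU = ?"
'   cmd.Parameters.Append cmd.CreateParameter("pSKU", adVarChar, adParamInput, 50, vnr)

If rsProducts4.EOF Then
    Response.Status = "404 Not Found"
    Response.Write "No such product"
Else
    sku = rsProducts4("pSKU")
    ' Database values are untrusted when they go back into HTML: URL-encode the
    ' query-string part and HTML-encode the attribute.
    Response.Write "<img src=""" & Server.HTMLEncode("http://localhost/vet/barcode/barcode.asp?code=" & _
        Server.URLEncode(sku) & "&height=40&width=2&mode=EAN-13&text=1") & """>"
End If

rsProducts4.Close
Set rsProducts4 = Nothing
Set cmd = Nothing
%>
```

With the parameter bound this way the driver sends the SQL text and the value as two separate items, so the database never parses the user's input as part of the statement; the IsNumeric check on top of that is defence in depth and gives the caller a clean 400 instead of a database error.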
ASKER
I'm getting this error:
Microsoft VBScript-kompileringsfeil error '800a03ea'
Syntax error
/vet/barcode/test.asp, line 60
strSQL4 = "SELECT * FROM products WHERE products.pID = " & <%=Request.QueryString("vnr") -----------------------------------------------------------^
normal, you haven't used any code listed here, yet...
>>I'm getting this error:
Might get that error if there isn't a "vnr" on the querystring.
Might get that error if pID isn't a number column and you are passing in strings with or without proper encoding from the query string.
>>Might get that error if there isn't a "vnr" on the querystring
If the querystring does not have such a thing, he does not get this error.
If it is empty or non-numeric, still no such error happens;
we get SQL errors...
He is getting it because he removed the closing ASP tag but not the opening tag...
ASKER
Now I have this issue:
Microsoft VBScript-kompileringsfeil error '800a0401'
Forventet slutt på setning
/vet/barcode/test.asp, line 77
Response.write"<img src='http://localhost/vet/barcode/barcode.asp?code='&(rsProducts4("pSKU"))&height=40&width=2&mode=EAN-13&text=1'>" ---------------------------------------------------------------------------------------^