Evert Jor (Norway)

asked on

Need help with SQL statement for ASP

I have an issue with the syntax getting a record using a URL variable. Any advice?

strSQL4 = "SELECT * FROM products WHERE products.pID = <%=Request.QueryString("vnr")


Éric Moreau (Canada)

aren't you missing a double quote and a concat operator:
strSQL4 = "SELECT * FROM products WHERE products.pID = " & <%=Request.QueryString("vnr") %>


slightwv (Netminder)

If pID is a number, it should work.  If it is a string, probably single quotes not double quotes in the SQL.

And use bind variables.  

What you have posted opens you up to SQL injection.  Wouldn't be hard to add "1 or 1=1" to your vnr on the query string and return ALL rows.
I assume this is on the server side in vbscript language?
Then a correct syntax:
strSQL4 = "SELECT * FROM products WHERE products.pID = " & Request.QueryString("vnr")



A side note - you should never pass values from Request to SQL expressions, because that opens a door for SQL injections.
ASKER CERTIFIED SOLUTION
HainKurt (Canada)

This solution is only available to members.
Evert Jor (Asker)

I'm getting this error:

Microsoft VBScript-kompileringsfeil error '800a03ea'

Syntax error

/vet/barcode/test.asp, line 60

strSQL4 = "SELECT * FROM products WHERE products.pID = " & <%=Request.QueryString("vnr") -----------------------------------------------------------^



>>I'm getting this error:

normal, you haven't used any code listed here, yet... 
>>I'm getting this error:

Might get that error if there isn't a "vnr" on the querystring.

Might get that error if pID isn't a number column and you are passing in strings with or without proper encoding from the query string.
>>Might get that error if there isn't a "vnr" on the querystring

if querystring does not have such thing, he does not get this error
if it is empty or non-numeric, still no such error happens
we get sql errors...

he is getting it, because, he removed closing asp tags but not opening tag...
Now I have this issue:

Microsoft VBScript-kompileringsfeil error '800a0401'

Forventet slutt på setning

/vet/barcode/test.asp, line 77

Response.write"<img src='http://localhost/vet/barcode/barcode.asp?code='&(rsProducts4("pSKU"))&height=40&width=2&mode=EAN-13&text=1'>" ---------------------------------------------------------------------------------------^
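As an added example (not code from the thread or from any of its answers), the two statements from the question are combined below into one classic ASP page that does what slightwv and the anonymous reply recommend: the pID lookup goes through an ADODB.Command with a bound parameter instead of concatenating Request.QueryString("vnr") into the SQL text, and the barcode img tag is built with balanced VBScript string literals and Server.URLEncode so the SKU cannot break out of the attribute. It assumes an already-open ADODB.Connection named cnn (hypothetical) and that products.pID is an integer column; the table, column, parameter names and the barcode.asp URL are taken from the thread.

```vbscript
<%
Option Explicit
' Added example, not the thread's own code. Assumes: cnn is an open
' ADODB.Connection (hypothetical name) and products.pID is an integer column.

' ADO constants (normally pulled in from adovbs.inc)
Const adCmdText    = 1
Const adInteger    = 3
Const adParamInput = 1

Dim vnr, re, cmd, rsProducts4

' Validate the query-string value before it goes anywhere near SQL:
' only a plain run of digits is accepted as a product id.
vnr = Request.QueryString("vnr")
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(vnr) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid product id."
    Response.End
End If

' Pattern from the question, kept only as a comment (never executed):
'   strSQL4 = "SELECT * FROM products WHERE products.pID = " & Request.QueryString("vnr")
' Whatever arrives in vnr (e.g. the "1 or 1=1" slightwv mentions) becomes SQL text.

' Parameterized equivalent: the value is bound to the "?" placeholder by ADO,
' so it is always treated as data, never as part of the statement.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cnn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT pSKU FROM products WHERE pID = ?"
cmd.Parameters.Append cmd.CreateParameter("pID", adInteger, adParamInput, , CLng(vnr))
Set rsProducts4 = cmd.Execute

If rsProducts4.EOF Then
    Response.Write "No product found."
Else
    ' The asker's second statement had unbalanced quotes. Here each VBScript
    ' string literal is closed before "&", and the SKU is URL-encoded so that
    ' quotes or ampersands in the data cannot alter the src attribute.
    Response.Write "<img src='http://localhost/vet/barcode/barcode.asp?code=" & _
        Server.URLEncode(rsProducts4("pSKU")) & _
        "&height=40&width=2&mode=EAN-13&text=1'>"
End If

rsProducts4.Close
Set rsProducts4 = Nothing
Set cmd = Nothing
%>
```

Two things worth noting: with a bound adInteger parameter the single-quote question from slightwv's reply goes away, because ADO decides how the value is sent to the driver; and the regular-expression check is a defence-in-depth step, not the thing that prevents injection. The parameter binding does that on its own.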



SOLUTION

This solution is only available to members.