hey all

I have this insert query I'm trying to do but it isn't working. No matter how many variations, and variations of variations, I try, it always has a problem with my code.

Set rstSimple = cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode, TransactionID, ClientID) VALUES (<%=Request.QueryString(payer_email)%>, <%=Request.QueryString(payer_email)%>, <%=Request.QueryString(first_name)%>, <%=Request.QueryString(last_name)%>, <%=Request.QueryString(hash)%>, <%=Request.QueryString(txn_id)%>, <%=Request.QueryString(client_id)%>)")

I don't understand what its problem is: it keeps saying:

Microsoft VBScript compilation error '800a0409'

Unterminated string constant

/thanks.asp, line 62

Set rstSimple = cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode, TransactionID, ClientID) VALUES (<%=Request.QueryString(payer_email)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------^

Note: VBScript & ASP.

Can somebody please help me figure this out? Thank you.

+1  A: 

I guess the parameters you're passing to Request.QueryString() should be enclosed in quotes:

Request.QueryString("payer_email")

UPDATE: Yes, and as @PHPology suggested, you should remove the <% %> and simply use string concatenation with &.

Try it like this:

Set rstSimple = cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode, TransactionID, ClientID) VALUES ('" & Request.QueryString("payer_email") & "', '" & Request.QueryString("payer_email") & "', '" & Request.QueryString("first_name") & "', '" & Request.QueryString("last_name") & "', '" & Request.QueryString("hash") & "', '" & Request.QueryString("txn_id") & "', '" & Request.QueryString("client_id") & "')")

Although not related to the problem, your query also appears to be vulnerable to SQL Injection.

Daniel Vassallo
That's what I assumed at first. But no, it just gives me a different error. If I remember correctly, it was: "Expected end of line character". But like I said, it has a problem with everything.
lucifer
Thank you. Your update worked, mostly. Now I just keep getting this error: Invalid column name 'Email'. Which makes me think that there is no Email column in the table, but even after I add one, it still brings up that same error.
lucifer
+1  A: 

Instead of doing...

"foo <%=bar%> foo"

...try this instead:

"foo" & bar & "foo"
Amber
+1  A: 

Remove your <% %> as you are already in ASP script mode. It should be something like this for your values:

'"& Request.QueryString("payer_email")&"', '"& Request.QueryString("first_name")&"', etc, etc
PHPology
Thanks. But now it says: Microsoft VBScript compilation error '800a03ee' Expected ')' /thanks.asp, line 62
lucifer
+2  A: 

You need to place quotes around your <%=Request.QueryString(xyz)%> expressions, and your parameter names, and as you're in script, you don't do <%= %>. e.g. as below:

insert into ... VALUES ('" &  Request.QueryString("payer_email") & "', ...)

EDIT:

Here's the full statement:

Set rstSimple = cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode, TransactionID, ClientID) VALUES ('" & Request.QueryString("payer_email") & "','" & Request.QueryString("payer_email") & "','" & Request.QueryString("first_name") & "','" & Request.QueryString("last_name") & "','" & Request.QueryString("hash") & "','" & Request.QueryString("txn_id") & "','" & Request.QueryString("client_id") & "')")

This comes with the usual BEWARE caveats about SQL injection.

Neil Moss
+1  A: 

This isn't answering your question, but note that for string fields you will also need to quote the strings, i.e.

VALUES ('<%=Request.QueryString(payer_email)%>', 

Your code is also very prone to SQL injection attacks - this will be an issue if your system is internet facing.

nonnb
A: 

There are several problems with the code:

  • You are using server tags (<%= %>) in the server code.
  • You don't have quotation marks around the query string key names.
  • You don't have apostrophes around the string values in the query.
  • The string values are not encoded, so the query is wide open for SQL injection attacks.

You need a function to encode the strings; this works for MS Access and MS SQL Server:

' Double every single quote so a value cannot terminate the SQL string literal it is placed in
Function SqlEncode(str)
  SqlEncode = Replace(str, "'", "''")
End Function

Then you use that on the string values in the query:

Set rstSimple = cnnSimple.Execute( _
  "insert into SALT " & _
  "(Email, Username, FirstName, LastName, ActivationCode, TransactionID, ClientID) VALUES (" & _
  "'" & SqlEncode(Request.QueryString("payer_email")) & "', " & _
  "'" & SqlEncode(Request.QueryString("payer_email")) & "', " & _
  "'" & SqlEncode(Request.QueryString("first_name")) & "', " & _
  "'" & SqlEncode(Request.QueryString("last_name")) & "', " & _
  "'" & SqlEncode(Request.QueryString("hash")) & "', " & _
  "'" & SqlEncode(Request.QueryString("txn_id")) & "', " & _
  "'" & SqlEncode(Request.QueryString("client_id")) & "'" & _
  ")")
Guffa
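As an added example (not code from the question or any of the answers above), here is the same INSERT written as an ADODB parameterized command, which is the usual alternative to escaping with SqlEncode: the request values are bound as typed input parameters and never become part of the SQL text, so a stray quote cannot change the statement. It assumes cnnSimple is an open ADODB.Connection, that the SALT columns are character columns, and the column sizes below are placeholders to adjust to the real table.

```vbscript
' Added example: parameterized INSERT for the SALT table (not the original poster's code).
' ADO enum values spelled out so the page does not need adovbs.inc.
Const adVarChar = 200      ' DataTypeEnum: variable-length character
Const adParamInput = 1     ' ParameterDirectionEnum: input parameter
Const adCmdText = 1        ' CommandTypeEnum: CommandText is a SQL statement

Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cnnSimple        ' assumption: cnnSimple is already open
cmd.CommandType = adCmdText
' "?" placeholders are filled positionally, in the order parameters are appended.
cmd.CommandText = "INSERT INTO SALT " & _
    "(Email, Username, FirstName, LastName, ActivationCode, TransactionID, ClientID) " & _
    "VALUES (?, ?, ?, ?, ?, ?, ?)"

' Helper (hypothetical name): append one length-limited text input parameter.
' Left() truncates oversize input so it cannot exceed the declared column size.
Sub AddTextParam(name, value, size)
    cmd.Parameters.Append cmd.CreateParameter(name, adVarChar, adParamInput, size, Left(CStr(value), size))
End Sub

' Same seven values, in the same column order as the original statement
' (payer_email is used for both Email and Username, as in the question).
' Sizes are placeholders; use the real column widths from the SALT table.
AddTextParam "Email",          Request.QueryString("payer_email"), 255
AddTextParam "Username",       Request.QueryString("payer_email"), 255
AddTextParam "FirstName",      Request.QueryString("first_name"),  100
AddTextParam "LastName",       Request.QueryString("last_name"),   100
AddTextParam "ActivationCode", Request.QueryString("hash"),        128
AddTextParam "TransactionID",  Request.QueryString("txn_id"),      64
AddTextParam "ClientID",       Request.QueryString("client_id"),   64

' An INSERT returns no recordset, so Execute is called as a statement.
cmd.Execute
```

The provider sends the statement text and the values separately, so no SqlEncode call is needed; the column sizes also give you a natural place to reject input that is longer than the table can hold.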