ansaurus

Question

Can someone please tell me what is wrong with this statement?

Answer 1

+1 A:

You have a missing & in here:

VALUES ('"Request.QueryString("payer_email") & "'

should be:

VALUES ('" & Request.QueryString("payer_email") & "'

And even in the last part of your statement, you have a missing & and a missing ":

Request.QueryString("hash")"'))

should be:

Request.QueryString("hash") & "')")

Therefore you may want to try the following statement:

cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode) VALUES ('" & Request.QueryString("payer_email") & "', '" & Request.QueryString("payer_email") & "', '" & Request.QueryString("first_name") & "', '" & Request.QueryString("last_name") & "', '" & Request.QueryString("hash") & "')")

Daniel Vassallo 2010-07-30 10:40:37

lucifer 2010-07-30 10:44:10

@j-t-s: Check my updated answer. You have a missing a quote as well, as @AlvinfromDiaspar noted in the other answer.

Daniel Vassallo 2010-07-30 10:47:17

I did that and its still giving me the same error

lucifer 2010-07-30 10:47:19

@j-t-s: there were quite a few other missing quotes, everywhere in the middle (but this answer's final statement seems correct). Check my answer (self-promoting, ouch!) for how to make your code slightly less error-prone and easier to spot your errors. Others show similar methods to make your code readable ;-).

Abel 2010-07-30 10:56:32

I just tried the very last sample on this answer and now it says: Microsoft VBScript runtime error '800a01a8'Object required: ''

lucifer 2010-07-30 11:37:46

@j-t-s: Maybe there was a problem with the connection when setting `cnnSimple`.

Daniel Vassallo 2010-07-30 11:44:14

Answer 2

+1 A:

Seems like there is a syntax error related to your parenthesis. The 2 parenthesis at the end of that line looks kind of fishy.

AlvinfromDiaspar 2010-07-30 10:44:05

Answer 3

+1 A:

The missing ampersands and quotes may be the least of your problems.

It does not look like you are cleaning the strings in any way. The strings could contain single quotes that are not escaped. You are open to SQL injection because you are not using parameters.

Remou 2010-07-30 10:50:57

still a missing `-)

Abel 2010-07-30 10:54:37

PS: the repeated e-mail value is correct (`UserName` and `Email` are equal), if you don't use that, the amount of values does not match the amount of fields anymore.

Abel 2010-07-30 11:07:52

Better? :) char

Remou 2010-07-30 11:18:28

ehrm, much better! lol

Abel 2010-07-30 11:42:46

Answer 4

+4 A:

I'd suggest breaking up your code as follows, so it becomes readable and understandable:

Dim execSql
execSql = "insert into SALT (Email, Username, FirstName, LastName, ActivationCode)"
execSql = execSql & " VALUES ('"
execSql = execSql & Request.QueryString("payer_email") 
execSql = execSql & "', '" 
execSql = execSql & Request.QueryString("payer_email") 
execSql = execSql & "', '" 
execSql = execSql & Request.QueryString("first_name") 
execSql = execSql & "', '" 
execSql = execSql & Request.QueryString("last_name") 
execSql = execSql & "', '" 
execSql = execSql & Request.QueryString("hash")
execSql = execSql & "')"

Set rstSimple = cnnSimple.Execute(execSql)

while typing, I removed the quote-errors of your string. Now it becomes more apparent where they are if you receive a new error. Also, the coloring of the code makes it readable and easy to spot the error (depening on what editor you use).

Edit on SQL Injection and security

As someone else already mentioned, your code is highly susceptible to SQL injection attacks. Even if no attack (i.e., to drop your database) is meant, it will fail if someone is named d'Amour (French) or in 't Huys (Dutch), crashing your page. To circumvent this, don't try to filter your code, but rewrite it using SQL Command and Parameters. It's easy, your code simply becomes this:

Set dbCommand = Server.CreateObject("ADODB.Command")
Set dbCommand.ActiveConnection = cnnSimple
dbCommand.CommandType = adCmdText
dbCommand.CommandText = _
    "INSERT INTO SALT (Email, Username, FirstName, LastName, ActivationCode) " + _ 
    "VALUES (@email, @user, @firstname, @lastname, @code)"
With dbCommand.Parameters
    .Add("email", adVarChar, adParamInput, , Request.QueryString("payer_email"))
    .Add("user", adVarChar, adParamInput, , Request.QueryString("payer_email"))
    .Add("firstname", adVarChar, adParamInput, , Request.QueryString("first_name"))
    .Add("lastname", adVarChar, adParamInput, , Request.QueryString("last_name"))
    .Add("code", adVarChar, adParamInput, , Request.QueryString("hash"))
End With

Set rstSimple = dbCommand.Execute()

Note: make sure to download and include ADOVBS.INC so you don't have to replace the constants adVarChar and adParamInput and such with their numeric equivalents.

For more info see this SO answer by Jose Basilio, Google on "SQL Injection ASP" or "SQL Prepared Statement Classic ASP", it should find you some hits.

Abel 2010-07-30 10:51:36

This is very similar to my advice. I don't know the language so I will trust you that this is better than my answer. +1

Mark Byers 2010-07-30 11:01:02

@Mark: your advice was excellent, but applied to ASP has some drawbacks (and it won't compile, see my comment under your answer). With Classic ASP it is better to be *very* conservative when coding. *(But C#, F# and Java are my languages of choice since 10 years now :)*

Abel 2010-07-30 11:03:36

I just tried that, but now it says: Expected end of statement/thanks.asp, line 63Dim execSql As String = "insert into SALT (Email, Username, FirstName, LastName, ActivationCode)"------------^

lucifer 2010-07-30 11:27:52

@j-t-s: my `Dim` was influenced by VB, sorry. Removed it now.

Abel 2010-07-30 11:41:18

ansaurus

tags:

views:

answers:

Can someone please tell me what is wrong with this statement?

Edit on SQL Injection and security

related questions