views: 252 · answers: 3
Hey, I am trying to create a simple page that enters data in to a database and my code is below.

<%@ LANGUAGE="VBSCRIPT" %>
<% Option Explicit %>
<!--#include FILE=dbcano.inc-->
<%

dim username,password,f_name,l_name,objConn,objs,query

username   = Request.Form("user")
password   = Request.Form("pass")
f_name     = Request.Form("fname")
l_name     = Request.Form("lname")

if((f_name <> null) or (f_name <> "")) then
    response.redirect("patti_account.asp")
else
    Set objConn = ConnectDB()
    query       = "INSERT INTO user (username,password,f_name,l_name) VALUES ('"& username &"','"& password &"','"& f_name &"','"& l_name &"')"
    Set objs    = objConn.Execute(query)

    Response.Redirect ("thankyou.asp")

end if

%>

I am getting this error when I run my page:

Microsoft OLE DB Provider for SQL Server error '80040e14'

Incorrect syntax near the keyword 'user'.

create_account.asp, line 18

I have checked everything, my field names exist and my table name is correct as well.

Any suggestions?

Thanks,

Ryan

+3  A: 

User is a reserved word in SQL server. Put it into square brackets, e.g. [user].

M4N
Worked like a charm! Thank you Martin. I didn't even think of checking to see if "user" was a reserved word.
Coughlin
+1  A: 

Try changing it to:

query       = "INSERT INTO [user] (username,password,f_name,l_name) VALUES ('"& username &"','"& password &"','"& f_name &"','"& l_name &"')"

(escape the table name since it is a reserved word)

Also, don't forget to validate keyboard input since this code is subject to SQL injection attacks.

daughtkom
+2  A: 

This is vulnerable to SQL Injection. Imagine what would happen if someone put this in for the last name:

');DROP Table [user];--

Fix it or I will personally track you down and beat you with a wet noodle until you do.

Joel Coehoorn
+1 for the wet noodle beating; Good point about injection too :)
seanb
Thank you Joel! I will make sure to keep an eye on this. Thanks again. Ryan
Coughlin
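The two points raised in the answers above (the reserved table name and the string-concatenated INSERT that daughtkom and Joel flag as injectable) are both addressed by the rewrite below. It is an added example, not code from the original poster or from any of the answerers. It assumes `ConnectDB()` from `dbcano.inc` returns an open `ADODB.Connection`, as the original page uses it; the column widths of 50 are assumed and should be replaced with the real ones; and the branch on the first name is written the way the poster's logic most likely intended (send an empty submission back to the form, otherwise insert), which is also an assumption.

```vbscript
<%@ LANGUAGE="VBSCRIPT" %>
<% Option Explicit %>
<!--#include FILE=dbcano.inc-->
<%
' Parameterised rewrite of create_account.asp (added example, not the
' original poster's code). ConnectDB() is assumed to return an open
' ADODB.Connection, exactly as the original page uses it.
Dim username, password, f_name, l_name
Dim objConn, objCmd

username = Request.Form("user")
password = Request.Form("pass")
f_name   = Request.Form("fname")
l_name   = Request.Form("lname")

' Request.Form returns "" for a missing field, so test the length. A
' comparison with Null is never True in VBScript, which is why the
' original (f_name <> null) check could not do what it looks like.
' Assumed intent: empty first name goes back to the form, else insert.
If Len(Trim(f_name)) = 0 Then
    Response.Redirect "patti_account.asp"
Else
    Set objConn = ConnectDB()

    Set objCmd = Server.CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    objCmd.CommandType = 1   ' adCmdText

    ' [user] escapes the reserved word; each ? is a parameter slot.
    ' The values never become part of the SQL text, so the payload
    ' ');DROP Table [user];-- is stored as a literal last name.
    objCmd.CommandText = "INSERT INTO [user] (username, password, f_name, l_name) VALUES (?, ?, ?, ?)"

    ' CreateParameter(Name, Type, Direction, Size, Value)
    ' 200 = adVarChar, 1 = adParamInput. Size 50 is an assumed column width.
    objCmd.Parameters.Append objCmd.CreateParameter("@username", 200, 1, 50, username)
    objCmd.Parameters.Append objCmd.CreateParameter("@password", 200, 1, 50, password)
    objCmd.Parameters.Append objCmd.CreateParameter("@f_name",   200, 1, 50, f_name)
    objCmd.Parameters.Append objCmd.CreateParameter("@l_name",   200, 1, 50, l_name)

    ' 128 = adExecuteNoRecords: an INSERT returns no rows, so do not
    ' build a recordset (the original's objConn.Execute did).
    objCmd.Execute , , 128

    Set objCmd = Nothing
    objConn.Close
    Set objConn = Nothing

    Response.Redirect "thankyou.asp"
End If
%>
```

The numeric ADO constants are written out because a plain `.asp` file does not get them unless `adovbs.inc` is included or the ADO type library is referenced from `global.asa`; with either of those in place, `adVarChar`, `adParamInput` and `adExecuteNoRecords` can be used by name. Parameter sizes should match the real column definitions, since a value longer than the declared size is truncated or rejected by the provider rather than by your code.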