INSERT INTO using HTML forms

Ian Griffiths
Guest
Posts: n/a
 
      10-26-2003
I'm having issues with the code I'm writing. I've dealt with SQL before,
although only for extracting data, not adding it to the database. I've been
intensively learning ASP/ADO over the past week or so. I have an HTML form
that posts data to the following ASP file:

<HTML>
<HEAD>
<TITLE>Sight Bites</TITLE>
</HEAD>

<BODY>

<%
set conn = Server.CreateObject("ADODB.Connection")
conn.Provider="Microsoft.Jet.OLEDB.4.0"
conn.Open(Server.Mappath("data/guest.mdb"))

' Build the INSERT statement from the posted form fields
stmt = "INSERT INTO Guest (Name, Location, Date, Email, Website, Comment)"
stmt = stmt & "VALUES ('" & Request.Form("Name") & "', '" & _
       Request.Form("Location") & "', '" & Date & "', '"
stmt = stmt & Request.Form("Email") & "', '" & Request.Form("Website") & _
       "', '" & Request.Form("Comment") & "')"

on error resume next
conn.Execute stmt, recaffected
if err<>0 then
  response.write "VBScript Errors Occurred:" & "<P>"
  response.write "Error Number=" & err.number & "<P>"
  response.write "Error Descr.=" & err.description & "<P>"
  response.write "Help Context=" & err.helpcontext & "<P>"
  response.write "Help Path=" & err.helppath & "<P>"
  response.write "Native Error=" & err.nativeerror & "<P>"
  response.write "Source=" & err.source & "<P>"
  response.write "SQLState=" & err.sqlstate & "<P>"
else
  Response.Write("Updated!")
end if
conn.Close
%>

<HR/>
<CENTER><H5><I>2003 Ian Griffiths</I></H5></CENTER>
</BODY>
</HTML>

I've run this using IIS, but I always seem to get a syntax error in my
INSERT statement, and I can't spot one. Anyone got any pointers?

Cheers,

Ian Griffiths.


Dan Brussee
Guest
Posts: n/a
 
      10-26-2003
On Sun, 26 Oct 2003 13:09:41 +0000 (UTC), "Ian Griffiths"
<(E-Mail Removed)> wrote:


>
> stmt = "INSERT INTO Guest (Name, Location, Date, Email, Website, Comment)"
> stmt = stmt & "VALUES ('" & Request.Form("Name") & "', '" &
>Request.Form("Location") & "', '" & Date & "', '"
> stmt = stmt & Request.Form("Email") & "', '" & Request.Form("Website") &
>"', '" & Request.Form("Comment") & "')"
>
>
>
>I've run this using IIS, but I always seem to get a syntax error in my
>INSERT statement, but I can't spot one. Anyone got any pointers?
>


Check a couple things...

First off, use Response.Write stmt just before issuing the statement
to SQL. This might show you more.

Next look at the syntax for delimiters on dates using Access
databases. It requires "#" marks for delimiters.

Lastly, take a look at the comments. If they contain single quotes
anywhere in them, this will make the statement fail. For any data that
a user will type in, it is a good idea to "clean" that data by at
least replacing single quotes with two single quotes. This escapes the
single quote and puts it into the data value and does not use it for a
delimiter. For example: If comment was

I'm Thirsty

then your stmt section would be...

...,'http://www.myweb.com','I'm Thirsty')

The single quote in I'm throws everything off.
The Mighty Chaffinch
Guest
Posts: n/a
 
      10-27-2003
> stmt = "INSERT INTO Guest (Name, Location, Date, Email, Website, Comment)"
> stmt = stmt & "VALUES ('" & Request.Form("Name") & "', '" &


I imagine 'date' is a reserved word in Jet SQL, and possibly 'name' and
some of the others too. In Jet SQL you can use a [...] syntax around
table/column names to use reserved words, but these probably aren't good
choices for column names anyway.

MightyC

CJM
Guest
Posts: n/a
 
      10-28-2003
> First off, use Response.Write stmt just before issuing the statement
> to SQL. This might show you more.


I would echo this. Output your SQL string, which you can then test in
Access's Query Builder to test the validity of the SQL. Then you can work
backwards to your ASP code.

> Lastly, take a look at the comments. If they contain single quotes
> anywhere in them, this will make the statement fail. For any data that
> a user will type in, it is a good idea to "clean" that data by at
> least replacing single quotes with two single quotes. This escapes the
> single quote and puts it into the data value and does not use it for a
> delimiter. For example: If comment was
>
> I'm Thirsty
>
> then your stmt section would be...
>
> ...,'http://www.myweb.com','I'm Thirsty')
>
> The single quote in I'm throws everything off.


Rather than inserting two single quotes, you might consider just filtering them
out.

This improves the security of your site, by reducing the risk of attack via
SQL Injection:

http://www.nextgenss.com/papers/adva..._injection.pdf

This article explains it much better than I ever could...

hth

Chris
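The approach that removes both Dan's quoting problem and Chris's injection concern is to stop building the SQL text from form fields at all and bind the values as parameters. The following is an added example, not code from the original thread; it assumes the Guest table, the column names and the data/guest.mdb path from Ian's post, and it replaces only the script block of his page.

```vbscript
<%
' Added example, not code from the original thread: the same insert done with
' an ADODB.Command and bound parameters instead of string concatenation.
' Assumes the Guest table and the data/guest.mdb path from Ian's post.
' ADO constants, normally supplied by adovbs.inc
Const adCmdText = 1, adParamInput = 1, adExecuteNoRecords = 128
Const adVarWChar = 202, adLongVarWChar = 203, adDate = 7

' Build a text parameter; Jet wants a non-zero size even for an empty string.
Function TextParam(cmd, name, adoType, value)
    Dim s: s = CStr(value)
    Dim n: n = Len(s): If n = 0 Then n = 1
    Set TextParam = cmd.CreateParameter(name, adoType, adParamInput, n, s)
End Function

Set conn = Server.CreateObject("ADODB.Connection")
conn.Provider = "Microsoft.Jet.OLEDB.4.0"
conn.Open Server.MapPath("data/guest.mdb")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' Reserved words (Name, Date) are bracketed. Each value is a ? marker, so a
' quote in "I'm Thirsty" or a #-delimited date never becomes part of the SQL.
cmd.CommandText = "INSERT INTO Guest ([Name], Location, [Date], Email, Website, Comment) " & _
                  "VALUES (?, ?, ?, ?, ?, ?)"

' Parameters bind positionally, in the order of the ? markers.
cmd.Parameters.Append TextParam(cmd, "Name", adVarWChar, Request.Form("Name"))
cmd.Parameters.Append TextParam(cmd, "Location", adVarWChar, Request.Form("Location"))
cmd.Parameters.Append cmd.CreateParameter("Date", adDate, adParamInput, , Date)
cmd.Parameters.Append TextParam(cmd, "Email", adVarWChar, Request.Form("Email"))
cmd.Parameters.Append TextParam(cmd, "Website", adVarWChar, Request.Form("Website"))
cmd.Parameters.Append TextParam(cmd, "Comment", adLongVarWChar, Request.Form("Comment"))

On Error Resume Next
cmd.Execute , , adExecuteNoRecords
If Err.Number <> 0 Then
    ' Keep Err.Description for a server-side log; do not echo driver details to the browser.
    Response.Write "Insert failed."
Else
    Response.Write "Updated!"
End If
On Error GoTo 0
conn.Close
%>
```

Because the date is bound as adDate, no # delimiters or string formatting are needed; if you still want to see what is sent, Response.Write cmd.CommandText shows the template with its ? markers.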
