Updating sql server through classic asp and vbscript
I'm trying to update the details of a single customer and I'm having problems updating with the new user input. I can see the changes being passed, but it's not updating the SQL. Here is the code -
'Update'
updateC = request.QueryString("action")
if updateC = "update" then
Id = request.QueryString("Id")
Name = request.QueryString("Name")
Address = request.QueryString("Address")
Suburb = request.QueryString("Suburb")
Postcode = request.QueryString("Postcode")
Age = request.QueryString("Age")
Email = request.QueryString("Email")
end if
%>
<form method="get" action="CreateCustomer.asp">
Name: <input type="text" value="<%=Name %>" name="Name"><br/>
Address: <input type="text" value="<%=Address %>" name="Address"><br/>
Suburb: <input type="text" value="<%=Suburb %>" name="Suburb"><br/>
Postcode: <input type="text" value="<%=Postcode %>" name="Postcode"><br/>
Age: <input type="text" value="<%=Age %>" name="Age"><br/>
Email: <input type="text" value="<%=Email %>" name="Email"><br/><br/>
<% if updateC = "update" then%>
<input type="hidden" value="update" name="updateButton">
<input type="submit" value="Update Customer">
<% else %>
<input type="hidden" value="insert" name="insert">
<input type="submit" value="New Customer">
<% end if %>
</form>
<%
'Assign Variables'
insertCheck = request.QueryString("insert")
updCheck = request.QueryString("updateButton")
if insertCheck = "insert" or updCheck = "update" then
ID = request.QueryString("Id")
Name = request.QueryString("Name")
Address = request.QueryString("Address")
Suburb = request.QueryString("Suburb")
Postcode = request.QueryString("Postcode")
Age = request.QueryString("Age")
Email = request.QueryString("Email")
end if
'update customer'
updButton = request.QueryString("updateButton")
if updButton = "update" and name<>"" then
updateCustomer()
end if
'Update customer sub procedure'
sub updateCustomer()
Dim uSQL, objCon
Set objCon = CreateObject("ADODB.Connection")
objCon.Open "Provider=SQLOLEDB.1;Password=xxxx;Persist Security Info=True;User ID=xxxx;Initial Catalog=Customer;Data Source=PC"
uSQL = "UPDATE Customer SET Name = " & "'" & Name & "'" & " Where ID = " & "'" & Id & "'"
objCon.Execute(uSQL)
uSQL = "UPDATE Customer SET Address = " & "'" & Address & "'" & " Where ID = " & "'" & Id & "'"
objCon.Execute(uSQL)
uSQL = "UPDATE Customer SET Suburb = " & "'" & Suburb & "'" & " Where ID = " & "'" & Id & "'"
objCon.Execute(uSQL)
uSQL = "UPDATE Customer SET Postcode = " & "'" & Postcode & "'" & " Where ID = " & "'" & Id & "'"
objCon.Execute(uSQL)
uSQL = "UPDATE Customer SET Age = " & "'" & Age & "'" & " Where ID = " & "'" & Id & "'"
objCon.Execute(uSQL)
uSQL = "UPDATE Customer SET Email = " & "'" & Email & "'" & " Where ID = " & "'" & Id & "'"
objCon.Execute(uSQL)
objCon.Close
end sub
The code above is from createcustomer.asp and the code below is from table.asp
<td><Center><a href="CreateCustomer.asp?action=update&Id=<%= objRS("Id") %>&Name=<%= objRS("Name") %>&Address=<%= objRS("Address") %>&suburb=<%= objRS("Suburb") %>&postcode=<%= objRS("Postcode") %>&age=<%= objRS("Age") %>&email=<%= objRS("Email") %>">
<input type="submit" value="Update"></a></Center></td>
Change
<% if updateC = "update" then%>
<input type="hidden" value="update" name="updateButton">
<input type="submit" value="Update Customer">
<% else %>
<input type="hidden" value="insert" name="insert">
<input type="submit" value="New Customer">
<% end if %>
to
<% if updateC = "update" then%>
<input type="hidden" value="<%=id%>" name="id">
<input type="hidden" value="update" name="updateButton">
<input type="submit" value="Update Customer">
<% else %>
<input type="hidden" value="insert" name="insert">
<input type="submit" value="New Customer">
<% end if %>
Because in your current code you do not pass the id of the customer, the update method does not know which one to update.
As others have stated, though, there is room for a lot of improvement, like:
- avoid SQL injection attacks by sanitizing your input or using parameterized queries.
- update the record in one go instead of an update for each field.
- re-use your declared variables instead of reading the queryString whenever you need something (you already have most values in variables).
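One way to apply both of those points (a single UPDATE, with bound parameters instead of concatenated strings), as an added example that is not the asker's or answerer's code; it assumes the question's connection string, table and column names, and that ID and Age are integer columns:

```vbscript
<%
' Added example: one parameterized UPDATE via ADODB.Command.
' Assumes the Customer table from the question; ID and Age are assumed integer columns.
Function UpdateCustomer(custId, custName, custAddress, custSuburb, custPostcode, custAge, custEmail)
    Const adInteger = 3, adVarChar = 200, adParamInput = 1
    Const adCmdText = 1, adExecuteNoRecords = 128
    UpdateCustomer = 0

    ' Reject non-numeric ID/Age before touching the database
    If Not IsNumeric(custId) Or Not IsNumeric(custAge) Then Exit Function

    Dim objCon, objCmd, rowsAffected
    Set objCon = Server.CreateObject("ADODB.Connection")
    objCon.Open "Provider=SQLOLEDB.1;Password=xxxx;Persist Security Info=True;User ID=xxxx;Initial Catalog=Customer;Data Source=PC"

    Set objCmd = Server.CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objCon
    objCmd.CommandType = adCmdText
    ' The ? placeholders are bound positionally; user input never becomes part of the SQL text
    objCmd.CommandText = "UPDATE Customer SET Name = ?, Address = ?, Suburb = ?, " & _
                         "Postcode = ?, Age = ?, Email = ? WHERE ID = ?"

    ' Sizes are assumed column widths; adjust to match the real schema
    objCmd.Parameters.Append objCmd.CreateParameter("Name", adVarChar, adParamInput, 100, custName)
    objCmd.Parameters.Append objCmd.CreateParameter("Address", adVarChar, adParamInput, 200, custAddress)
    objCmd.Parameters.Append objCmd.CreateParameter("Suburb", adVarChar, adParamInput, 100, custSuburb)
    objCmd.Parameters.Append objCmd.CreateParameter("Postcode", adVarChar, adParamInput, 10, custPostcode)
    objCmd.Parameters.Append objCmd.CreateParameter("Age", adInteger, adParamInput, , CLng(custAge))
    objCmd.Parameters.Append objCmd.CreateParameter("Email", adVarChar, adParamInput, 200, custEmail)
    objCmd.Parameters.Append objCmd.CreateParameter("ID", adInteger, adParamInput, , CLng(custId))

    ' Single round trip; rowsAffected tells you whether the WHERE clause matched a customer
    objCmd.Execute rowsAffected, , adExecuteNoRecords
    objCon.Close
    UpdateCustomer = rowsAffected
End Function

' Called only when the form posted the hidden id together with the update button
If Request.QueryString("updateButton") = "update" And Request.QueryString("Name") <> "" Then
    If UpdateCustomer(Request.QueryString("id"), Request.QueryString("Name"), _
                      Request.QueryString("Address"), Request.QueryString("Suburb"), _
                      Request.QueryString("Postcode"), Request.QueryString("Age"), _
                      Request.QueryString("Email")) = 0 Then
        Response.Write "No customer was updated (check the id)."
    End If
End If
%>
```

A returned count of 0 is the symptom the question describes (no id, so no matching row), which the hidden id field from the answer above fixes.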
Change
updateC = request.QueryString("action")
to
updateC = request.QueryString("updateButton")