SQL String query
i have this insert query im tryin to do but it isn't working. no matter how many variations, and variations of variations i try, it always has a problem with my code.
Set rstSimple = cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode, TransactionID, ClientID) VALUES (<%=Request.QueryString(payer_email)%>, <%=Request.QueryString(payer_email)%>, <%=Request.QueryString(first_name)%>, <%=Request.QueryString(last_name)%>, <%=Request.QueryString(hash)%>, <%=Request.QueryString(txn_id)%>, <%=Request.QueryString(client_id)%>)")
I don't understand what its problem is: it keeps saying:
Microsoft VBScript compilation error '800a0409'
Unterminated string constant
/thanks.asp, line 62
Set rstSimple = cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode, TransactionID, ClientID) VALUES (<%=Request.QueryString(payer_email)
-----------------------------------------------------------------------------开发者_C百科--------------------------------------------------------------------------------------------------^
Note: VBScript & ASP.
Can somebody please help me figure this out? Thank you.
You need to place quotes around your <%=Request.QueryString(xyz)%> expressions, and your parameter names, and as you're in script, you don't do <%= %>. e.g. as below:
insert into ... VALUES ('" & Request.QueryString("payer_email") & "', ...)
EDIT:
Here's the full statement:
Set rstSimple = cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode, TransactionID, ClientID) VALUES ('" & Request.QueryString("payer_email") & "','" & Request.QueryString("payer_email") & "','" & Request.QueryString("first_name") & "','" & Request.QueryString("last_name") & "','" & Request.QueryString("hash") & "','" & Request.QueryString("txn_id") & "','" & Request.QueryString("client_id") & "')")
This comes with the usual BEWARE caveats about SQL injection.
I guess the parameters you're passing to Request.QueryString() should be enclosed in quotes:
Request.QueryString("payer_email")
UPDATE: Yes, and as @PHPology suggested, you should remove the <% %> and simply use string concatenation with &.
Try it like this:
Set rstSimple = cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode, TransactionID, ClientID) VALUES ('" & Request.QueryString("payer_email") & "', '" & Request.QueryString("payer_email") & "', '" & Request.QueryString("first_name") & "', '" & Request.QueryString("last_name") & "', '" & Request.QueryString("hash") & "', '" & Request.QueryString("txn_id") & "', '" & Request.QueryString("client_id") & "')")
Although not related to the problem, your query also appears to be vulnerable to SQL Injection.
Instead of doing...
"foo <%=bar%> foo"
...try this instead:
"foo" & bar & "foo"
remove your <% %> as you are already in ASP script mode.
it should be something like this for your values
'"& Request.QueryString("payer_email")&"', '"& Request.QueryString("first_name")&"', etc, etc
This isn't answering your question, but note that for string fields you will also need to quote the strings, i.e.
VALUES ('<%=Request.QueryString(payer_email)%>',
Your code is also very prone to SQL injection attacks - this will be an issue if your system is internet facing.
There are several problems with the code:
- You are using server tags (
<%= %>) in the server code. - You don't have quotation marks around the query string key names.
- You don't have apostrophes around the string values in the query.
- The string values are not encoded, so the query is wide open for SQL injection attacks.
You need a function to encode the strings, this works for MS Access and MS SQL Server:
Function SqlEncode(str)
SqlEncode = Replace(str, "'", "''")
End Function
Then you use that on the string values in the query:
Set rstSimple = cnnSimple.Execute( _
"insert into SALT " & _
"(Email, Username, FirstName, LastName, ActivationCode, TransactionID, ClientID) VALUES (" & _
"'" & SqlEncode(Request.QueryString("payer_email")) & "', " & _
"'" & SqlEncode(Request.QueryString("payer_email")) & "', " & _
"'" & SqlEncode(Request.QueryString("first_name")) & "', " & _
"'" & SqlEncode(Request.QueryString("last_name")) & "', " & _
"'" & SqlEncode(Request.QueryString("hash")) & "', " & _
"'" & SqlEncode(Request.QueryString("txn_id")) & "', " & _
"'" & SqlEncode(Request.QueryString("client_id")) & "'" & _
")")
加载中,请稍侯......
精彩评论