easy asp help, can't spot error

Author: ainsworth14 (Groupie)
Joined: 05 August 2003
Location: United Kingdom
Points: 62
Posted: 11 November 2004 at 3:08pm

Hi guys, you have answered many of my queries in the past, so thanks for that, but I need help on this.

I have a simple form on a page passing a score, level and playername.

The code below is on a page that should write to a db. I have done this before on my own site and have compared this code with other code and it looks fine; however, I keep getting a syntax error in INSERT INTO statement. I have played with things and taken the numbers out and it seems to be ok just inserting the playername field, so probably something to do with the numbers?

any ideas?

<%

level = Trim(request("level"))
score = Trim(request("score"))
playername = Trim(request("playername"))


Dim objConn
Dim strConnectionString

strConnectionString = MM_fr_record_webtest_STRING
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.open strConnectionString


sqlString = "INSERT INTO highscores ( level, score, playername ) " & _
"VALUES (" & Replace(level, "'", "''") & "," & Replace(score, "'", "''") & ",'" & Replace(playername, "'", "''") & "')"

objConn.Execute (sqlString)

%>


Cheers
Mark



Edited by ainsworth14
Author: michael (Senior Member)
Joined: 08 April 2002
Location: United States
Points: 4670
Posted: 11 November 2004 at 3:29pm
First off, why do you do a replace on level, as it appears to be an integer value? At least you don't have text identifiers. If it does contain characters you need to put it within ' '.
Also, if you have ' in the field you need to make sure they don't terminate a field: if you have a playername of ainsworth'114 and it gets replaced to ainsworth''114, the SQL would read ....,'ainsworth''114') which, depending, could terminate the field. So in a nutshell, verify your data types and use a better injection prevention than replacing ' with ''.
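The two points above (check the data types, and use something better than doubling apostrophes) come together in a parameterized ADODB.Command. The page below is an added example, not code from the original poster: it keeps the original table, column names and the MM_fr_record_webtest_STRING connection string, reads the fields from Request.Form the way the original script reads them from Request, and assumes that level and score are integer columns and that playername is a 50-character text column (the form's size attribute; adjust to the real column width). The ADO constant values are the standard ones from adovbs.inc, inlined so the page stands on its own. Bracketing the column names is not a style choice: LEVEL is on the Jet/Access reserved-word list, and brackets are harmless on SQL Server, so it removes one cause of "Syntax error in INSERT INTO statement" that survives even when the generated SQL looks right.

```asp
<%
Option Explicit

' Added example: validated input plus bound parameters instead of string splicing.
' ADO constants (standard values from adovbs.inc), inlined so no include is needed.
Const adCmdText    = 1
Const adParamInput = 1
Const adInteger    = 3
Const adVarWChar   = 202

Dim level, score, playername
' Request.Form only reads the posted form; plain Request also searches
' QueryString and Cookies, which is wider than this page needs.
level      = Trim(Request.Form("level"))
score      = Trim(Request.Form("score"))
playername = Trim(Request.Form("playername"))

' Numeric columns: accept whole numbers only, before anything reaches the
' database. IsNumeric is looser than this (it accepts "1e3", "&H10", "3.5").
Dim reWhole
Set reWhole = New RegExp
reWhole.Pattern = "^\d{1,9}$"          ' up to 9 digits fits a 32-bit integer column
If Not (reWhole.Test(level) And reWhole.Test(score)) Then
    Response.Write "level and score must be whole numbers"
    Response.End
End If

' Text column: enforce the assumed column width (50) so the driver does not
' have to truncate or reject the row later.
If Len(playername) = 0 Or Len(playername) > 50 Then
    Response.Write "playername must be 1 to 50 characters"
    Response.End
End If

Dim objConn, objCmd
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open MM_fr_record_webtest_STRING   ' connection string from the original page

Set objCmd = Server.CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandType = adCmdText
' Bracketed identifiers: LEVEL is a Jet/Access reserved word; brackets are
' accepted by SQL Server too. The "?" placeholders are filled by the driver.
objCmd.CommandText = "INSERT INTO highscores ([level], [score], [playername]) VALUES (?, ?, ?)"

' Each value travels as a typed parameter. The integers are never quoted, and
' an apostrophe in a player name is data, not SQL, so no Replace() is needed.
objCmd.Parameters.Append objCmd.CreateParameter("level", adInteger, adParamInput, , CLng(level))
objCmd.Parameters.Append objCmd.CreateParameter("score", adInteger, adParamInput, , CLng(score))
objCmd.Parameters.Append objCmd.CreateParameter("playername", adVarWChar, adParamInput, 50, playername)

objCmd.Execute

objConn.Close
Set objCmd  = Nothing
Set objConn = Nothing
%>
```

The Response.Write check from later in the thread still applies while debugging: writing objCmd.CommandText shows the statement with its placeholders, and the values can be written separately, so the two are never confused for each other.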
Author: ainsworth14 (Groupie)
Joined: 05 August 2003
Location: United Kingdom
Points: 62
Posted: 11 November 2004 at 5:01pm

Hi

My original code was without all the 'replace' bits and was simply

"VALUES (" & level & "," & score & ",'" & playername & "')"

and still didn't work.



Edited by ainsworth14
Author: Mart (Senior Member)
Joined: 30 November 2002
Points: 2304
Posted: 11 November 2004 at 5:34pm
What values are you feeding into this page?
Author: ainsworth14 (Groupie)
Joined: 05 August 2003
Location: United Kingdom
Points: 62
Posted: 11 November 2004 at 6:05pm

level and score are numeric:

level = 3

score = 3660

playername = john smith

level<input type=text size=5 name=level>
score<input type=text size=10 name=score>
player_name<input type=text size=50 name=pname>
<input type=submit value=go>

As I say, changing the SQL code so I am just inserting playername is fine, I can do that; it just fails when I try to insert a number.

Author: michael (Senior Member)
Joined: 08 April 2002
Location: United States
Points: 4670
Posted: 11 November 2004 at 9:02pm
Do a response.write(sqlquery) instead of executing it and you should see what it's actually trying to do.
Author: ainsworth14 (Groupie)
Joined: 05 August 2003
Location: United Kingdom
Points: 62
Posted: 12 November 2004 at 2:59am

Yup, done that before.

I get this:

INSERT INTO highscores ( level, score, playername ) VALUES (1,2,'mark')

Author: michael (Senior Member)
Joined: 08 April 2002
Location: United States
Points: 4670
Posted: 12 November 2004 at 9:26am
Well, the syntax is correct, so what are those three field types in the database?