Search for Text within a String

kennywhite
Groupie
Joined: 26 February 2009
Location: Indy
Posted: 05 July 2011 at 4:09pm
I have a website that I built, using an MS Access database. There is one field in the database called "SERIALS". This field holds all serial numbers for a specific part number. There are already thousands of records in this database, but the users would like a way to search for specific serial numbers. Is this possible? If so, how can I go about doing that? Again, the field holds 1 to dozens of different serial numbers, separated only by a single space.

I have tried 
WHERE Serials = '" &  Request.QueryString("serial") & "' 
and
WHERE Serials LIKE '" &  Request.QueryString("serial") & "' 

I didn't expect either of these to work and they did not. Any ideas on how I can do this without having to create a new table and manually move all of the data over?

WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Posted: 05 July 2011 at 4:29pm
For a start you need to sanitise the user response; using the querystring directly in an SQL Query is leaving yourself wide open to an SQL Injection attack from either a hacker, malware, or virus.

You should place the querystring into a variable then remove or escape any unsafe SQL from the variable before using it in your SQL Query.

Once you sanitise your input try the following:-


' Copy the querystring value into a variable, then double any single quotes
strSerialNumber = Request.QueryString("serial")
strSerialNumber = Replace(strSerialNumber, "'", "''")

WHERE Serials LIKE '%" &  strSerialNumber & "%'
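
An alternative to the Replace() escaping in the reply above, added here as an example that is not part of the original post: a parameterized ADO query for Classic ASP (placed inside the page's <% %> block) that also treats LIKE wildcards in the input as literals and matches a serial only as a whole space-separated entry. The table name Parts, the PartNumber column, the Application("ConnString") connection string and the 50-character limit are assumptions, as is the Jet OLE DB provider, where % and _ are the LIKE wildcards.

```vbscript
' Added example, not code from the thread.
' Hypothetical names: Parts, PartNumber, Application("ConnString").
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202

' Make LIKE metacharacters in user input match literally (Jet bracket escaping).
' "[" is handled first so the brackets added for % and _ are not escaped again.
Function EscapeLike(strValue)
    Dim s
    s = Replace(strValue, "[", "[[]")
    s = Replace(s, "%", "[%]")
    s = Replace(s, "_", "[_]")
    EscapeLike = s
End Function

Dim strSerial, conn, cmd, rs
strSerial = Trim(Request.QueryString("serial"))

' Reject empty, over-long or multi-token input before it reaches the query.
' With a plain '%...%' pattern, an empty value becomes '%%' and matches every row.
If Len(strSerial) = 0 Or Len(strSerial) > 50 Or InStr(strSerial, " ") > 0 Then
    Response.Write "Enter a single serial number."
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The value travels as a parameter, so it is never parsed as SQL text.
' Padding Serials with spaces lets "% <serial> %" match whole entries only,
' so searching for 123 does not return a row that only contains 1234.
cmd.CommandText = "SELECT PartNumber, Serials FROM Parts " & _
                  "WHERE (' ' & Serials & ' ') LIKE ?"
cmd.Parameters.Append cmd.CreateParameter("serial", adVarWChar, adParamInput, 255, _
                  "% " & EscapeLike(strSerial) & " %")

Set rs = cmd.Execute
Do Until rs.EOF
    ' HTML-encode stored data before writing it into the page.
    Response.Write Server.HTMLEncode(rs("PartNumber") & ": " & rs("Serials")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
```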

kennywhite
Groupie
Joined: 26 February 2009
Location: Indy
Posted: 06 July 2011 at 2:29pm
No luck there. I am getting almost every record back, instead of just the one containing the text I'm looking for.

Thanks for the tip on sanitizing, though. I'll definitely start doing this for all of my pages.