
easy asp help, cant spot error

Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: Classic ASP Discussion
Forum Description: Discussion on Active Server Pages (Classic ASP).
URL: https://forums.webwiz.net/forum_posts.asp?TID=12502
Printed Date: 30 March 2026 at 9:39pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: easy asp help, cant spot error
Posted By: ainsworth14
Subject: easy asp help, cant spot error
Date Posted: 11 November 2004 at 3:08pm

Hi guys, you have answered many of my queries in the past so thanks on that, but I need help on this.

I have a simple form on a page passing a score, level and playername.

The code below is on a page that should write to a db. I have done this before on my own site and have compared this code with other code and it looks fine, however, I keep getting a syntax error in INSERT INTO statement. I have played with things and taken the numbers out and it seems to be ok to just insert the playername field. So prob something to do with the numbers?

Any ideas?

<%

level = Trim(request("level"))
score = Trim(request("score"))
playername = Trim(request("playername"))


Dim objConn
Dim strConnectionString

strConnectionString = MM_fr_record_webtest_STRING
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.open strConnectionString


sqlstring = "INSERT INTO highscores ( level, score, playername ) " &_
"VALUES (" & Replace(level, "'", "''") & "," & Replace(score, "'", "''") & ",'" & Replace(playername, "'", "''") & "')"

objConn.Execute (sqlString)

%>

 

Cheers
Mark




Replies:
Posted By: michael
Date Posted: 11 November 2004 at 3:29pm
First off, why do you do a replace on level as it appears to be an integer value? At least you don't have text identifiers. If it does contain characters you need to put it within ' '
Also, if you have ' in the field you need to make sure they don't terminate a field. If you have a playername of ainsworth'114 and it gets replaced to ainsworth''114 the sql would read ....,'ainsworth''114') which depending could terminate the field. So in a nutshell, verify your data types and use a better injection prevention than replacing ' with ''

-------------
Blog: http://baumannphoto.com | MPG Tracker: http://mpgtracker.com
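
Added example (not part of the thread and not any poster's code): one way to verify the data types and avoid quote-doubling is to check the numeric fields and bind all three values as ADO parameters. It assumes level and score are integer columns, playername is a text column of at most 50 characters, and MM_fr_record_webtest_STRING is defined elsewhere as in the original page.

```vbscript
<%
' Added example: validate input, then bind values as ADO parameters
' instead of concatenating them into the SQL text.
Const adInteger = 3, adVarChar = 200, adParamInput = 1
Const adCmdText = 1, adExecuteNoRecords = 128

' True only for a plain run of 1 to 9 digits (always fits in a Long).
Function IsDigits(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    IsDigits = re.Test(s)
End Function

Dim level, score, playername, objConn, objCmd
level = Trim(Request("level"))
score = Trim(Request("score"))
playername = Trim(Request("playername"))

' Reject bad input before touching the database.
' The 50-character limit is an assumption about the column size.
If Not IsDigits(level) Or Not IsDigits(score) _
   Or Len(playername) = 0 Or Len(playername) > 50 Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid input"
    Response.End
End If

Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open MM_fr_record_webtest_STRING

Set objCmd = Server.CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandType = adCmdText
' Brackets keep a column name from being parsed as a keyword if it collides
' with one in the database's SQL dialect (assumption: the engine accepts
' [ ] quoting, as Access/Jet and SQL Server do).
objCmd.CommandText = "INSERT INTO [highscores] ([level], [score], [playername]) VALUES (?, ?, ?)"
objCmd.Parameters.Append objCmd.CreateParameter("level", adInteger, adParamInput, , CLng(level))
objCmd.Parameters.Append objCmd.CreateParameter("score", adInteger, adParamInput, , CLng(score))
objCmd.Parameters.Append objCmd.CreateParameter("playername", adVarChar, adParamInput, 50, playername)
objCmd.Execute , , adExecuteNoRecords

objConn.Close
Set objCmd = Nothing
Set objConn = Nothing
%>
```

With bound parameters a name such as ainsworth'114 is stored as typed, because the value never becomes part of the SQL text.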


Posted By: ainsworth14
Date Posted: 11 November 2004 at 5:01pm

Hi

My original code was without all the 'replace' bits and was simply

"VALUES (" & level & "," & score & ",'" & playername & "')"

 

and still didn't work



Posted By: Mart
Date Posted: 11 November 2004 at 5:34pm
What values are you feeding into this page?


Posted By: ainsworth14
Date Posted: 11 November 2004 at 6:05pm

level and score are numeric:

level = 3

score = 3660

playername = john smith

level <input size=5 name=level>
score <input size=10 name=score>
player_name <input size=50 name=pname>
<input type=submit value=go>

As I say, changing the sql code so I am just inserting playername is fine, I can do that, it just fails when I try to insert a number



Posted By: michael
Date Posted: 11 November 2004 at 9:02pm
Do a response.write(sqlquery) instead of executing it and you should see what it's actually trying to do.

-------------
Blog: http://baumannphoto.com | MPG Tracker: http://mpgtracker.com


Posted By: ainsworth14
Date Posted: 12 November 2004 at 2:59am

Yup, done that before

I get this

INSERT INTO highscores ( level, score, playername ) VALUES (1,2,'mark')



Posted By: michael
Date Posted: 12 November 2004 at 9:26am
Well, the syntax is correct, so what are those three field types in the database?

-------------
Blog: http://baumannphoto.com | MPG Tracker: http://mpgtracker.com


Posted By: Gullanian
Date Posted: 12 November 2004 at 10:24am
What error are you getting?


Posted By: ainsworth14
Date Posted: 12 November 2004 at 1:06pm
syntax error in INSERT INTO statement


