why doesn't it insert in database?

gilgalbiblewhee · #1 (**permalink**) 06-15-06, 21:57

Code:

<html>

<body>

<form action="feedbacksent.asp" method="get" enctype="text/plain">

<h3>Your feedback is important.</h3> 
<h5>To send your comments put your:</h5><br>
Name:<br>
<input type="text" name="name" size="18" value="Put your name" class="form-input" onBlur="if(this.value==''){this.value='Put your name';}" onFocus="if(this.value=='Put your name'){this.value='';}">

<br>
Email:<br>
<input type="text" name="email" size="22" value="Put your email address" class="form-input" onBlur="if(this.value==''){this.value='Put your email address';}" onFocus="if(this.value=='Put your email address'){this.value='';}">

<br>
Subject:<br>
<input type="text" name="subject" size="40" value="Put your subject" class="form-input" onBlur="if(this.value==''){this.value='Put your subject';}" onFocus="if(this.value=='Put your subject'){this.value='';}">

<br>
<textarea rows="10" name="comment" cols="60" value="Put your comments" class="form-input" onBlur="if(this.value==''){this.value='Put your comments';}" onFocus="if(this.value=='Put your comments'){this.value='';}"></textarea>
<br><br>
<input type="submit" value="Send">
<input type="reset" value="Reset">

</form>
</body>
</html>

Code:

<html>
<body>

<%
'Dim connStr
'connStr = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("Kjv.mdb")
set conn=Server.CreateObject("ADODB.Connection")
conn.Provider="Microsoft.Jet.OLEDB.4.0"
conn.Open "kjv.mdb"

sql="INSERT INTO feedback (ID,name,"
sql=sql & "subject,email,comment)"
sql=sql & " VALUES "
sql=sql & "('" & Request.Form("ID") & "',"
sql=sql & "'" & Request.Form("name") & "',"
sql=sql & "'" & Request.Form("email") & "',"
sql=sql & "'" & Request.Form("subject") & "',"
sql=sql & "'" & Request.Form("comment") & "')"

on error resume next
conn.Execute sql,recaffected
if err<>0 then
  Response.Write("No update permissions!")
else 
  Response.Write("<h3>" & recaffected & " record added</h3>")
end if
conn.close
%>

</body>
</html>

csamuels · #2 (**permalink**) 06-16-06, 10:56

in your form tag change method to post.

Code:

<form action="feedbacksent.asp" method="post" enctype="text/plain">

MrWizard · #3 (**permalink**) 06-17-06, 03:47

Also... your SQL statement includes ID, but you're not passing an ID, and ID values are usually auto-assigned anyway, to prevent duplicates (provided the DB is set to do this). And... your SQL shows the fields in one order, and the contents of the fields being passed in a different order. Many potential issues.

If I were you, I would do a response.write "SQL: " & sql just after building up the SQL statement, just to see what you've got.

SEFL · #4 (**permalink**) 06-19-06, 01:21

The other thing you're going to need to keep in mind is SQL Injection. This is where idiots, losers, and people who really should have something better to do attempt to send SQL commands via your various form fields that will mess up your database.

Countering it is relatively easy, however.

Basically, for each of your form fields, put Replace (field, "'", "''") and you'll be fine.

plsh · #5 (**permalink**) 06-22-06, 06:11

Also if you are using a acess mdb you will have to specify the path much as you commented out the server.mappath

gmann001 · #6 (**permalink**) 06-22-06, 13:12

Quote:

Originally Posted by SEFL

The other thing you're going to need to keep in mind is SQL Injection. This is where idiots, losers, and people who really should have something better to do attempt to send SQL commands via your various form fields that will mess up your database.

Countering it is relatively easy, however.

Basically, for each of your form fields, put Replace (field, "'", "''") and you'll be fine.

Is there more someone can do (easily) to counter SQL Injection?

Internet Services

Web Development

Digital Marketing

Consumer Tech