delete and insert using variables

AndyJay · #1 (**permalink**) 09-01-11, 05:00

Hi all..
Can anyone see what the problem is with this delete and insert command?
I'm using classic ASP and MS SQL.

Code:

ClientIDStrg =Request.QueryString("ClientIDStrg")

Code:

delete from RelatedProducts where ProductID=" & ProductID & "AND ClientID=" & ClientIDStrg & "or RelatedProductID=" & ProductID & "AND ClientID=" & ClientIDStrg

Code:

insert into RelatedProducts (ProductID,RelatedProductID,ClientID) values (" & ProductID & "," & arr(i) & "," & ClientIDStrg & ")"

If i use 1 inplace of the ClientIDStrg variable, all works fine.
The productID varailbe uses the same method and that works fine.

The database uses int for both fields.

The error i get is:

Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'or'.

Thanks in advance
Andy (scratching head)

Teddy · #2 (**permalink**) 09-01-11, 15:51

Lookup prepared statements/commands, particularly in the context of sql injection. The approach you're taking is both cumbersome to write and extremely dangerous when exposed to a malicious user.

rokslide · #3 (**permalink**) 09-01-11, 19:53

Pretty sure your delete statment will get upset due to lack of spaces between your variables and your AND and OR clauses...

paultech · #4 (**permalink**) 09-28-11, 21:01

hello just do these modifications on your code ,and reply me:

1-At our Dot net code ,First check query string value to be insure not null

2-convert to int using ,int.parse(querystring.ToString())

[COLOR="rgb(160, 82, 45)"]Thanks[/COLOR]

paultech · #5 (**permalink**) 10-27-11, 09:34

Hello , I thought that you should use single quotation instead of double quotation
Try please and tell me your results.
thanks

Internet Services

Web Development

Digital Marketing

Consumer Tech