  1. #1
    Join Date: Jul 2004, Posts: 494

    Unanswered: why doesn't it insert in database?

    Code:
    <html>
    
    <body>
    
    <form action="feedbacksent.asp" method="get" enctype="text/plain">
    
    <h3>Your feedback is important.</h3> 
    <h5>To send your comments put your:</h5><br>
    Name:<br>
    <input type="text" name="name" size="18" value="Put your name" class="form-input" onBlur="if(this.value==''){this.value='Put your name';}" onFocus="if(this.value=='Put your name'){this.value='';}">
    
    <br>
    Email:<br>
    <input type="text" name="email" size="22" value="Put your email address" class="form-input" onBlur="if(this.value==''){this.value='Put your email address';}" onFocus="if(this.value=='Put your email address'){this.value='';}">
    
    <br>
    Subject:<br>
    <input type="text" name="subject" size="40" value="Put your subject" class="form-input" onBlur="if(this.value==''){this.value='Put your subject';}" onFocus="if(this.value=='Put your subject'){this.value='';}">
    
    <br>
    <textarea rows="10" name="comment" cols="60" value="Put your comments" class="form-input" onBlur="if(this.value==''){this.value='Put your comments';}" onFocus="if(this.value=='Put your comments'){this.value='';}"></textarea>
    <br><br>
    <input type="submit" value="Send">
    <input type="reset" value="Reset">
    
    </form>
    </body>
    </html>
    Code:
    <html>
    <body>
    
    <%
    'Dim connStr
    'connStr = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("Kjv.mdb")
    set conn=Server.CreateObject("ADODB.Connection")
    conn.Provider="Microsoft.Jet.OLEDB.4.0"
    conn.Open "kjv.mdb"
    
    sql="INSERT INTO feedback (ID,name,"
    sql=sql & "subject,email,comment)"
    sql=sql & " VALUES "
    sql=sql & "('" & Request.Form("ID") & "',"
    sql=sql & "'" & Request.Form("name") & "',"
    sql=sql & "'" & Request.Form("email") & "',"
    sql=sql & "'" & Request.Form("subject") & "',"
    sql=sql & "'" & Request.Form("comment") & "')"
    
    on error resume next
    conn.Execute sql,recaffected
    if err<>0 then
      Response.Write("No update permissions!")
    else 
      Response.Write("<h3>" & recaffected & " record added</h3>")
    end if
    conn.close
    %>
    
    </body>
    </html>
    Compare bible texts (and other tools):
    TheWheelofGod

  2. #2
    Join Date: Mar 2006, Location: south jersey, usa, Posts: 53
    In your form tag, change method to post.

    Code:
    <form action="feedbacksent.asp" method="post" enctype="text/plain">
    "They say Moses split the Red Sea
    I split the blunt and rolled the fat one, I'm deadly"
    -- Tupac 'Blasphemy'

  3. #3
    Join Date: Mar 2003, Location: Atlanta, GA, Posts: 191
    Also... your SQL statement includes ID, but you're not passing an ID, and ID values are usually auto-assigned anyway, to prevent duplicates (provided the DB is set to do this). And... your SQL shows the fields in one order, and the contents of the fields being passed in a different order. Many potential issues.

    If I were you, I would do a response.write "SQL: " & sql just after building up the SQL statement, just to see what you've got.
    Tim

  4. #4
    Join Date: Jun 2006, Posts: 6
    The other thing you're going to need to keep in mind is SQL Injection. This is where idiots, losers, and people who really should have something better to do attempt to send SQL commands via your various form fields that will mess up your database.

    Countering it is relatively easy, however.

    Basically, for each of your form fields, put Replace (field, "'", "''") and you'll be fine.

  5. #5
    Join Date: Nov 2004, Posts: 285, Provided Answers: 1
    Also, if you are using an Access .mdb you will have to specify the path, much as in the Server.MapPath line you commented out.

  6. #6
    Join Date: Jun 2006, Posts: 1
    Quote Originally Posted by SEFL
    The other thing you're going to need to keep in mind is SQL Injection. This is where idiots, losers, and people who really should have something better to do attempt to send SQL commands via your various form fields that will mess up your database.

    Countering it is relatively easy, however.

    Basically, for each of your form fields, put Replace (field, "'", "''") and you'll be fine.
    Is there more someone can do (easily) to counter SQL Injection?
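In reply to the question in #6, here is an added example (not code from anyone in this thread) of the stronger option: an ADODB.Command with bound parameters, so user input is passed to Jet separately from the SQL text instead of being escaped with Replace on each field, which only protects quoted string literals and does nothing for a numeric column such as ID. It assumes the thread's Kjv.mdb and feedback table, a form submitted with method="post" (so Request.Form is populated, as #2 advises), and column widths of 50/255/100 characters, which are assumptions.

```vbscript
<% Option Explicit %>
<%
' Added example: parameterised INSERT with ADODB.Command. ID is omitted so the
' AutoNumber column assigns it (the point raised in #3).
Const adCmdText      = 1
Const adParamInput   = 1
Const adVarWChar     = 202
Const adLongVarWChar = 203

Dim conn, cmd, recAffected
Set conn = Server.CreateObject("ADODB.Connection")
' Jet needs a full file path; Server.MapPath resolves it (as #5 notes).
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("Kjv.mdb")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' Jet uses positional "?" placeholders; parameters are bound below in the same
' order. [name] is bracketed because Name is a reserved word in Access SQL.
cmd.CommandText = "INSERT INTO feedback ([name], subject, email, comment) VALUES (?, ?, ?, ?)"

' Each value is bound with a declared type and maximum length. Because the
' driver sends values separately from the statement, a single quote in the
' input is stored as text rather than terminating the string literal, so no
' Replace() escaping is needed. Column widths (50/255/100) are assumptions.
cmd.Parameters.Append cmd.CreateParameter("name",    adVarWChar,     adParamInput, 50,    Left(Request.Form("name"), 50))
cmd.Parameters.Append cmd.CreateParameter("subject", adVarWChar,     adParamInput, 255,   Left(Request.Form("subject"), 255))
cmd.Parameters.Append cmd.CreateParameter("email",   adVarWChar,     adParamInput, 100,   Left(Request.Form("email"), 100))
cmd.Parameters.Append cmd.CreateParameter("comment", adLongVarWChar, adParamInput, 65535, Request.Form("comment"))

On Error Resume Next
cmd.Execute recAffected
If Err.Number <> 0 Then
  ' Keep Err.Description out of the page: it exposes table and column names.
  Response.Write("Sorry, your feedback could not be saved.")
Else
  Response.Write("<h3>" & recAffected & " record added</h3>")
End If
On Error GoTo 0
conn.Close
Set cmd = Nothing
Set conn = Nothing
%>
```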
