  1. #1
    Join Date
    Feb 2008
    Posts
    120

    Unanswered: delete and insert using variables

    Hi all..
    Can anyone see what the problem is with this delete and insert command?
    I'm using classic ASP and MS SQL.

    Code:
    ClientIDStrg =Request.QueryString("ClientIDStrg")
    Code:
    delete from RelatedProducts where ProductID=" & ProductID & "AND ClientID=" & ClientIDStrg & "or RelatedProductID=" & ProductID & "AND ClientID=" & ClientIDStrg
    Code:
    insert into RelatedProducts (ProductID,RelatedProductID,ClientID) values (" & ProductID & "," & arr(i) & "," & ClientIDStrg & ")"
    If I use 1 in place of the ClientIDStrg variable, all works fine.
    The ProductID variable uses the same method and that works fine.

    The database uses int for both fields.

    The error I get is:

    Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
    [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'or'.

    Thanks in advance
    Andy (scratching head)

  2. #2
    Join Date
    Mar 2003
    Location
    The Bottom of The Barrel
    Posts
    6,102
    Provided Answers: 1
    Look up prepared statements/commands, particularly in the context of SQL injection. The approach you're taking is both cumbersome to write and extremely dangerous when exposed to a malicious user.
    oh yeah... documentation... I have heard of that.

    *** What Do You Want In The MS Access Forum? ***
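
The parameterized approach recommended in reply #2, applied to the delete and insert from the question. This is an added example, not code from the thread: it assumes an already-open ADODB.Connection named `conn` (hypothetical) and that `ProductID` and `arr` are set as on the original page; the helper names `ToIntOrFail` and `ExecInts` are made up for illustration.

```vbscript
<%
' Added example, not the original poster's code. Assumes an open
' ADODB.Connection named conn (hypothetical) and the thread's ProductID,
' ClientIDStrg and arr values.
Const adCmdText = 1, adInteger = 3, adParamInput = 1, adExecuteNoRecords = 128

' Accept only 1-9 decimal digits, then convert; anything else gets a 400.
Function ToIntOrFail(raw, label)
    Dim re : Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If Not re.Test(Trim(raw & "")) Then
        Response.Status = "400 Bad Request"
        Response.Write "Invalid " & label
        Response.End
    End If
    ToIntOrFail = CLng(Trim(raw & ""))
End Function

' Run a statement whose only inputs are integers bound to "?" markers.
Sub ExecInts(conn, sql, values)
    Dim cmd, n
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sql
    For n = 0 To UBound(values)
        cmd.Parameters.Append cmd.CreateParameter("p" & n, adInteger, adParamInput, , values(n))
    Next
    cmd.Execute , , adExecuteNoRecords
End Sub

Dim clientId, productId, relatedId, i
clientId  = ToIntOrFail(Request.QueryString("ClientIDStrg"), "ClientIDStrg")
productId = ToIntOrFail(ProductID, "ProductID")

' The SQL text is constant, so spacing and AND/OR grouping are fixed here
' and request data can never become part of the statement.
ExecInts conn, _
    "DELETE FROM RelatedProducts " & _
    "WHERE (ProductID = ? AND ClientID = ?) OR (RelatedProductID = ? AND ClientID = ?)", _
    Array(productId, clientId, productId, clientId)

For i = 0 To UBound(arr)
    relatedId = ToIntOrFail(arr(i), "related product id")
    ExecInts conn, _
        "INSERT INTO RelatedProducts (ProductID, RelatedProductID, ClientID) VALUES (?, ?, ?)", _
        Array(productId, relatedId, clientId)
Next
%>
```

The parentheses in the WHERE clause only make explicit the grouping SQL already applies (AND binds tighter than OR), so the delete matches the same rows the original statement was meant to.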

  3. #3
    Join Date
    Nov 2003
    Location
    Christchurch, New Zealand
    Posts
    1,618
    Pretty sure your delete statement will get upset due to lack of spaces between your variables and your AND and OR clauses...

  4. #4
    Join Date
    Sep 2011
    Posts
    71

    Your Problem Solution, as I thought

    Hello, just make these modifications to your code and reply to me:


    1 - In our .NET code, first check the query string value to ensure it is not null

    2 - Convert to int using int.parse(querystring.ToString())

    Thanks
    Last edited by paultech; 09-28-11 at 22:02. Reason: update

  5. #5
    Join Date
    Sep 2011
    Posts
    71
    Hello, I thought that you should use single quotation marks instead of double quotation marks.
    Please try it and tell me your results.
    Thanks
