1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Like

Discussion in 'C#' started by Vegaanders, Apr 14, 2008.

  1. #1
    Hi guys!

    I send this link to open a new page
    <a href="http://www.kraft-fahrer.de/fahrerlist.asp?S_plz=6
    SEMrush
    I pick it up in a Sql string like this
    "SELECT * FROM catman_fahrerkraft.fahrers Where Active = '1' AND PLZ LIKE " & Request("S_plz")

    Now I need to add a % in the end to get all PLZ that start with a 6 in this case. How do I do that

    Regards from a first time poster

    Anders Svensson
     
    Vegaanders, Apr 14, 2008 IP
    SEMrush
  2. MarkusJ_NZ

    MarkusJ_NZ Well-Known Member

    Messages:
    240
    Likes Received:
    4
    Best Answers:
    0
    Trophy Points:
    108
    #2
    Hi, try this (I'm assuming that the field PLZ is of type char/ varchar)

    "SELECT * FROM catman_fahrerkraft.fahrers Where Active = '1' AND PLZ LIKE '" & Request("S_plz") & "%'"

    Cheers
    Markus
     
    MarkusJ_NZ, Apr 14, 2008 IP
  3. nubsii

    nubsii Peon

    Messages:
    36
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #3
    if you want just items starting with the character "6" do:
    
    select from yourtable where yourcolumn like '6%'
    
    Code (markup):
     
    nubsii, Apr 14, 2008 IP
  4. dylanj

    dylanj Peon

    Messages:
    173
    Likes Received:
    3
    Best Answers:
    1
    Trophy Points:
    0
    #4
    
    "SELECT * FROM catman_fahrerkraft.fahrers Where Active = '1' AND PLZ LIKE " & Request("S_plz")
    
    Code (markup):
    Depending on whether it's an administrative part of the website or not, you need to take great care in filtering inputs so that your website can't be compromised. Putting a Request straight into an SQL statement like that is not very secure. Try this:
    
    FilteredPLZ = Replace(Request("S_plz"), "'", "")
    FilteredPLZ = Replace(FilteredPLZ, ",", "")
    FilteredPLZ = Replace(FilteredPLZ, "/", "")
    '--------
    "SELECT * FROM catman_fahrerkraft.fahrers WHERE [Active] = '1' AND PLZ LIKE " & FilteredPLZ & "%"
    
    Code (markup):
    See how i've placed [] around "Active". This is because "Active" sounds like a reserved word, which can cause other problems at runtime.

    Also, normally, you would apply a lot more filters to "FilteredPLZ", but of course, you can choose which characters to filter out.
     
    dylanj, May 4, 2008 IP
  5. mintoj

    mintoj Peon

    Messages:
    317
    Likes Received:
    6
    Best Answers:
    0
    Trophy Points:
    0
    #5
    You should always use command parameters in your queries, this ensures protection against sql injection attacks, where somone may add sql statements to the querystring parameter and compromise your database security.

    J
     
    mintoj, May 6, 2008 IP