1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

what is the problem?

Discussion in 'C#' started by eric5, Aug 6, 2006.

  1. #1
    may i know what is my problem, why i alway cant success add record??

    <html>
    <body>
    <%
    Dim adoCon
    Dim rsAddComments 
    Dim strSQL 
    
    Set adoCon = Server.CreateObject("ADODB.Connection") 
    adoCon.Open "DRIVER={MySQL ODBC 3.51 Driver};SERVER=localhost; DATABASE=mydatabase; UID=root;PASSWORD=1234; OPTION=3"
    Set rsAddComments = Server.CreateObject("ADODB.Recordset")
    
    strSQL="INSERT INTO mytable (domain_name, expiry_date, company_name, administrator, hosting_amt, dns_amt, hosting_desc, dns_desc, invoice_date, remarks, status, timestamp_update, timestamp_create)" 
    strSQL=strSQL & " VALUES "
    strSQL=strSQL & "('" & Request.Form("domain_name") & "',"
    strSQL=strSQL & "'" & Request.Form("expiry_date") & "',"
    strSQL=strSQL & "'" & Request.Form("company_name") & "',"
    strSQL=strSQL & "'" & Request.Form("administrator") & "',"
    strSQL=strSQL & "'" & Request.Form("hosting_amt") & "',"
    strSQL=strSQL & "'" & Request.Form("dns_amt") & "')"
    strSQL=strSQL & "'" & Request.Form("hosting_desc") & "',"
    strSQL=strSQL & "'" & Request.Form("dns_desc") & "',"
    strSQL=strSQL & "'" & Request.Form("invoice_date") & "',"
    strSQL=strSQL & "'" & Request.Form("remarks") & "')"
    strSQL=strSQL & "'" & Request.Form("status") & "',"
    strSQL=strSQL & "'" & Request.Form("timestamp_update") & "',"
    strSQL=strSQL & "'" & Request.Form("timestamp_create") & "')"
    
    on error resume next
    adocon.Execute strSQL, recaffeted
    
    if err<>0 then
      Response.Write("Record Add Fail!")
    else 
      Response.Write("<h3>" & recaffected & " record added</h3>")
    end if
    
    adocon.Close
    Set adocon = Nothing
    strSQL.Close
    Set strSQL = Nothing
    
    %>
    
    </body>
    </html>
    
    Code (markup):

    SEMrush
     
    eric5, Aug 6, 2006 IP
    SEMrush
  2. Free Born John

    Free Born John Guest

    Messages:
    111
    Likes Received:
    4
    Best Answers:
    0
    Trophy Points:
    0
    #2
    I think your error handling is probably supressing the error message - might be worthwhile temporarily removing it.

    Try writing the sql string to the screen and then manually execute that query against your database. That should show what's wrong with it.

    regards

    FBJ
     
    Free Born John, Aug 7, 2006 IP
  3. vectorgraphx

    vectorgraphx Guest

    Messages:
    545
    Likes Received:
    16
    Best Answers:
    0
    Trophy Points:
    0
    #3
    good advice john. eric try his suggestions and let us know what you see.

    Also, eric, it's extremely bad practice to pass form data directly to the database, fyi. this is an open door for hackers to gain access to your files through something called "sql injection". see http://forums.digitalpoint.com/showthread.php?t=101943 for a primer - it's got various methods of cleansing data, so pick your poison, but do cleanse your variables one way or another before they are passed to your sql query.

    read this article for more info on how sql injection is achieved and what you can do to prevent it.

    http://www.securiteam.com/securityreviews/5DP0N1P76E.html
     
    vectorgraphx, Aug 7, 2006 IP
  4. whiteshark

    whiteshark Peon

    Messages:
    58
    Likes Received:
    2
    Best Answers:
    0
    Trophy Points:
    0
    #4
    Avoiding a SQL Injection is simple.

    You write a function that filters out (replaces) the following words from your SQL String:

    truncate
    delete from
    alter table
    ;
    exec

    There are other dangerous commands and you'll have to include them all here.

    The basic idea is that you'll call the function against your SQL string just before it's to be executed.
     
    whiteshark, Aug 7, 2006 IP