
Using the like command in SQL

I have a form that uses the POST method to call up test.asp and it
passes what is typed into the text box. Since it uses the Like command
the user can enter stuff like %Constant% to get something that is like
what the user typed in. When I call up the test.asp page it is grabbing
the text fine but isn't running the SQL command the correct way. The
SQL command ends up being

SELECT * FROM [Everyone] WHERE (Name LIKE ':: & strName & ::')

Here is my code
strName = Request.Form("Search")
Set Conn = Server.CreateObject("ADODB.Connection")
Set Rs = Server.CreateObject("ADODB.RecordSet")
Conn.Open "PhoneList"
sSQL = "SELECT * FROM [Everyone] WHERE (Name LIKE ':: & strName & ::')"
Set Rs = Conn.Execute(sSQL)

Nov 3 '05 #1
MasterChief wrote:
I have a form that uses the POST method to call up test.asp and it
passes what is typed into the text box. Since it uses the Like command
the user can enter stuff like %Constant% to get something that is like
what the user typed in. When I call up the test.asp page it is
grabbing the text fine but isn't running the SQL command the correct
way. The SQL command ends up being

What database are you using?

SELECT * FROM [Everyone] WHERE (Name LIKE ':: & strName & ::')

Is it Access?
http://www.aspfaq.com/show.asp?id=2096

Here is my code
strName = Request.Form("Search")
Set Conn = Server.CreateObject("ADODB.Connection")
Set Rs = Server.CreateObject("ADODB.RecordSet")
Conn.Open "PhoneList"
sSQL = "SELECT * FROM [Everyone] WHERE (Name LIKE ':: & strName & ::')"


What is the reason for the double-colons? They should not be there. Also,
you need to concatenate the _value_ of the variable into your string, not
the name of the variable.

sSQL = "SELECT * FROM [Everyone] WHERE Name LIKE '" & _
strName & "'"

You should know that you are leaving your site and database vulnerable to
hackers using sql injection:
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/adva..._injection.pdf

You should not be using dynamic sql, and you should not be allowing users to
control your sql statement by what they type in your form. You should
provide a checkbox on your form to allow users to specify whether or not a
wildcard search is to be performed. Then, depending on the value of the
checkbox, use the appropriate sql statement:

if wildcard_on then
sSQL = "SELECT * FROM [Everyone] WHERE Name LIKE '%" & _
strName & "%'"
else
sSQL = "SELECT * FROM [Everyone] WHERE Name ='" & _
strName & "'"
end if

Here are some links about using parameters:
http://groups.google.com/groups?hl=e...tngp13.phx.gbl

http://groups.google.com/groups?hl=e...TNGP11.phx.gbl

http://www.google.com/groups?selm=eE...&output=gplain

http://www.google.com/groups?hl=en&l...TNGP12.phx.gbl

Using Command object:
http://groups-beta.google.com/group/...e36562fee7804e

SQL Server
http://tinyurl.com/jyy0

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Nov 3 '05 #2
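The parameterised version of the search that the links above describe, written out as an added example (it is not code from the thread): the typed text travels as an ADODB.Command parameter instead of being spliced into the SQL string, and the wildcard decision is made server-side from a checkbox. It assumes the same "PhoneList" DSN and [Everyone] table as the original post and a form checkbox named "Wildcard".

```vbscript
' Added example, not the original poster's code. Assumes the form posts
' "Search" (text box) and "Wildcard" (checkbox, present only when ticked).
Option Explicit
Const adCmdText = 1        ' CommandType: plain SQL text
Const adVarChar = 200      ' DataType: variable-length string
Const adParamInput = 1     ' Direction: input parameter

Dim strName, wildcard_on, Conn, Cmd, Rs, sSQL, sValue

strName = Request.Form("Search")
wildcard_on = (Request.Form("Wildcard") <> "")

Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open "PhoneList"

Set Cmd = Server.CreateObject("ADODB.Command")
Set Cmd.ActiveConnection = Conn
Cmd.CommandType = adCmdText

' The SQL text never contains user input; "?" marks where the value goes.
' ADO/OLE DB uses % as the LIKE wildcard even against Access (the Access
' query editor itself uses *).
If wildcard_on Then
    sSQL = "SELECT * FROM [Everyone] WHERE Name LIKE ?"
    sValue = "%" & strName & "%"   ' the server adds the wildcards, not the user
Else
    sSQL = "SELECT * FROM [Everyone] WHERE Name = ?"
    sValue = strName
End If
Cmd.CommandText = sSQL
Cmd.Parameters.Append Cmd.CreateParameter("Name", adVarChar, adParamInput, 255, sValue)

Set Rs = Cmd.Execute

Do Until Rs.EOF
    ' Encode on output so a stored name cannot inject markup into the page.
    Response.Write Server.HTMLEncode(Rs("Name")) & "<br>"
    Rs.MoveNext
Loop

Rs.Close
Conn.Close
```

Because the value is bound as a parameter, a quote character in the search box can no longer terminate the string literal and alter the statement. In wildcard mode a user can still type % or _ inside the pattern, but that only changes which rows match, not what the query does.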
Bob Barrows [MVP] wrote:
You should know that you are leaving your site and database
vulnerable to hackers using sql injection:


That depends on 1) your definition of "vulnerable", and more importantly, 2)
the permissions afforded the connection credentials.

Not that I disagree with you. He is almost certainly wide open for SQL
injection.

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
Nov 3 '05 #3
This is an Access Database. I am not too worried about SQL injections.
This is actually an intranet site for a lumber company. I know almost
every employee here and they have a hard enough time with the basic
stuff. But yes, I do understand your point about using this in a real
world scenario. I will try your suggestion in a while. I put the ::
because originally the search page was one page and I used a tutorial
online that worked and they had me use the :: so I thought it was
something that had to be used.

Nov 4 '05 #4
