MasterChief wrote:
> I have a form that uses the POST method to call up test.asp and it
> passes what is typed into the text box. Since it uses the Like command
> the user can enter stuff like %Constant% to get something that is like
> what the user typed in. When I call up the test.asp page it is
> grabbing the text fine but isn't running the SQL command the correct
> way. The SQL command ends up being
> SELECT * FROM [Everyone] WHERE (Name LIKE ':: & strName & ::')

What database are you using? Is it Access?
http://www.aspfaq.com/show.asp?id=2096

> Here is my code
> strName = Request.Form("Search")
> Set Conn = Server.CreateObject("ADODB.Connection")
> Set Rs = Server.CreateObject("ADODB.RecordSet")
> Conn.Open "PhoneList"
> sSQL = "SELECT * FROM [Everyone] WHERE (Name LIKE ':: & strName & ::')"
What is the reason for the double-colons? They should not be there. Also,
you need to concatenate the _value_ of the variable into your string, not
the name of the variable.
sSQL = "SELECT * FROM [Everyone] WHERE Name LIKE '" & _
strName & "'"
You should know that you are leaving your site and database vulnerable to
hackers using sql injection:
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/adva..._injection.pdf
You should not be using dynamic sql, and you should not be allowing users to
control your sql statement by what they type in your form. You should
provide a checkbox on your form to allow users to specify whether or not a
wildcard search is to be performed. Then, depending on the value of the
checkbox, use the appropriate sql statement:
if wildcard_on then
sSQL = "SELECT * FROM [Everyone] WHERE Name LIKE '%" & _
strName & "%'"
else
sSQL = "SELECT * FROM [Everyone] WHERE Name ='" & _
strName & "'"
end if
Here are some links about using parameters:
http://groups.google.com/groups?hl=e...tngp13.phx.gbl
http://groups.google.com/groups?hl=e...TNGP11.phx.gbl
http://www.google.com/groups?selm=eE...&output=gplain
http://www.google.com/groups?hl=en&l...TNGP12.phx.gbl
Using Command object:
http://groups-beta.google.com/group/...e36562fee7804e
SQL Server
http://tinyurl.com/jyy0
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
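An added example, not code from the original thread or from the poster, showing the parameterized approach the links above describe: an ADODB.Command with a ? placeholder, so the typed text is passed to the provider as a value and can never become part of the SQL statement. It assumes the same "PhoneList" DSN and [Everyone] table from the question, and a checkbox on the form named "Wildcard" (an assumed field name).

```vbscript
' Added example (not the original poster's code): parameterized search for test.asp.
' Assumes the "PhoneList" DSN and [Everyone] table from the question and a form
' checkbox named "Wildcard" (assumed field name).
Option Explicit

' ADO constants declared here so the page does not depend on adovbs.inc
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Dim strName, wildcard_on, sValue, Conn, Cmd, Rs

strName = Request.Form("Search")
wildcard_on = (Request.Form("Wildcard") <> "")

Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open "PhoneList"

Set Cmd = Server.CreateObject("ADODB.Command")
Set Cmd.ActiveConnection = Conn
Cmd.CommandType = adCmdText

' The checkbox, not the typed text, decides whether a wildcard search runs.
' In both branches the SQL text is fixed; only the parameter value changes.
If wildcard_on Then
    Cmd.CommandText = "SELECT * FROM [Everyone] WHERE Name LIKE ?"
    sValue = "%" & strName & "%"
Else
    Cmd.CommandText = "SELECT * FROM [Everyone] WHERE Name = ?"
    sValue = strName
End If

' The ? placeholder is bound to a typed input parameter (255 chars is an assumed width).
' A quote or % typed by the user is just data here; it cannot alter the statement.
Cmd.Parameters.Append Cmd.CreateParameter("Name", adVarChar, adParamInput, 255, sValue)

Set Rs = Cmd.Execute

Do While Not Rs.EOF
    ' Encode on output so stored values cannot inject HTML into the page either
    Response.Write Server.HTMLEncode(Rs("Name")) & "<br>"
    Rs.MoveNext
Loop

Rs.Close
Set Rs = Nothing
Set Cmd = Nothing
Conn.Close
Set Conn = Nothing
```

Because the wildcards are appended in code, a user who types %Constant% with the checkbox off gets an exact match on that literal text, which is the behaviour the reply recommends; with the checkbox on, any % or _ inside the typed text still acts as a pattern character within the LIKE value, which is a search-result matter rather than a way to change the statement.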