#1
April 6th, 2008, 11:46 AM
Authorized User
 
Insert Error

I have a client who's getting an error that I cannot duplicate.

Error Message:
Code:
Microsoft OLE DB Provider for SQL Server error '80040e14' 

Line 1: Incorrect syntax near 's'. 

/Private/couponcodesadd2.asp, line 19

couponcodesadd2.asp:


Code:
<%
varpromoamount = 0.00
promocode = Request.Form("promocode")
promodesc = Request.Form("promodesc")
promotype = Request.Form("promotype")
varpromoamount = varpromoamount + Request.Form("promoamount")
promoexpiration = Request.Form("promoexpiration")

adCmdText = 1

strInsert = "insert_PromoCodes_1 '" & promocode & "', '" & promodesc & "', '" & promotype & "', '" & CSng(varpromoamount) & "', '" & promoexpiration & "';"
'response.write promotype &" | " &promoamount    
set objCmd = Server.CreateObject("ADODB.Command")
set objCmd.ActiveConnection = objConn
objCmd.CommandText = strInsert
objCmd.CommandType = adCmdText
objCmd.Execute 'Line 19

Set objCmd = Nothing
%>
insert_PromoCodes_1:
Code:
ALTER PROCEDURE [dinners_sqladmin].[insert_PromoCodes_1]
    (@promocode_1     [varchar](20),
     @promodesc_2     [varchar](512),
     @promotype_3     [varchar](50),
     @promoamount_4     [decimal](18,2),
     @promoexpiration_5     [smalldatetime])

AS INSERT INTO [dinners_dbtd].[dinners_sqladmin].[PromoCodes] 
     ([promocode],
     [promodesc],
     [promotype],
     [promoamount],
     [promoexpiration]) 
 
VALUES 
    (@promocode_1,
     @promodesc_2,
     @promotype_3,
     @promoamount_4,
     @promoexpiration_5)
I've tried executing the insert from the web pages and directly through SQL Mgt Studio and cannot duplicate the error.

Any help is appreciated.

#2
April 6th, 2008, 12:43 PM
Wrox Author

Your client is probably inserting something that contains an ' like O'Brien.

Since a ' has special meaning in SQL, this breaks things. The fix is easy: just replace a single ' for two before you send the data to the database. E.g.:

promocode = Replace(promocode, ".", "''")

Note that this is only a short-term fix. Google for "SQL Injection" to learn why this is not only a client's nuisance, but also a threat to your application and server. Instead, you should look at solid escaping techniques / validation routines and parameterized queries. You need to use the Parameters collection of the Command object to add new parameters and provide their values.

Imar

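The parameterized version of couponcodesadd2.asp that the reply above recommends, written as an added example (not the original poster's or Imar's code). It assumes objConn is an open ADODB.Connection from an include file and uses the insert_PromoCodes_1 signature shown in post #1.

```vbscript
<%
' ADO constants (normally supplied by adovbs.inc or a TYPELIB directive)
Const adCmdStoredProc = 4
Const adParamInput    = 1
Const adVarChar       = 200
Const adNumeric       = 131
Const adDBTimeStamp   = 135

Dim objCmd, prmAmount, varpromoamount, promoexpiration

' Validate the two typed fields before touching the database.
If Not IsNumeric(Request.Form("promoamount")) Then
    Response.Write "Promo amount must be a number."
    Response.End
End If
varpromoamount = CDbl(Request.Form("promoamount"))

If Not IsDate(Request.Form("promoexpiration")) Then
    Response.Write "Expiration must be a valid date."
    Response.End
End If
promoexpiration = CDate(Request.Form("promoexpiration"))

Set objCmd = Server.CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandText = "insert_PromoCodes_1"   ' procedure name only, no values in the text
objCmd.CommandType = adCmdStoredProc

' Parameters are appended in the procedure's declared order; sizes match its
' varchar lengths. Values travel separately from the SQL, so an embedded '
' (O'Brien) is stored as data and cannot change the statement.
objCmd.Parameters.Append objCmd.CreateParameter("@promocode_1", adVarChar, adParamInput, 20, Request.Form("promocode"))
objCmd.Parameters.Append objCmd.CreateParameter("@promodesc_2", adVarChar, adParamInput, 512, Request.Form("promodesc"))
objCmd.Parameters.Append objCmd.CreateParameter("@promotype_3", adVarChar, adParamInput, 50, Request.Form("promotype"))

' decimal(18,2) needs Precision and NumericScale set explicitly
Set prmAmount = objCmd.CreateParameter("@promoamount_4", adNumeric, adParamInput, , varpromoamount)
prmAmount.Precision = 18
prmAmount.NumericScale = 2
objCmd.Parameters.Append prmAmount

objCmd.Parameters.Append objCmd.CreateParameter("@promoexpiration_5", adDBTimeStamp, adParamInput, , promoexpiration)

objCmd.Execute

Set objCmd = Nothing
%>
```

With this form there is no Replace() call to forget on the next page, and the varchar sizes also stop a too-long value from reaching the server as a truncation error.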
#3
April 7th, 2008, 07:45 AM
Authorized User

That was it! Thanks for the help and the SQL Injection info.
