First of all, to fix your SQL Injection problems with your original code, you could just do this:
Code:
<%
...
custid = parseInt(custid, 10); // ensure it really *IS* an integer (radix 10 avoids octal surprises in JScript)
if ( isNaN(custid) )
{
    Response.Redirect( "badCustomerId.html" ); // or wherever
    Response.End( );
}
// custid is now a number, so it cannot carry quotes or extra SQL text
sql = "SELECT * FROM customers WHERE CustomerID=" + custid;
...
%>
***********************
But to do it the other way:
Code:
<%
...
var sql = "UPDATE customers SET FirstName=@fname, LastName=@lname WHERE CustomerId=@custid";
var sqlcmd = Server.CreateObject("ADODB.Command");
sqlcmd.ActiveConnection = connection; // an open ADODB.Connection; Execute() needs one
sqlcmd.CommandText = sql;
sqlcmd.CommandType = 1; // adCmdText
// CreateParameter(name, type, direction, size, value)
// 200 = adVarChar, 3 = adInteger, 1 = adParamInput
sqlcmd.Parameters.Append(sqlcmd.CreateParameter("@fname", 200, 1, 100, firstName));
sqlcmd.Parameters.Append(sqlcmd.CreateParameter("@lname", 200, 1, 100, lastName));
sqlcmd.Parameters.Append(sqlcmd.CreateParameter("@custid", 3, 1, 4, custID)); // size 4 bytes; JScript cannot skip an argument
sqlcmd.Execute();
...
%>
That's if you are using SQL Server. If you are using Access, I *believe* you would need to use
var sql = "UPDATE customers SET FirstName=?, LastName=? WHERE CustomerId=?"
***************************
FINALLY...
You *COULD* do it the simplest way of all, you know:
Code:
<%
...
// Escape string values by doubling single quotes; force the id to a number
// (a non-numeric custID becomes NaN here, which makes the statement fail rather than inject)
var sql = "UPDATE customers SET "
    + " FirstName='" + firstName.replace(/'/g, "''") + "',"
    + " LastName='" + lastName.replace(/'/g, "''") + "' "
    + " WHERE CustomerId=" + parseInt(custID, 10);
connection.Execute( sql );
...
%>
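As an added example (not part of the original post), the id check from the first block and the quote-doubling from the third block as plain JavaScript functions that run outside ASP, with a stricter id check than parseInt alone: parseInt("12abc", 10) returns 12, so the post's check would accept trailing garbage. Assumed: SQL Server style single-quoted literals and an integer CustomerId of at most 9 digits.

```javascript
// Added example: validation and escaping helpers for building SQL text the
// way the post's first and third blocks do. Not the post's own code.
// Assumption: string literals use single quotes (doubled to escape) and
// CustomerId is a positive integer of at most 9 digits.

// Strict integer id check. Unlike parseInt alone, this rejects "12abc" or
// "7 extra", and returns null (not NaN) so callers can redirect cleanly.
function parseCustomerId(raw) {
  var s = String(raw).trim();
  if (!/^\d{1,9}$/.test(s)) {
    return null; // not a pure integer -> caller should redirect
  }
  return parseInt(s, 10);
}

// Escape a value for use inside a single-quoted SQL literal by doubling
// every single quote, as in the post's third block.
function escapeSqlString(value) {
  return String(value).replace(/'/g, "''");
}

// Build the UPDATE from the post's third block, refusing to build anything
// when the id fails validation (so no "CustomerId=NaN" ever reaches the DB).
function buildUpdateSql(firstName, lastName, custId) {
  var id = parseCustomerId(custId);
  if (id === null) {
    return null;
  }
  return "UPDATE customers SET "
    + "FirstName='" + escapeSqlString(firstName) + "', "
    + "LastName='" + escapeSqlString(lastName) + "' "
    + "WHERE CustomerId=" + id;
}
```

The parameterized ADODB.Command in the second block remains the better choice; these helpers only make the checks of the string-building variant explicit and testable.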