I'm trying to update a database from an FCKEditor form. But something's wrong with the UPDATE statement in the following code. I get this error message: Syntax error in string in query expression 'Sida = ''.
This is the code:
<%
If Request.QueryString("submit") = "true" Then
    Dim Koden
    For Each sForm In Request.Form
        Koden = Replace(Server.HTMLEncode(Request.Form(sForm)), Chr(13), "<br>")
    Next
    SQL = "UPDATE Sidor SET Kod = '" & Koden & "' WHERE Sida = " & Kontakt & "'"
    objCon.Execute SQL, , 128
    objCon.Close
    Set objCon = Nothing
End If
%>
RE: Problem updating database
However, your SQL problem is probably to do with single quotes. You need to escape them.
Koden = Replace(Koden, "'", "''")
Cheers
Jammin
RE: Problem updating database
About SQL Injection. How else can I update the database?
The user must be logged in (Session("admin") = "TRUE") from another page to access the edit page. I tried entering ' OR 1 = 1 as the password in that login form, but failed to log in.
RE: Problem updating database
That would protect you against anonymous users, as long as you can trust your authenticated users.
The only truly safe way is to write a stored procedure to do your update. These are pre-compiled, so the data in the parameters passed to them cannot become a part of the executing query.
However it's a risk analysis you have to do yourself ... Stored procedures can be a bit of a pain, and I've done it both ways and personally never had a problem. Just thought I'd point out the possibilities.
Cheers
Jammin
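Jammin's two suggestions above (double up the quotes, or keep the data out of the query text entirely with a stored procedure) have a middle ground in classic ASP: an ADODB.Command with bound parameters, which works against Access/Jet as well as SQL Server and needs no stored procedure. The block below is an added example, not code from the original poster or from Jammin. It keeps the thread's table and column names (Sidor, Kod, Sida) and assumes objCon is an already-open ADODB.Connection; the form field name "Kod", the query-string key "sida" and the function name UpdatePageBody are constructed for the example.

```vbscript
<%
' Added example (not the original poster's code): run the same UPDATE with
' bound parameters so the form value is sent as data, never as SQL text.
' Table and column names come from the thread; the rest is assumed.

' ADO constants (numeric values as defined in adovbs.inc)
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202
Const adLongVarWChar = 203
Const adExecuteNoRecords = 128

Function UpdatePageBody(objCon, Sida, Koden)
    ' Returns the number of rows affected. Quotes, semicolons or an
    ' "OR 1 = 1" inside Koden or Sida cannot change the statement, because
    ' the provider receives them as parameter values, not as query text.
    Dim cmd, rowsAffected, bodySize
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = objCon
    cmd.CommandType = adCmdText
    ' Jet/Access and SQL Server OLE DB providers accept positional ? placeholders
    cmd.CommandText = "UPDATE Sidor SET Kod = ? WHERE Sida = ?"

    bodySize = Len(Koden)
    If bodySize = 0 Then bodySize = 1   ' ADO rejects a size of 0 for variable-length types

    cmd.Parameters.Append cmd.CreateParameter("Kod", adLongVarWChar, adParamInput, bodySize, Koden)
    cmd.Parameters.Append cmd.CreateParameter("Sida", adVarWChar, adParamInput, 255, Sida)

    cmd.Execute rowsAffected, , adExecuteNoRecords
    Set cmd = Nothing
    UpdatePageBody = rowsAffected
End Function

' Keep the admin check from the thread, and only act on an explicit submit
If Session("admin") = "TRUE" And Request.QueryString("submit") = "true" Then
    Dim Koden, Kontakt
    ' Read the one field to be stored instead of looping over every field,
    ' which in the original code left Koden holding only the last one
    Koden = Replace(Server.HTMLEncode(Request.Form("Kod")), Chr(13), "<br>")
    Kontakt = Request.QueryString("sida")   ' assumed source of the page identifier

    If UpdatePageBody(objCon, Kontakt, Koden) = 0 Then
        ' A zero row count usually means the WHERE value did not match,
        ' which is the symptom behind an empty Sida in the original error
        Response.Write "No row matched Sida = " & Server.HTMLEncode(Kontakt)
    End If

    objCon.Close
    Set objCon = Nothing
End If
%>
```

With parameters bound this way the missing opening quote in the original WHERE clause cannot happen either, since no quotes are written by hand; the row count returned by Execute is also the quickest way to tell an empty Kontakt apart from a genuine syntax error.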