Hello
 
I have never done any code like this before (I am a web designer).
 
We have a 'dealer request' form on our website, where 'dealers' can put in their Name, Contact Info, Dealer Account #, etc.
 
Currently - when this form is filled out and submitted, all that happens is that I get an email with that information, and then I manually input it into the SQL database.
 
I followed a tutorial online, but each time I hit the 'submit', I just get a 500 Internal Server error. Here is the current form_ac.asp (I removed the login credentials obviously):
 
<%
' Declaring variables (dealer and phone_area were assigned but never declared)
Dim first, last, dealer, account, email, state, phone_area, data_source, con, sql_insert

' Trims a form value and doubles any single quote before it is concatenated into the SQL text
' (the parameter was named "string", which shadows the VBScript String function)
Function ChkString(s)
	ChkString = Replace(Trim(s), "'", "''")
End Function

' Receiving values from Form
first = ChkString(Request.Form("first"))
last = ChkString(Request.Form("last"))
dealer = ChkString(Request.Form("dealer"))
account = ChkString(Request.Form("account"))
email = ChkString(Request.Form("email"))
state = ChkString(Request.Form("state"))
phone_area = ChkString(Request.Form("phone_area"))

' The connection string must be a quoted string literal; SERVERNAME etc. are placeholders
' and the SQLOLEDB provider is assumed for SQL Server (without a Provider, ADO falls back to ODBC)
data_source = "Provider=SQLOLEDB;Server=SERVERNAME;Database=DBNAME;User Id=USERID;Password=PASSWORD;"

' Builds the INSERT by string concatenation (a "&" was missing before "last")
sql_insert = "insert into users (first, last, dealer, account, email, state, phone_area) values ('" & _
                first & "','" & last & "','" & dealer & "', '" & account & "', '" & email & "', '" & state & "', '" & phone_area & "')"

' Creating Connection Object and opening the database
Set con = Server.CreateObject("ADODB.Connection")
con.Open data_source
con.Execute sql_insert

' Done. Close the connection
con.Close
Set con = Nothing
%>
 
Any advice, suggestions or guidance would be greatly appreciated.
Posted 2-Jan-13 12:39pm
Comments
Sergey Alexandrovich Kryukov at 2-Jan-13 19:09pm
Consider your code is already cracked. ;-)
—SA
Solution 3

Hi there,
 
The best way is to use command parameters; no user could pass any SQL injection after that :)
 
See the link below:

http://msdn.microsoft.com/en-us/library/windows/desktop/ms675869(v=vs.85).aspx

Let me know if you have any queries.
Solution 2

Hey Christian,
 
Thanks for the quick reply! OK, I believe it would be better for me to pursue another method to complete this. Do you have any (better) recommendations to accomplish this?
 
Thanks,
-J
Solution 1

This is ASP, not ASP.NET. ASP has been obsolete for a decade. You should avoid using it, if you can. Of course, your code is open to SQL injection and needs to be fixed. The easiest way to do that is to use a stored proc.
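Both fixes suggested above (Solution 3: command parameters; Solution 1: a stored procedure) come down to the same ADO mechanism, so one worked page covers both. This is an added example, not code from the original question or any answer; it assumes SQL Server through the SQLOLEDB provider, a `users` table with the seven columns from the question, the column widths given as parameter sizes, and a hypothetical stored procedure `usp_InsertDealerRequest` that takes the same seven values in the same order.

```vbscript
<%
Option Explicit

' ADO constants normally pulled in from adovbs.inc; declared here so this page is self-contained
Const adCmdText = 1
Const adCmdStoredProc = 4
Const adVarChar = 200
Const adParamInput = 1

' Trim whitespace only. No quote-doubling: parameter values travel to the server separately
' from the SQL text, so a ' in a name such as O'Brien is stored as data, never parsed as SQL.
Function Clean(s)
    Clean = Trim(s & "")
End Function

' Bind the seven form fields to an ADODB.Command. For adCmdText the names are documentary
' (binding is positional, in Append order); the sizes are assumed column widths.
Sub BindDealerParams(cmd, first, last, dealer, account, email, state, phone_area)
    cmd.Parameters.Append cmd.CreateParameter("@first", adVarChar, adParamInput, 50, first)
    cmd.Parameters.Append cmd.CreateParameter("@last", adVarChar, adParamInput, 50, last)
    cmd.Parameters.Append cmd.CreateParameter("@dealer", adVarChar, adParamInput, 100, dealer)
    cmd.Parameters.Append cmd.CreateParameter("@account", adVarChar, adParamInput, 20, account)
    cmd.Parameters.Append cmd.CreateParameter("@email", adVarChar, adParamInput, 100, email)
    cmd.Parameters.Append cmd.CreateParameter("@state", adVarChar, adParamInput, 2, state)
    cmd.Parameters.Append cmd.CreateParameter("@phone_area", adVarChar, adParamInput, 3, phone_area)
End Sub

' Solution 3: parameterised INSERT. Each ? is a placeholder the provider fills from the bound
' parameters, so user input never becomes part of the statement text.
Sub InsertWithParameters(con, first, last, dealer, account, email, state, phone_area)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = con
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO users (first, last, dealer, account, email, state, phone_area) " & _
                      "VALUES (?, ?, ?, ?, ?, ?, ?)"
    BindDealerParams cmd, first, last, dealer, account, email, state, phone_area
    cmd.Execute
    Set cmd = Nothing
End Sub

' Solution 1: the same insert through a stored procedure. usp_InsertDealerRequest is assumed
' to exist and to take the seven parameters above, in this order, e.g.
'   CREATE PROCEDURE usp_InsertDealerRequest @first varchar(50), @last varchar(50), ... AS
'   INSERT INTO users (first, last, dealer, account, email, state, phone_area)
'   VALUES (@first, @last, @dealer, @account, @email, @state, @phone_area)
Sub InsertWithStoredProc(con, first, last, dealer, account, email, state, phone_area)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = con
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "usp_InsertDealerRequest"
    BindDealerParams cmd, first, last, dealer, account, email, state, phone_area
    cmd.Execute
    Set cmd = Nothing
End Sub

' Placeholder connection string; SQLOLEDB is assumed as the provider for SQL Server
Dim data_source, con
data_source = "Provider=SQLOLEDB;Server=SERVERNAME;Database=DBNAME;User Id=USERID;Password=PASSWORD;"

Set con = Server.CreateObject("ADODB.Connection")
con.Open data_source

' Swap in InsertWithStoredProc here to take the stored-procedure route instead
InsertWithParameters con, _
    Clean(Request.Form("first")), Clean(Request.Form("last")), Clean(Request.Form("dealer")), _
    Clean(Request.Form("account")), Clean(Request.Form("email")), Clean(Request.Form("state")), _
    Clean(Request.Form("phone_area"))

con.Close
Set con = Nothing
%>
```

A quick way to confirm the difference: submit a last name containing a single quote. With the concatenated `sql_insert` in the question, the quote closes the string literal early and anything after it is parsed as SQL (the `Replace` of `'` with `''` only papers over that for quoted string fields); with the command above the same value is inserted verbatim. Two checks a practitioner will want: keep the parameter sizes at least as wide as the real column definitions, or values are truncated, and keep `Append` order identical to the `?` order, since text commands bind positionally.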

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 3 Jan 2013
Copyright © CodeProject, 1999-2014