Click here to Skip to main content
15,614,608 members
Please Sign up or sign in to vote.
3.50/5 (2 votes)
See more:

I have never done any code like this before (I am a web designer).

We have a 'dealer request' form on out website, where 'dealers' can put in there Name, Contact Info, Dealer Account #, etc.

Currently - when this form is filled out and submitted, all that happens is that I get an email with that information, and then I manually input it into the SQL database.

I followed a tutorial online, but each time I hit the 'submit', I just get a 500 Internal Server error. Here is the current form_ac.asp (I removed the login credentials obviously):

' Declaring variables
Dim first, last, account, email, state, comments, data_source, con, sql_insert

' A Function to check if some field entered by user is empty
Function ChkString(string)
	ChkString = Replace( Trim(string) , "'", "''")
End Function

' Receiving values from Form
first = ChkString(Request.Form("first"))
last = ChkString(Request.Form("last"))
dealer = ChkString(Request.Form("dealer"))
account = ChkString(Request.Form("account"))
email = ChkString(Request.Form("email"))
state = ChkString(Request.Form("state"))
phone_area = ChkString(Request.Form("phone_area"))
data_source = Server=SERVERNAME; Database=DB NAME;User Id=USERID;Password=PASSWORD; 
sql_insert = "insert into users (first, last, dealer, account, email, state, phone_area) values ('" & _
                first & "','" last & "','" & dealer & "', '" & account & "', '" & email & "', '" & state & "', '" & phone_area & "')"

' Creating Connection Object and opening the database
Set con = Server.CreateObject("ADODB.Connection")
con.Open data_source
con.Execute sql_insert

' Done. Close the connection
Set con = Nothing

Any advice, suggestions or guidance would be greatly appreciated.
Sergey Alexandrovich Kryukov 2-Jan-13 19:09pm    
Consider your code is already cracked. ;-)

This is asp. Not asp has been obsolete for a decade. You should avoid using it, if you can. Of course, your code is open to SQL injection and needs to be fixed. The easiest way to do that, is to use a stored proc.
Share this answer
Hey Christian,

Thanks for the quick reply! Ok, I believe it would be better for me to pursue another method to complete this. Do you have any (better) recommendations to accomplish this?

Share this answer
Hi there,

the best way is use command parameters, any user would pass any sql injection after that :)

see below link[^]

let me know if you have any query
Share this answer

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900