
I have never done any code like this before (I am a web designer).

We have a 'dealer request' form on our website, where 'dealers' can put in their Name, Contact Info, Dealer Account #, etc.

Currently - when this form is filled out and submitted, all that happens is that I get an email with that information, and then I manually input it into the SQL database.

I followed a tutorial online, but each time I hit the 'submit', I just get a 500 Internal Server error. Here is the current form_ac.asp (I removed the login credentials obviously):

' Declaring variables
Dim first, last, dealer, account, email, state, phone_area, data_source, con, sql_insert
' Trims the value and doubles any single quotes in it
Function ChkString(string)
	ChkString = Replace( Trim(string) , "'", "''")
End Function
' Receiving values from Form
first = ChkString(Request.Form("first"))
last = ChkString(Request.Form("last"))
dealer = ChkString(Request.Form("dealer"))
account = ChkString(Request.Form("account"))
email = ChkString(Request.Form("email"))
state = ChkString(Request.Form("state"))
phone_area = ChkString(Request.Form("phone_area"))
' The connection string must be a quoted string literal (ADO also expects a Provider= or Driver= entry in it)
data_source = "Server=SERVERNAME; Database=DB NAME;User Id=USERID;Password=PASSWORD;"
' Build the INSERT by concatenation; every value needs an & on both sides
sql_insert = "insert into users (first, last, dealer, account, email, state, phone_area) values ('" & _
                first & "','" & last & "','" & dealer & "', '" & account & "', '" & email & "', '" & state & "', '" & phone_area & "')"

' Creating Connection Object and opening the database
Set con = Server.CreateObject("ADODB.Connection")
con.Open data_source
con.Execute sql_insert
' Done. Close the connection
con.Close
Set con = Nothing

Any advice, suggestions or guidance would be greatly appreciated.
Posted 2-Jan-13 12:39pm
Consider your code is already cracked. ;-)

Solution 1

This is ASP, not ASP.NET. ASP has been obsolete for a decade. You should avoid using it, if you can. Of course, your code is open to SQL injection and needs to be fixed. The easiest way to do that is to use a stored proc.

Solution 2

Hey Christian,

Thanks for the quick reply! Ok, I believe it would be better for me to pursue another method to complete this. Do you have any (better) recommendations to accomplish this?


Solution 3

Hi there,

The best way is to use command parameters, any user would pass any SQL injection after that :)

See the link below.

Let me know if you have any query.
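
Solutions 1 and 3 both come down to keeping form input out of the SQL text. As an added example (not code from the original thread), here is the same insert from form_ac.asp written in classic ASP with an ADODB.Command and bound parameters; the SQLOLEDB provider, the column sizes and the 400 response are assumptions, and the connection values are placeholders.

```vbscript
Option Explicit
' ADO constants (values as defined in adovbs.inc)
Const adCmdText = 1, adParamInput = 1, adVarWChar = 202, adExecuteNoRecords = 128

' Form field names and ASSUMED maximum column lengths (match these to the real users table)
Dim fields, sizes, i, value, con, cmd
fields = Array("first", "last", "dealer", "account", "email", "state", "phone_area")
sizes  = Array(50, 50, 100, 20, 254, 2, 3)

Set con = Server.CreateObject("ADODB.Connection")
' Placeholder connection string (SQLOLEDB provider assumed)
con.Open "Provider=SQLOLEDB;Data Source=SERVERNAME;Initial Catalog=DBNAME;User ID=USERID;Password=PASSWORD;"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = con
cmd.CommandType = adCmdText
' One ? per value: the SQL text is fixed and never contains user input
cmd.CommandText = "INSERT INTO users (first, last, dealer, account, email, state, phone_area) " & _
                  "VALUES (?, ?, ?, ?, ?, ?, ?)"

For i = 0 To UBound(fields)
    value = Trim(Request.Form(fields(i)))
    ' Reject empty or over-length input instead of truncating it silently
    If Len(value) = 0 Or Len(value) > sizes(i) Then
        con.Close
        Response.Status = "400 Bad Request"
        Response.Write "Invalid value for field: " & Server.HTMLEncode(fields(i))
        Response.End
    End If
    ' Parameters bind by position, so append them in column order
    cmd.Parameters.Append cmd.CreateParameter("@" & fields(i), adVarWChar, adParamInput, sizes(i), value)
Next

' The values travel to the server as data, so quotes in them cannot change the statement
cmd.Execute , , adExecuteNoRecords
con.Close
Set cmd = Nothing
Set con = Nothing
Response.Write "Request saved."
```

With bound parameters the ChkString quote-doubling is no longer needed, and the database account used here only needs INSERT permission on the users table.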

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 3 Jan 2013
Copyright © CodeProject, 1999-2017