simple insert statement

on 06.04.2007 18:29:06 by Billy Barth

I can't seem to get this to work right.
Here's my page Code.

Submit a News Story

Title of Story
Date of Story value="<%=Date()%>" />
Story Text

<%
if request.form("title")<>"" then
strSQL="INSERT INTO News (title,date,story) VALUES ('"&request.form("title")&"','"&request.form("date")&"','"&replace(request.form("story"),"'","''")&"')"
response.write(strsql)
con.execute(strsql) ' <-----line 52
end if
%>

Here's what comes out of the string sql : INSERT INTO News
(title,date,story) VALUES ('story title here','4/6/2007','story text here')

My error is :

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntax error in INSERT INTO
statement.

/newsite/admin/news_enter.asp, line 52



Can anyone Help?

Re: simple insert statement

on 06.04.2007 18:59:02 by reb01501

Billy Barth wrote:
> I can't seem to get this to work right.
> Here's my page Code.

>
>
> <%
> if request.form("title")<>"" then
> strSQL="INSERT INTO News (title,date,story) VALUES
> ('"&request.form("title")&"','"&request.form("date")&"','"&replace(request.form("story"),"'","''")&"')"
> response.write(strsql)
> con.execute(strsql) <-----line 52>
> end if
> %>
>
> Here's what comes out of the string sql : INSERT INTO News
> (title,date,story) VALUES ('story title here','4/6/2007','story text
> here')
> My error is :
>
> Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
>
> [Microsoft][ODBC Microsoft Access Driver] Syntax error in INSERT INTO
> statement.

Nothing to do with your problem, but, read this:
http://www.aspfaq.com/show.asp?id=2126

Getting to your problem: I will give you the same answer I gave jason in
this post:
http://groups.google.com/group/microsoft.public.inetserver.asp.general/msg/713f592513bf333c?hl=en&lr=&ie=UTF-8&oe=UTF-8

Further points to consider:
Your use of dynamic sql is leaving you vulnerable to hackers using sql
injection:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23

See here for a better, more secure way to execute your queries by using
parameter markers:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e


--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"

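The parameter-marker approach recommended in the reply above, applied to this thread's INSERT. This is an added example, not code from any of the posters. It assumes `con` is the page's already-open ADODB.Connection, that `title` is a text column of at most 255 characters and that `story` is a memo column.

```vbscript
<%
' Added example. ADO constants are declared here because classic ASP
' does not define them unless adovbs.inc is included.
Const adCmdText = 1
Const adExecuteNoRecords = 128
Const adParamInput = 1
Const adDate = 7
Const adVarWChar = 202
Const adLongVarWChar = 203

Dim title, storyDate, story, cmd
title = Left(Trim(Request.Form("title")), 255)   ' 255 = assumed column size
storyDate = Request.Form("date")
story = Request.Form("story")

If title <> "" Then
    If Not IsDate(storyDate) Then
        ' Reject input that is not a date instead of passing it to the database.
        Response.Write "Please enter a valid date."
    Else
        Set cmd = Server.CreateObject("ADODB.Command")
        Set cmd.ActiveConnection = con
        cmd.CommandType = adCmdText
        ' Each ? is a positional parameter marker. Form values are bound as
        ' data and never become part of the SQL text, so no quote doubling
        ' and no date delimiters are needed.
        ' Date is a reserved word in Jet SQL, so the column name is bracketed.
        cmd.CommandText = "INSERT INTO News (title, [date], story) VALUES (?, ?, ?)"
        cmd.Parameters.Append cmd.CreateParameter("title", adVarWChar, adParamInput, 255, title)
        cmd.Parameters.Append cmd.CreateParameter("date", adDate, adParamInput, , CDate(storyDate))
        ' Size must be greater than zero for variable-length types.
        cmd.Parameters.Append cmd.CreateParameter("story", adLongVarWChar, adParamInput, Len(story) + 1, story)
        cmd.Execute , , adExecuteNoRecords
        Set cmd = Nothing
    End If
End If
%>
```

The parameters are matched to the markers by position, not by the names given to CreateParameter.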
Re: simple insert statement

on 09.04.2007 11:09:15 by Mike Brind

"Bob Barrows [MVP]" wrote in message
news:%239K%23UzGeHHA.1216@TK2MSFTNGP03.phx.gbl...
> Billy Barth wrote:
>> I can't seem to get this to work right.
>> Here's my page Code.
>
>>
>>
>> <%
>> if request.form("title")<>"" then
>> strSQL="INSERT INTO News (title,date,story) VALUES
>> ('"&request.form("title")&"','"&request.form("date")&"','"&replace(request.form("story"),"'","''")&"')"
>> response.write(strsql)
>> con.execute(strsql) <-----line 52>
>> end if
>> %>
>>
>> Here's what comes out of the string sql : INSERT INTO News
>> (title,date,story) VALUES ('story title here','4/6/2007','story text
>> here')
>> My error is :
>>
>> Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
>>
>> [Microsoft][ODBC Microsoft Access Driver] Syntax error in INSERT INTO
>> statement.
>
> Nothing to do with your problem, but, read this:
> http://www.aspfaq.com/show.asp?id=2126
>

I don't know for sure, but I think this DOES contribute something to the
problem. Access should be quite happy with apostrophes as date delimiters.
It certainly is when you use the Jet 4 driver. I am guessing that the ODBC
driver doesn't like them.

--
Mike Brind

Re: simple insert statement

on 09.04.2007 12:37:40 by reb01501

Mike Brind wrote:
> I don't know for sure, but I think this DOES contribute something to
> the problem. Access should be quite happy with apostrophes as date
> delimiters. It certainly is when you use the Jet 4 driver. I am guessing
> that the ODBC driver doesn't like them.

Well, that's certainly news to me, which is not a surprise since I've never
tried to use anything other than octothorpes to delimit dates with Jet. I
guess I need to revise my instructions ...
