Here is my ASP code that queries against an MS SQL 2000 database. All works well except if the string I query for contains an apostrophe, like Dog's. I have tried replacing all single quotes with 2 single quotes, but that doesn't work either. What am I doing wrong?
Code:
Set objCmd = Server.CreateObject("ADODB.Command")
objCmd.ActiveConnection = Conn
objCmd.CommandType = adCmdText   ' adCmdText = 1 (adovbs.inc)
objCmd.CommandText = "SELECT ISBN" & _
    " FROM Books" & _
    " WHERE Title LIKE '%' + ? + '%' "
' Create the parameter and populate it. The value is sent separately from the
' SQL text, so the apostrophe in "Dog's" needs no doubling or escaping.
Set objParam = objCmd.CreateParameter("", adVarChar, adParamInput, 200, "Dog's")
objCmd.Parameters.Append objParam
' sQuery was never assigned; write the command text that is actually executed
Response.Write objCmd.CommandText
Set rsBooks = objCmd.Execute()
I just found out that SQL injection could be avoided by parameterized queries. Up till now I've been using simple (concatenation) queries. I have no idea about what parameterized queries are and how to write them. I suppose they have something to do with the SQL procedures. I've tried to Google it but couldn't find any useful resource on it. Please explain what parameterized queries are and give an example.
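The concatenated query beside its parameterized ADO equivalent, written for the "Dog's" LIKE search from the first post above (an added example, not code from either post). The connection string, the Books table and the @title parameter name are assumptions; the ADO constants are the standard adovbs.inc values, so drop the three Const lines if that file is already included.

```vbscript
<%
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
' assumed connection string; adjust to the real server and database
conn.Open "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=Library;Integrated Security=SSPI"

Dim search
search = "Dog's"   ' constructed input; in the real page this comes from Request.Form

' 1) Concatenation: the apostrophe closes the string literal early, so SQL Server
'    sees  ... LIKE '%Dog's%'  and raises a syntax error. Any input that can close
'    the literal can also change the statement, which is the SQL injection problem.
Dim unsafeSql
unsafeSql = "SELECT ISBN, Title FROM Books WHERE Title LIKE '%" & search & "%'"

' 2) Parameterized: the SQL text is fixed and holds a placeholder (?). The value is
'    sent separately, so nothing in it can alter the statement and no escaping is
'    needed. The wildcards are added on the SQL side, not pasted into the value.
Function FindBooksByTitle(conn, titleFragment)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT ISBN, Title FROM Books WHERE Title LIKE '%' + ? + '%'"
    ' name, type, direction, size, value; the name is ignored with ? markers
    cmd.Parameters.Append cmd.CreateParameter("@title", adVarChar, adParamInput, 200, titleFragment)
    Set FindBooksByTitle = cmd.Execute
End Function

Dim rs
Set rs = FindBooksByTitle(conn, search)
Do Until rs.EOF
    ' encode on the way out as well, so a title cannot inject HTML into the page
    Response.Write Server.HTMLEncode(rs("Title")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```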
In Access you use "*" + [passed variable] + "*"; + can be replaced with &. Calling a parameterized query in Access requires that % be used in place of *; however, all that I have read shows dynamic SQL passed to Access:
WHERE [some column] LIKE '" & ASPvar & "' % ORDER BY ...
However, my call is similar to:
conn.qMyLookup strVar, rs
If I modify the query in Access to:
"%" & [passed variable] & "%"
I get all records. If I only put it at the end, as suggested, I only get matches at the end, not throughout the column. Code:
My code retrieves a username and a password from a form. Then this information is compared to some usernames and passwords that are stored in a database. The important thing here is that the comparison must be case-sensitive, meaning that "passWord" is not the same thing as "password".
I have this code, working fine in access 2003
SQL = "SELECT * FROM users WHERE StrComp(username_column,'" & entered_username_in_form & "',0) = 0 AND StrComp(password_column,'" & entered_password_in_form & "',0) = 0"
but get the following error when I run it against my sql 2005 database.
[Microsoft][SQL Native Client][SQL Server]'StrComp' is not a recognized built-in function name.
I don't know the corresponding t-sql for the query.
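T-SQL has no StrComp, but a comparison can be made case-sensitive by applying a case-sensitive collation to the column; this added example (not the poster's code) does that for the users table from the post and binds both form values as parameters instead of concatenating them. The conn object, the parameter names, the 50-character sizes and the Latin1_General_CS_AS collation are assumptions.

```vbscript
<%
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

' Returns True when exactly one row matches the username and password, compared
' case-sensitively regardless of the database's default (usually CI) collation.
Function CredentialsMatch(conn, userName, passWord)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' Latin1_General_CS_AS: CS = case-sensitive, AS = accent-sensitive. The explicit
    ' COLLATE on the column overrides its stored collation for this comparison only,
    ' so "passWord" and "password" are different values here.
    cmd.CommandText = "SELECT COUNT(*) AS n FROM users" & _
        " WHERE username_column COLLATE Latin1_General_CS_AS = ?" & _
        " AND password_column COLLATE Latin1_General_CS_AS = ?"
    ' Both values travel as parameters; the form input never becomes part of the
    ' SQL text, which is what made the concatenated version open to SQL injection.
    cmd.Parameters.Append cmd.CreateParameter("@u", adVarChar, adParamInput, 50, userName)
    cmd.Parameters.Append cmd.CreateParameter("@p", adVarChar, adParamInput, 50, passWord)
    Set rs = cmd.Execute
    CredentialsMatch = (rs("n") = 1)
    rs.Close
End Function

If CredentialsMatch(conn, Request.Form("entered_username_in_form"), Request.Form("entered_password_in_form")) Then
    Session("Valid") = Request.Form("entered_username_in_form")
Else
    Response.Write "Login failed"
End If
%>
```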
I am running a query on an Access database and have set the number of records per page displayed at 20. If there are more than 20 records returned, then the 1st page will show the first 20, the next page will show the next 20 and so on....
The trouble:
The count of total records displayed is correct and the first page is displayed correctly. But when I click on *Next* to go to the next page, all the records of the database get displayed (not the 2nd page of records from the query).
I can't write the sum of a certain column in a table of a db.
<%
sql_Sum_Tax = "SELECT SUM(vtax) AS sql_Sum_Tax_RS_Var FROM orderstats" & _
              " WHERE vcompletedate BETWEEN " & startDate & " AND " & endDate & ";"
Set sql_Sum_Tax_RS = Server.CreateObject("ADODB.Recordset")
sql_Sum_Tax_RS.Open sql_Sum_Tax, conn1
%>
I have an Access database of literature that I want to search using an ASP page using multiple search criteria (author, title, year, discipline,etc). I'm using a form to collect the criteria from the user and then sending it to an ASP page. I'm creating the SQL statement using variables that pick up values passed from the form.
Code:
strSQL = "SELECT * FROM Literature WHERE " & _
         "(Author Like '%" & mauthor & "%') AND " & _
         "(Title Like '%" & mtitle & "%') AND " & _
         "(Journal Like '%" & mjournal & "%') AND " & _
         "(ArticleBook Like '%" & mBookOption & "%') AND " & _
         "(Year Like '%" & myear & "%') " & _
         "ORDER BY Title ASC;"
This would probably work if I used "OR" in my SQL, but I want to be able to use "AND." My problem is that I'm not getting records that have null values in some of these fields.
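A blank search box turns into "Author Like '%%'", and LIKE never matches a NULL, so every empty criterion silently drops rows. This added example (not the poster's code) builds the WHERE clause only from criteria the user filled in, with one ? parameter per criterion, so the AND keeps working and nothing from the form is pasted into the SQL text. Column names follow the post; the conn object and the form field names are assumptions, and the Jet OLE DB provider's % wildcard is used as noted earlier on this page.

```vbscript
<%
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

' fields: a Scripting.Dictionary of column name -> submitted value.
' Returns the recordset for the search.
Function SearchLiterature(conn, fields)
    Dim cmd, key, value, clauses, sql
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    clauses = ""
    For Each key In fields.Keys
        value = Trim(fields(key))
        If value <> "" Then
            If clauses <> "" Then clauses = clauses & " AND "
            ' Column names come from our own fixed list below, never from the form,
            ' so it is safe to place them in the SQL text. [Year] needs brackets in Jet.
            clauses = clauses & "([" & key & "] LIKE ?)"
            ' The wildcards go into the bound value, in the same order as the ? markers.
            cmd.Parameters.Append cmd.CreateParameter("", adVarChar, adParamInput, 200, "%" & value & "%")
        End If
    Next
    sql = "SELECT * FROM Literature"
    If clauses <> "" Then sql = sql & " WHERE " & clauses
    cmd.CommandText = sql & " ORDER BY Title ASC"
    Set SearchLiterature = cmd.Execute
End Function

Dim criteria, rsLit
Set criteria = Server.CreateObject("Scripting.Dictionary")
criteria.Add "Author", Request.Form("mauthor")
criteria.Add "Title", Request.Form("mtitle")
criteria.Add "Journal", Request.Form("mjournal")
criteria.Add "ArticleBook", Request.Form("mBookOption")
criteria.Add "Year", Request.Form("myear")
Set rsLit = SearchLiterature(conn, criteria)
%>
```

With no criteria filled in the function returns every row, NULL fields included; with a criterion filled in, rows whose field is NULL are correctly excluded for that criterion only.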
I've been working with queries through ASP on a .mdb file. The biggest problem I have is that when I query a certain column that had embedded hyperlinks in it, the query also returns the value of the hyperlink. Is there any way not to have to remove the hyperlinks in the database and not have them show up on queries? Code:
I am learning ASP from the Wrox Beginning E-Commerce book, which uses Visual Basic to create a DLL and it also uses MTS as well. I have been trying to find hosting, not realising the problem with registering custom DLLs on the server, and now realise that this isn't the best way to do this. I wanted to know if there was anything I could do to change this. I have read a little bit about the Global.asa file but am not sure about this. Could I just transfer all the code into the Global.asa and then use it like this? My website accesses a SQL database and uses an MTS pipeline for order processing. I don't have enough experience of ASP to re-write this code and am not sure of what to do. I have tried searching the web but am not really finding any solutions that I understand.
I am trying to have the SQL query select from a table where two conditions exist. The line:
Code:
SQL = "SELECT * FROM CompsIn WHERE Out = -1 "
Works, but I want to have it also select from CompsIn where UserGroup = Session("UserGroup"). Until I connect the login and the CompsOut pages, adding WHERE UserGroup='CSU836' will work just fine.
And say 4569 belongs to Joseph; I want to tell what Joseph's rank is. Looking at the values, his rank is 1; if 124 belongs to Justin then his rank is 4. The more the points, the higher the rank. Can someone tell me how my SQL query will be?
Is there a way to query for a user's IP address with classic ASP/VBScript?
I'm building a local app that will feature a simple logging system. I'd like to have any user be able to update a form and, when submitted, the page can look up the user's IP and know that this update came from "Jeff's Workstation", for example.
There would only be 40 or so users, each of whom has a static IP that I could use to perform the lookup.
Can anyone point me the right direction, or perhaps suggest a better way to approach this problem?
I have a column in a db which has values separated by a comma, e.g. 1,4,12,5. I want to be able to search the db and return info where a variable has similar values to the ones in the column. So they don't all need to be the same. They could be 18,4,9,199 and the common no. 4 would be matched and info extracted. I have tried using % in my SQL but it doesn't work 100%. (e.g. select * from table where column_data LIKE '%"variable"')
I need help with a SQL statement using AND OR properly. Say I want to list all records which are of the type page, state active but belong to different groups. My statement to list from one group might look like this:
Select * From Objects Where rs.Type=0 And rs.State=2 and rs.Group=3
Adding an OR clause, how would I list all groups (say 1-5)? Do I have to specify type, state and group 5 times?
I am trying to compare the student's current preference to all of the preferences they have already selected, i.e. if they select a preference of '1', and they have already selected that preference before, then they get an error. This is the SQL that I have so far:
SQLPreference = "SELECT DISTINCT [tblStudents.Preference] FROM [tblStudents] WHERE (tblStudents.Student = '" & session("Valid") & "') AND (tblStudents.Preference = '" & Request.Form("Preference") & "');"
Now, this works perfectly when they have already selected that preference... They get the proper error. However, the problem is that if the two don't match up, then I get an 'Exception occurred' error. I know why this is happening... Simply because the SQL statement can't find Request.Form("Preference") in the database, and thus is generating an error. Code:
I have this query but for some reason it is not working... Code:
SQL = "SELECT * FROM " & strTableName & " WHERE category = '" & cat & "' AND
I have a problem with the category part... for some reason it does not read it, but the variable cat is working fine because I had a response.write before and it displays it..
I'm having trouble thinking how to write a query ... I have two tables, customer and contact ... they share a common element of customerID ... there is a login form based on the contactID, contactPassword within the contact table; based on that I want the contactID and customerID of contact, to display the fields of the customer table.
My search works fine using a simple SQL statement, but I'm trying to limit it by using a pull-down menu. In the example below, it's by category. It seems the "search" overrides the dropdown, however. So if I search for something, it shows ALL, instead of the category I had specified. Code:
I need a return of all RoomDesc fields which do NOT have bookings between the specified Arrival and Departure dates. I thought it would be something along the lines of:
SELECT ResourceDetail.ResourceDesc FROM ResourceDetail, Booking
WHERE Booking.ResourceDetailID Like ResourceDetail.ResourceDetailID
AND Booking.Arrival NOT BETWEEN MyADate and MyLDate AND Booking.Departure NOT BETWEEN MyADate and MyLDate
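Two stays clash when each one starts before the other ends, so testing Arrival and Departure separately with NOT BETWEEN misses a booking that starts before MyADate and ends after MyLDate; the join also drops rooms that have no bookings at all. This added example (not the poster's query) uses that overlap test inside NOT EXISTS and binds the two dates as parameters. Table and column names follow the post; the conn object, adDate parameters and the rule that a check-out and a check-in on the same day do not clash are assumptions.

```vbscript
<%
Const adCmdText = 1
Const adDate = 7
Const adParamInput = 1

' Returns the ResourceDesc of every room with no booking overlapping
' the requested stay from arrival to departure (both Date values).
Function AvailableRooms(conn, arrival, departure)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' An existing booking overlaps the request when it starts before the requested
    ' departure AND ends after the requested arrival. Rooms with no bookings pass
    ' NOT EXISTS automatically.
    cmd.CommandText = _
        "SELECT rd.ResourceDesc FROM ResourceDetail AS rd" & _
        " WHERE NOT EXISTS (" & _
        "   SELECT * FROM Booking AS b" & _
        "   WHERE b.ResourceDetailID = rd.ResourceDetailID" & _
        "     AND b.Arrival < ?" & _
        "     AND b.Departure > ?)"
    ' parameters bind in the order the ? markers appear: departure first, then arrival
    cmd.Parameters.Append cmd.CreateParameter("@departure", adDate, adParamInput, , departure)
    cmd.Parameters.Append cmd.CreateParameter("@arrival", adDate, adParamInput, , arrival)
    Set AvailableRooms = cmd.Execute
End Function

Dim rsRooms
' MyADate and MyLDate are the poster's variables; CDate rejects non-date input
Set rsRooms = AvailableRooms(conn, CDate(MyADate), CDate(MyLDate))
Do Until rsRooms.EOF
    Response.Write Server.HTMLEncode(rsRooms("ResourceDesc")) & "<br>"
    rsRooms.MoveNext
Loop
rsRooms.Close
%>
```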
I have this table in my database with a field "amount" and I want to sum up that field. I'm searching for the right code but I really don't understand how they do it.