i'm missing something simple here...


  1. #1
    Join Date
    Dec 1969
    Posts
    53

    Default i'm missing something simple here...

    ugh...something basic...but can't figure out my problem

    Working with ASP 3.0 -
    I've got one database - testing - with one table - test with the following fields:
    ID (key - autonumber); Protocol, Title, Disease, PI, Submitted (yes/no field)

    The first webpage shows the user everything that was submitted. The only field hyperlinked is the Disease field. This brings the user to the second web page which shows everything in that table with that particular disease.

    I'm having troubles...trying to keep this simple by keeping it all in one table (system won't be growing, this is something static) ...

    my code for the first webpage is:

        <%
         Set rs = Server.CreateObject("ADODB.Recordset")
         rs.Open "SELECT * FROM testing WHERE Submitted = -1 order by [ID] asc"
        %>
        <%
         If Not rs.EOF Then
         While Not rs.EOF
        %>
        <% Response.Write rs("PI") %>
        <a href="protocolview.asp?Disease=<%= rs("Disease") %>"> <% Response.Write rs("Disease") %> </a>

    with the movenext, yada yada...first page works like a charm...

    second page code:

        <%
         CurrentDisease = Request.Form("Disease")
         set rs = conn.Execute ("SELECT * FROM testing Where Disease = " & CurrentDisease)
        %>

    this is the code that is generating this error:

        Error Type:
        Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
        [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'Disease ='.
        /cto/protocolview.asp, line 17

    I know this is something basic, but I've been banging my head and can't figure it out!! please help!

    thanks in advance :)

  2. #2
    Join Date
    Dec 1969
    Posts
    2,809

    Default RE: i'm missing something simple here...

    Try changing

        CurrentDisease = Request.Form("Disease")

    to

        CurrentDisease = Request.QueryString("Disease")

  3. #3
    Join Date
    Dec 1969
    Posts
    18,177

    Default Disease is a text field.

    Therefore, it needs ' around it:

        Set rs = conn.Execute("SELECT * FROM testing Where Disease = '" & CurrentDisease & "'")

    Now - you need to learn about SQL Injection. And, you should protect yourself against it. Read this:
    http://www.27seconds.com/kb/article_view.asp?id=34

    And, then you would use the code:

        Set rs = conn.Execute("SELECT * FROM testing WHERE Disease = " & SQLStringFieldValue(CurrentDisease, sqlDataTypeText))
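
An alternative to quoting or escaping the value by hand is to bind it as a parameter, shown here as an added example that is not part of the original thread or the linked article. It assumes `conn` is an already open ADODB.Connection (as in the posts above), that the Disease column holds at most 255 characters, and that adovbs.inc is not included (so the ADO constants are declared locally).

```asp
<%
' Added example: a hardened protocolview.asp (not code from the thread).
' Assumption: conn is an open ADODB.Connection created elsewhere.
' Remove this Const line if adovbs.inc is already included.
Const adCmdText = 1, adParamInput = 1, adVarChar = 200

Dim CurrentDisease, cmd, rs

' The link on the first page carries the value in the URL,
' so it arrives in QueryString, not Form.
CurrentDisease = Trim(Request.QueryString("Disease"))

' Reject empty or oversized input before touching the database.
' 255 is an assumed column size (the Access Text field maximum).
If Len(CurrentDisease) = 0 Or Len(CurrentDisease) > 255 Then
    Response.Status = "400 Bad Request"
    Response.Write "Missing or invalid Disease parameter."
    Response.End
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText

' The ? placeholder is bound by the provider. The value is never spliced
' into the SQL text, so a quote inside it cannot end the string literal.
cmd.CommandText = "SELECT Protocol, Title, Disease, PI FROM testing WHERE Disease = ?"
cmd.Parameters.Append cmd.CreateParameter("Disease", adVarChar, adParamInput, 255, CurrentDisease)

Set rs = cmd.Execute
Do While Not rs.EOF
    ' HTML-encode database values on output; & "" turns Null into "".
    Response.Write Server.HTMLEncode(rs("Protocol") & "") & " - " & _
                   Server.HTMLEncode(rs("Title") & "") & " - " & _
                   Server.HTMLEncode(rs("PI") & "") & "<br>"
    rs.MoveNext
Loop

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

On the first page, the same care applies to the link: pass the value through `Server.URLEncode` inside the `href` and `Server.HTMLEncode` for the link text.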

  4. #4
    Join Date
    Dec 1969
    Posts
    53

    Default thank you!

    thank you both! I'll read that article too :)

