Reputation:
I am trying to create a simple page that enters data into a database and my code is below.
<%@ LANGUAGE="VBSCRIPT" %>
<% Option Explicit %>
<!--#include FILE=dbcano.inc-->
<%
dim username,password,f_name,l_name,objConn,objs,query
username = Request.Form("user")
password = Request.Form("pass")
f_name = Request.Form("fname")
l_name = Request.Form("lname")
if((f_name <> null) or (f_name <> "")) then
response.redirect("patti_account.asp")
else
Set objConn = ConnectDB()
query = "INSERT INTO user (username,password,f_name,l_name) VALUES ('"& username &"','"& password &"','"& f_name &"','"& l_name &"')"
Set objs = objConn.Execute(query)
Response.Redirect ("thankyou.asp")
end if
%>
I am getting this error when I run my page:
Microsoft OLE DB Provider for SQL Server error '80040e14'
Incorrect syntax near the keyword 'user'.
create_account.asp, line 18
I have checked everything, my field names exist and my table name is correct as well.
Any suggestions?
Upvotes: 0
Views: 9824
Reputation: 415881
This is vulnerable to SQL Injection. Imagine what would happen if someone put this in for the last name:
');DROP Table [user];--
Fix it or I will personally track you down and beat you with a wet noodle until you do.
Upvotes: 1
Reputation: 1168
Try changing it to:
query = "INSERT INTO [user] (username,password,f_name,l_name) VALUES ('"& username &"','"& password &"','"& f_name &"','"& l_name &"')"
(escape the table name since it is a reserved word)
Also, don't forget to validate keyboard input since this code is subject to SQL injection attacks.
Upvotes: 0
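Here is the same INSERT written with an ADODB.Command and bound parameters, which is the fix the two answers above are asking for; this is an added example, not code from the question or either answer. It assumes that ConnectDB() from dbcano.inc returns an open ADODB.Connection (as in the question) and that the four columns are varchar(50); adjust the sizes to match the real table.

```vbscript
<%
' Added example: parameterized INSERT for classic ASP / VBScript.
' User input is bound as data, so it can never change the SQL text.
Option Explicit

' ADO constants (same values as in adovbs.inc), declared here so the page is self-contained
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

' Inserts one row; objConn is assumed to be an open ADODB.Connection
Sub InsertUser(objConn, username, password, f_name, l_name)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = objConn
    cmd.CommandType = adCmdText
    ' [user] is bracketed because USER is a reserved word in SQL Server.
    ' The ? markers are placeholders that the provider fills from the bound parameters.
    cmd.CommandText = "INSERT INTO [user] (username, password, f_name, l_name) VALUES (?, ?, ?, ?)"
    ' Parameters bind in the order of the ? markers; 50 is the assumed column width
    cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 50, username)
    cmd.Parameters.Append cmd.CreateParameter("password", adVarChar, adParamInput, 50, password)
    cmd.Parameters.Append cmd.CreateParameter("f_name",   adVarChar, adParamInput, 50, f_name)
    cmd.Parameters.Append cmd.CreateParameter("l_name",   adVarChar, adParamInput, 50, l_name)
    ' A last name of  ');DROP Table [user];--  is now stored as that literal string,
    ' because it is passed as a value rather than spliced into the statement.
    cmd.Execute
    Set cmd = Nothing
End Sub

Dim objConn
' Reject empty required fields before touching the database
If Request.Form("fname") = "" Or Request.Form("user") = "" Then
    Response.Redirect "patti_account.asp"
Else
    Set objConn = ConnectDB()
    ' Note: the password is still stored in clear text, exactly as in the question;
    ' hashing it is a separate problem from the injection fixed here.
    InsertUser objConn, Request.Form("user"), Request.Form("pass"), Request.Form("fname"), Request.Form("lname")
    objConn.Close
    Set objConn = Nothing
    Response.Redirect "thankyou.asp"
End If
%>
```

Bracketing the table name fixes the '80040e14' syntax error; binding the values is what removes the injection that the first answer demonstrates.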
Reputation: 96571
User is a reserved word in SQL Server. Put it into square brackets, e.g. [user].
Upvotes: 3