CODEWITHSUNDEEP
asp-classic
user1195283
user1195283

Reputation: 9

Syntax error (missing operator) in query expression

I know it is a common error, but I still can't solve it myself. What I am trying to do is I have a SELECT item called status that allow the user to choose their employment status, I want to simply get the result and update the user_table(access file) status cell. Any reply will be greatly appreciated!

The Code is below:

<!--#include file="../conn/conn.asp"-->
<%
id=request.QueryString("id")
status=request.Form("status")
sql="select * from user_table where id="&id
set rs=conn.execute(sql)     
sql="update user_table set Status='"+status+"' where id="&id
'response.Write sql
conn.execute(sql)
conn.close
response.Write "<script>alert('Change Sucessful!');</script>"
set conn=nothing
response.end()
%>

Upvotes: 0

Views: 1254

Answers (2)

Stephen Quan
Stephen Quan

Reputation: 25926

I think you may be having a problem with conn.execute(sql) as well as response.end()

To fix it, you need to do either:

conn.execute sql

or

Call conn.execute(sql)

But, yeah, you should follow other comments posted as your technique has security issues. You should consider changing it to use parameters:

<!--#include file="../conn/conn.asp"-->
<%

id = request.QueryString("id")
status = request.Form("status")

sql = "select * from user_table where id = @id"
Set cmd = CreateObject("ADODB.Command")
cmd.CommandText = sql
Set cmd.ActiveConnection = conn
cmd.Prepared = True
cmd.Parameters.Refresh 
cmd.Parameters("@id") = id
Set rs = cmd.Execute
Set rs = nothing
Set cmd = nothing

sql = "update user_table set status = @status where id = @id"
Set cmd = CreateObject("ADODB.Command")
cmd.CommandText = sql
Set cmd.ActiveConnection = conn
cmd.Prepared = True
cmd.Parameters.Refresh 
cmd.Parameters("@status") = status
cmd.Parameters("@id") = id
Set rs = cmd.Execute
Set rs = nothing
Set cmd = nothing

response.Write "<script>alert('Change Sucessful!');</script>"
Set conn = nothing
response.end
%>

Upvotes: 1

Rodolfo
Rodolfo

Reputation: 4183

I'm guessing conn.asp leaves conn open? otherwise you need to open it. Also, what shows when you uncomment the response.write sql line?

And, you are definitely opening yourself to hackers. You need to 'clean' anything that comes from a request.form or request.querystring (with at the very least, a replace(..., "'", "''"), or much better, use stored procedures instead of straight sql

Upvotes: 0

Related Questions