I have a page that is writing to a database (Access) and I am having problems getting the actual SQL statement to execute properly. The code in question is as follows:
sql = "INSERT INTO article (maincat, subcatid, subject, article)"
sql = sql & " Values ('"
sql = sql & quotes(Request.form("maincat")) & "', '"
sql = sql & quotes(Request.form("subcatid")) & "', '"
sql = sql & quotes(Request.form("subject")) & "', '"
sql = sql & quotes(Request.form("article")) & "')"
The response I get is... "Data Type Mismatch in Criteria Expression"
The post data does not have quotes around the data - I am thinking this is the problem.
Any help would be appreciated!

Welcome to the ASP.NET Forums, mr_atlanta2kx.
Before you proceed any further, you must read the following:
Please, please, please, learn about injection attacks!

Thank you for the heads up. This particular function is only available via a password and IP address protected page that is going to be used on an Intranet.

Assuming subcatid is numeric -> don't use the 'quotes' function on this field.

Use params, apart from lots of other goodies they take care of irritating things like SQL within a value (including single quotes).
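The two suggestions in the replies above (treat subcatid as a number, and use parameters) combined into one parameterized insert. This is an added example, not code posted by anyone in the thread. It assumes classic ASP with ADO, an already open ADODB.Connection in a variable named conn (hypothetical), and column types of Number for subcatid, Text(255) for maincat and subject, and Memo for article.

```vbscript
<%
' Added example, not code from the thread. Assumptions: classic ASP with ADO,
' an open ADODB.Connection in a variable named conn (hypothetical), subcatid
' is a Number column, maincat and subject are Text(255), article is Memo.
Const adInteger = 3, adVarWChar = 202, adLongVarWChar = 203
Const adParamInput = 1, adCmdText = 1, adExecuteNoRecords = 128

Dim re, subcatRaw, articleText, cmd

' Accept only 1-9 decimal digits so CLng cannot overflow or round.
subcatRaw = Trim(CStr(Request.Form("subcatid")))
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(subcatRaw) Then
    Response.Status = "400 Bad Request"
    Response.Write "subcatid must be a whole number"
    Response.End
End If

articleText = CStr(Request.Form("article"))

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' Access (Jet/ACE) binds ? placeholders by position, not by name.
cmd.CommandText = "INSERT INTO article (maincat, subcatid, subject, article) " & _
                  "VALUES (?, ?, ?, ?)"

With cmd.Parameters
    .Append cmd.CreateParameter("maincat", adVarWChar, adParamInput, 255, _
                                CStr(Request.Form("maincat")))
    .Append cmd.CreateParameter("subcatid", adInteger, adParamInput, , _
                                CLng(subcatRaw))
    .Append cmd.CreateParameter("subject", adVarWChar, adParamInput, 255, _
                                CStr(Request.Form("subject")))
    ' Memo parameters need an explicit size of at least 1.
    .Append cmd.CreateParameter("article", adLongVarWChar, adParamInput, _
                                Len(articleText) + 1, articleText)
End With

' Values travel as typed parameters, so a single quote in the subject or
' article is stored as data and the quotes() helper is no longer needed.
cmd.Execute , , adExecuteNoRecords
Set cmd = Nothing
%>
```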