Can someone please tell me what is wrong with this expression?

I use this to insert a few things into my table, and it keeps giving me this error:

    Microsoft VBScript compilation error '800a03ee'
    Expected ')'
    /thanks.asp, line 63

    Set rstSimple = cnnSimple.Execute ("insert into SALT (Email, Username, FirstName, LastName, ActivationCode) VALUES ('" Request.QueryString ("payer_email") & "', '" & Request.QueryString ("payer_email") & "','" & Request.QueryString ("first_name") & "','" & Request.QueryString ("last_name") & "','" & Request.QueryString ("hash") ")))
    -------------------------------------------------- -------------------------------------------------- ----------------- ^

This is the code I'm using:

Set rstSimple = cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode) VALUES ('"Request.QueryString("payer_email") & "', '" & Request.QueryString("payer_email") & "', '" & Request.QueryString("first_name") & "', '" & Request.QueryString("last_name") & "', '" & Request.QueryString("hash")"')) 

Can anyone help me out?

thanks

+1
4 answers

I would suggest breaking your code up as follows so that it becomes readable and understandable:

    Dim execSql
    execSql = "insert into SALT (Email, Username, FirstName, LastName, ActivationCode)"
    execSql = execSql & " VALUES ('"
    execSql = execSql & Request.QueryString("payer_email")
    execSql = execSql & "', '"
    execSql = execSql & Request.QueryString("payer_email")
    execSql = execSql & "', '"
    execSql = execSql & Request.QueryString("first_name")
    execSql = execSql & "', '"
    execSql = execSql & Request.QueryString("last_name")
    execSql = execSql & "', '"
    execSql = execSql & Request.QueryString("hash")
    execSql = execSql & "')"
    Set rstSimple = cnnSimple.Execute(execSql)

While typing this out, I removed the erroneous quotes from your string. It now becomes much more obvious where they are if you get a new error. In addition, code colouring makes it readable and makes an error easy to recognize (depending on which editor you use).


Edit: SQL Injection and Security

As mentioned earlier, your code is very susceptible to SQL injection attacks. Even if no attack is intended (e.g. dropping your database), it will fail when someone called d'Amour (French) or in 't Huys (Dutch) crashes your page. To get around this, do not try to filter the input, but rewrite it using an SQL command with parameters. It is easy; your code simply becomes the following:

    Set dbCommand = Server.CreateObject("ADODB.Command")
    Set dbCommand.ActiveConnection = cnnSimple
    dbCommand.CommandType = adCmdText
    ' ADO binds parameters by position: each ? is matched to the parameter appended in the same order.
    dbCommand.CommandText = _
        "INSERT INTO SALT (Email, Username, FirstName, LastName, ActivationCode) " & _
        "VALUES (?, ?, ?, ?, ?)"
    ' Parameters are created with CreateParameter and added with Parameters.Append;
    ' adVarChar needs an explicit size (255 here, adjust to your column widths).
    With dbCommand
        .Parameters.Append .CreateParameter("email", adVarChar, adParamInput, 255, Request.QueryString("payer_email"))
        .Parameters.Append .CreateParameter("user", adVarChar, adParamInput, 255, Request.QueryString("payer_email"))
        .Parameters.Append .CreateParameter("firstname", adVarChar, adParamInput, 255, Request.QueryString("first_name"))
        .Parameters.Append .CreateParameter("lastname", adVarChar, adParamInput, 255, Request.QueryString("last_name"))
        .Parameters.Append .CreateParameter("code", adVarChar, adParamInput, 255, Request.QueryString("hash"))
    End With
    Set rstSimple = dbCommand.Execute()

Note: make sure to download and include ADOVBS.INC, so you do not need to replace adVarChar, adParamInput, etc. with their numerical equivalents.

For more information, see this SO answer by José Basilio, or Google "SQL Injection ASP" or "SQL Prepared Statement Classic ASP"; that should find you some hits.

+3
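To see why the parameterized form matters, here is an added example (not from the answer above or the original page) that replays the d'Amour case in Python against an in-memory SQLite stand-in for the SALT table, since ADO itself cannot run offline; the table, the request values and the column sizes are constructed for the demonstration.

```python
import sqlite3

# Constructed sample values standing in for Request.QueryString(...) in the question.
SAMPLE_REQUEST = {
    "payer_email": "jean@example.com",
    "first_name": "Jean",
    "last_name": "d'Amour",  # the apostrophe that breaks a concatenated query
    "hash": "abc123",
}

INSERT_PARAMETERIZED = (
    "INSERT INTO SALT (Email, Username, FirstName, LastName, ActivationCode) "
    "VALUES (?, ?, ?, ?, ?)"
)


def new_db():
    """In-memory stand-in for the SALT table; column names match the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SALT (Email, Username, FirstName, LastName, ActivationCode)")
    return conn


def build_concatenated_sql(q):
    """The (syntax-corrected) string-building approach from the question."""
    return (
        "insert into SALT (Email, Username, FirstName, LastName, ActivationCode) VALUES ('"
        + q["payer_email"] + "', '" + q["payer_email"] + "', '" + q["first_name"]
        + "', '" + q["last_name"] + "', '" + q["hash"] + "')"
    )


def insert_concatenated(conn, q):
    """Run the concatenated statement; True on success, False if a pasted-in value broke the SQL."""
    try:
        conn.execute(build_concatenated_sql(q))
        return True
    except sqlite3.OperationalError:  # e.g. near "Amour": syntax error
        return False


def insert_parameterized(conn, q):
    """Equivalent of the ADODB.Command answer: the driver receives the values separately
    from the SQL text, so a quote inside a name is just data. Returns the stored LastName."""
    conn.execute(INSERT_PARAMETERIZED,
                 (q["payer_email"], q["payer_email"], q["first_name"], q["last_name"], q["hash"]))
    row = conn.execute("SELECT LastName FROM SALT WHERE Email = ?", (q["payer_email"],)).fetchone()
    return row[0]


if __name__ == "__main__":
    print("concatenated:", insert_concatenated(new_db(), SAMPLE_REQUEST))    # False
    print("parameterized:", insert_parameterized(new_db(), SAMPLE_REQUEST))  # d'Amour
```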

There is no & here:

 VALUES ('"Request.QueryString("payer_email") & "' 

it should be:

 VALUES ('" & Request.QueryString("payer_email") & "' 

And at the end of your statement you are also missing an & and a ":

 Request.QueryString("hash")"')) 

it should be:

 Request.QueryString("hash") & "')") 

Therefore, you can try the following statement:

 cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode) VALUES ('" & Request.QueryString("payer_email") & "', '" & Request.QueryString("payer_email") & "', '" & Request.QueryString("first_name") & "', '" & Request.QueryString("last_name") & "', '" & Request.QueryString("hash") & "')") 
0

There seems to be a syntax error related to your brackets. The two brackets at the end of this line look fishy.

0

Invalid ampersands and quotation marks may be the least of your problems.

It doesn't seem like you are sanitizing the strings in any way. Strings can contain single quotes that are not escaped. You are open to SQL injection because you are not using parameters.

0
