Using ASP and INSERT INTO -

Question

Using ASP and INSERT INTO -

I am trying to create a simple page that enters data into a database and my code is below.

<%@ LANGUAGE="VBSCRIPT" %>
<% Option Explicit %>
<!--#include FILE=dbcano.inc-->
<%

dim username,password,f_name,l_name,objConn,objs,query

username   = Request.Form("user")
password   = Request.Form("pass")
f_name     = Request.Form("fname")
l_name     = Request.Form("lname")

if((f_name <> null) or (f_name <> "")) then
    response.redirect("patti_account.asp")
else
    Set objConn = ConnectDB()
    query       = "INSERT INTO user (username,password,f_name,l_name) VALUES ('"& username &"','"& password &"','"& f_name &"','"& l_name &"')"
    Set objs    = objConn.Execute(query)

    Response.Redirect ("thankyou.asp")

end if

%>

I am getting this error when starting my page:

Microsoft OLE DB Provider for SQL Server Error "80040e14"

Incorrect syntax near the keyword 'User'.

create_account.asp, line 18

I have checked everything, my field names exist and my table name is correct as well.

Any suggestions?

0

sql vbscript ado asp-classic

Coughlin Dec 10. '08 at 20:32

source to share

3 answers

This is vulnerable to SQL Injection. Imagine what happens if someone includes this name:

');DROP Table [user];--

Fix that or I will personally track you down and beat you with wet noodles until you are done.

+2

Joel coehoorn Dec 10. '08 at 21:08

source to share

Try changing it to:

query       = "INSERT INTO [user] (username,password,f_name,l_name) VALUES ('"& username &"','"& password &"','"& f_name &"','"& l_name &"')"

(remove the table name as it is a reserved word)

Also, do not forget to validate your keyboard input as this code is susceptible to SQL injection attacks.

+1

Scott Isaacs Dec 10. 08:38 PM

source to share

M4N · Accepted Answer · 2008-12-10T20:36:13+0000

User is a reserved word on the SQL server. Place it in square brackets, for example. [user] .

Using ASP and INSERT INTO -

More articles: