Incorrect syntax near ','.

20 Aug 2008 16:04:29 Shane Robinson posted:
Hi everyone,

I'm getting the following error message:

Microsoft OLE DB Provider for SQL Server error '80040e14'

Incorrect syntax near ','.

This is my SQL code:

"SELECT * FROM dbo.products WHERE category_name='lcd tv' OR category_name='televisions' OR category_name='plasma tv' ORDER BY " & Request.QueryString("SortField") & ", " & Request.QueryString("SortOrder")

Any help will be appreciated, thank you.

Replies

20 Aug 2008 20:19:49 Georgi Kralev replied:
Hi Shane,

Make sure that SortField and SortOrder have the appropriate values (for example, that they are NOT empty and do not begin with a number or a non-alphanumeric character).

To do that, you can print the ready SQL statement on your page and make sure that it is a correct one. For example:
Response.Write "SELECT * FROM dbo.products WHERE category_name='lcd tv' OR category_name='televisions' OR category_name='plasma tv' ORDER BY " & Request.QueryString("SortField") & ", " & Request.QueryString("SortOrder")

Hope this helps,

Regards,

Georgi Kralev

Homepage: gdkralev.googlepages.com
21 Aug 2008 11:57:41 Shane Robinson replied:
Thank you for your reply. I was still getting the error, but I have now re-written the code as below:

"SELECT * FROM dbo.products WHERE category_name='lcd tv' OR category_name='televisions' OR category_name='plasma tv' " & Request.Form("SortField")

<form action="delete2.asp" method="post">
Sort by:
<select name="SortField">
<option>ORDER BY display_price ASC</option>
<option>ORDER BY display_price DESC</option>
</select>
<input type="submit" name="SortButton" value="Select">

</form>
The problem I'm having now is that I'm limiting the number of records displayed on a page, and when I click to go to the next 10 records the sort order is not being passed.

Any ideas how I can get round this?

Thank you.
22 Aug 2008 20:14:07 Georgi Kralev replied:
Hi Shane,

There are different ways to pass the sort information. For example, you can store the SortField value in the session, or pass it in the URL.
The solution depends entirely on your choice and requirements.

Note:
Keep in mind that your code is vulnerable to SQL injection attacks. For example, if someone sends a POST request to your page and passes ORDER BY display_price ASC;DROP TABLE dbo.products in SortField, it will delete your products table.

The same is true of your initial code (for example, if the following is passed in SortOrder, the effect will be the same):
ASC;DROP TABLE dbo.products

My suggestion is to take the necessary measures to secure your code.

Regards,

Georgi Kralev

Homepage: gdkralev.googlepages.com
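A whitelist-based rewrite of the ORDER BY handling, as an added example that is not Shane's or Georgi's code. It assumes the sort parameters arrive in the query string (one of the options Georgi mentions), an assumed product_name column, and an assumed page parameter for the "next 10 records" link; the user's input only selects an entry from a fixed list and is never copied into the SQL text.

```vbscript
<%
Option Explicit
' Added example, not code from the thread: map the requested sort key to a
' whitelisted column; anything not on the list gives "" (caller applies a default).
Function SortColumnFor(sortKey)
    Select Case LCase(Trim(sortKey & ""))   ' & "" turns Empty/Null into ""
        Case "price"
            SortColumnFor = "display_price"
        Case "name"
            SortColumnFor = "product_name"   ' assumed column name
        Case Else
            SortColumnFor = ""
    End Select
End Function

' Only the two literal keywords are ever emitted for the direction.
Function SortDirectionFor(sortOrder)
    If UCase(Trim(sortOrder & "")) = "DESC" Then
        SortDirectionFor = "DESC"
    Else
        SortDirectionFor = "ASC"
    End If
End Function

Dim sortKey, sortColumn, sortDir, sql, page, nextLink
sortKey = LCase(Trim(Request.QueryString("SortField") & ""))
sortColumn = SortColumnFor(sortKey)
If sortColumn = "" Then          ' unknown or empty -> safe default
    sortKey = "price"
    sortColumn = "display_price"
End If
sortDir = SortDirectionFor(Request.QueryString("SortOrder"))

' The category filter stays a fixed literal; a user-supplied category would
' belong in an ADODB.Command parameter, not in string concatenation.
sql = "SELECT * FROM dbo.products " & _
      "WHERE category_name IN ('lcd tv','televisions','plasma tv') " & _
      "ORDER BY " & sortColumn & " " & sortDir
' "ASC;DROP TABLE dbo.products" in SortOrder collapses to "ASC" here.

' Carry the validated sort through the paging link (page parameter assumed).
If IsNumeric(Request.QueryString("page")) Then
    page = CLng(Request.QueryString("page"))
Else
    page = 1
End If
nextLink = "delete2.asp?page=" & (page + 1) & _
           "&SortField=" & Server.URLEncode(sortKey) & _
           "&SortOrder=" & Server.URLEncode(sortDir)
%>
```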
