UPDATE - 0x80040E14
11 Sep 2006 05:00:34 Kelly Bell posted:
This is driving me crazy with this one. Can someone help me out please.
Error:
Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression ''The 70's Show',ProfileFavouriteBook= '',ProfileFavouriteMusic= '',ProfileFavouritePlace= '',ProfileDisplayAge= 'y' where UserName = 'andrew''.
The Script I wrote:
' Read the form fields; DisplayAge is normalised to "y" or "n"
IF Request.Form("DisplayAge") = "" THEN strShowAge = "n"
IF Request.Form("DisplayAge") = "y" THEN strShowAge = "y"
ProfileMaritalStatus = Request.Form("ProfileMaritalStatus")
ProfileAboutMe = Request.Form("ProfileAboutMe")
ProfileOccupation = Request.Form("ProfileOccupation")
ProfileFavouriteQuote = Request.Form("ProfileFavouriteQuote")
ProfileFavouriteMovie = Request.Form("ProfileFavouriteMovie")
ProfileFavouriteTVShow = Request.Form("ProfileFavouriteTVShow")
ProfileFavouriteBook = Request.Form("ProfileFavouriteBook")
ProfileFavouriteMusic = Request.Form("ProfileFavouriteMusic")
ProfileFavouritePlace = Request.Form("ProfileFavouritePlace")
' Build the UPDATE by splicing the raw values into quoted literals;
' an apostrophe inside a value (The 70's Show) closes the literal early,
' which is what produces the 0x80040E14 syntax error shown above
sql = "Update Users Set "
sql = sql & "ProfileMaritalStatus= '" & ProfileMaritalStatus & "',"
sql = sql & "ProfileAboutMe= '" & ProfileAboutMe & "',"
sql = sql & "ProfileOccupation= '" & ProfileOccupation & "',"
sql = sql & "ProfileFavouriteQuote= '" & ProfileFavouriteQuote & "',"
' was StrProfileFavouriteMovie, an undeclared name that always came out empty
sql = sql & "ProfileFavouriteMovie= '" & ProfileFavouriteMovie & "',"
sql = sql & "ProfileFavouriteTVShow= '" & ProfileFavouriteTVShow & "',"
sql = sql & "ProfileFavouriteBook= '" & ProfileFavouriteBook & "',"
sql = sql & "ProfileFavouriteMusic= '" & ProfileFavouriteMusic & "',"
sql = sql & "ProfileFavouritePlace= '" & ProfileFavouritePlace & "',"
sql = sql & "ProfileDisplayAge= '" & strShowAge & "'"
sql = sql & " where "
sql = sql & "UserName = '" & Session("UserID") & "'"
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open ConnOpenUsers
Conn.Execute sql
Conn.Close
' release the connection object (the original released RS, which this script never opened)
Set Conn = Nothing
CAN ANYONE HELP ME PLEASE!!!
Thank You.
Replies
11 Sep 2006 05:02:56 Kelly Bell replied:
Back again... Every time I put in an apostrophe (The 70's Show) it always comes up with an error.
Can anyone tell me the shortcut to this?
11 Sep 2006 11:10:29 Patrick Woldberg replied:
Use the following on all inputs:
ProfileMaritalStatus = Replace(Request.Form("ProfileMaritalStatus"), "'", "''")
When you don't escape the apostrophe, users could use SQL injection to read your database or even delete it.
--------------------------------------------------
Patrick Woldberg
Web Developer at Dynamic Zones
Administrator at DMXzone.com, FLzone.net, FWzone.net and DNzone.com
--------------------------------------------------
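A worked version of the fix from the reply above, added here as an example and not code from the thread: a SqlQuote helper that doubles apostrophes the way the Replace call does (so "The 70's Show" is stored with its apostrophe intact), plus a parameterised ADODB.Command as an added alternative, not suggested in the thread, that keeps user text out of the SQL string entirely. It assumes the Users table, ConnOpenUsers and Session("UserID") from the first post; SqlQuote and the Sub names are made up for this example.

```vbscript
<%
' Added example, not the thread's own code. Uses ConnOpenUsers, the Users
' table and Session("UserID") from the first post; SqlQuote and the Sub names
' are assumed names for this example.

' Wrap a value as a SQL string literal, doubling every apostrophe (the
' Replace from the reply above). "The 70's Show" becomes 'The 70''s Show'
' in the SQL text only; the database still stores a single apostrophe.
Function SqlQuote(value)
    SqlQuote = "'" & Replace(value & "", "'", "''") & "'"
End Function

' Technique 1: inline SQL built only through SqlQuote, never from raw text.
Sub UpdateTvShowEscaped(Conn)
    Dim sql
    sql = "UPDATE Users SET ProfileFavouriteTVShow = " & _
          SqlQuote(Request.Form("ProfileFavouriteTVShow")) & _
          " WHERE UserName = " & SqlQuote(Session("UserID"))
    Conn.Execute sql
End Sub

' Technique 2 (added alternative, not from the thread): bind the values as
' parameters, so the driver never has to parse user text as SQL at all.
Const adVarChar = 200
Const adParamInput = 1

Sub UpdateTvShowParameterised(Conn)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandText = "UPDATE Users SET ProfileFavouriteTVShow = ? WHERE UserName = ?"
    cmd.Parameters.Append cmd.CreateParameter("tvshow", adVarChar, adParamInput, 255, _
                                              Request.Form("ProfileFavouriteTVShow") & "")
    cmd.Parameters.Append cmd.CreateParameter("user", adVarChar, adParamInput, 50, _
                                              Session("UserID") & "")
    cmd.Execute
End Sub

Dim Conn
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open ConnOpenUsers
UpdateTvShowParameterised Conn   ' or UpdateTvShowEscaped Conn; either one alone is enough
Conn.Close
Set Conn = Nothing
%>
```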
13 Sep 2006 14:41:58 Kelly Bell replied:
Thanks Patrick.
Yes, I know that, but I want to keep the apostrophe when people submit the form.
Cheers
13 Sep 2006 14:43:55 Kelly Bell replied:
' " ' "
13 Sep 2006 14:50:44 Kelly Bell replied:
It works... Thanks mate...