<html>
<title>Test</title>
<body bgcolor="FFFFFF">

<%
sort = CStr(Request("sort"))
search = CStr(Request("search"))
Set conn = Server.CreateObject("ADODB.Connection")
conn.open "Provider=SQLOLEDB.1;Password=123;Persist Security Info=True;User   ID=sa;Initial Catalog=asdf;Data Source=WIN-123"

Set rs = Server.CreateObject("ADODB.Recordset")
If sort = "ascending" Then
SQL = "select top 50 * from asdf order by Name"
ElseIf (search Is Not Nothing)
SQL = "select * from asdf WHERE name = '" & search & "'"
Else
SQL = "select top 50 * from asdf"
End If
rs.open SQL, conn
%>
<center><form action="index.asp">
Search Name:<input name="search" /><input type="submit" value="Submit" />
</form></center>

I'm getting an error on my

Else If (search Is Not Nothing)

line; from what I can tell it should work. And of course I also cannot, for some reason, browse my site on my server to see what the actual error is.

  • Do not use string concatenation to include parameters. Use parameterized queries instead. You probably want to avoid using the "sa" user logon on SQL Server too. Currently your code could expose your site and network to all manner of malicious attacks. Search "SQL Injection". Commented Aug 24, 2012 at 9:18

1 Answer

Tested on my IIS 5, without Option Explicit, when you use

search=CStr(Request("search"))

your search has been initialized to a string (VarType: 8).

So even if search is "empty", you cannot use IsEmpty or a similar function/statement to see if it's empty. Use

ElseIf search<>"" Then

directly.

Also, remember to sanitize your SQL queries...


3 Comments

"sanitize your SQL queries" what does that mean? How is it done?
@AnthonyWJones It simply means "avoid SQL injections and stuffs".
AnthonyWJones I used a regex with an alphanumeric pattern and a regex.replace on my input variables. Here is what I used: 4guysfromrolla.com/ASPScripts/…
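The "sanitize your SQL queries" advice in the answer and the earlier comment's recommendation of parameterized queries, shown as an added example that is not code from the question or the answer: the same name lookup written with ADODB.Command so the input is bound as a parameter rather than concatenated into the SQL text. The connection string, the web_reader login and the 100-character size for the Name column are assumptions; the table and column names are the ones from the question.

```vbscript
<%
' Added example (not from the question or answer): the search from the
' question with the user input bound as a parameter via ADODB.Command.
' The connection string is a placeholder; "asdf" and "Name" are the
' table and column used in the question.
Option Explicit
Dim search, conn, cmd, rs, SQL

search = CStr(Request("search"))

Set conn = Server.CreateObject("ADODB.Connection")
' Placeholder login: a low-privilege reader, not sa, with the password
' kept out of the page (e.g. in a config file with restricted permissions).
conn.Open "Provider=SQLOLEDB.1;Data Source=DB_SERVER;Initial Catalog=asdf;User ID=web_reader;Password=PLACEHOLDER"

If search <> "" Then
    ' The ? marker is bound below. The value travels separately from the
    ' SQL text, so a quote or semicolon in the input cannot alter the query.
    SQL = "SELECT TOP 50 * FROM asdf WHERE Name = ?"
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = SQL
    cmd.CommandType = 1 ' adCmdText
    ' adVarWChar = 202, adParamInput = 1; size 100 is an assumed column width
    cmd.Parameters.Append cmd.CreateParameter("@name", 202, 1, 100, search)
    Set rs = cmd.Execute
Else
    ' No user input in this branch, so a plain statement is fine
    SQL = "SELECT TOP 50 * FROM asdf ORDER BY Name"
    Set rs = conn.Execute(SQL)
End If

' Encode on output as well; a stored value may contain markup
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("Name") & "") & "<br />"
    rs.MoveNext
Loop

rs.Close
conn.Close
%>
```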
