Getting this error when trying to add a new group using the information entered by the user.

Microsoft Access Database Engine error '80040e14'

Syntax error in INSERT INTO statement.

/student/s0190204/wip/group-add.asp, line 79

This is the SQL; the session is getting the ID of the user logged in.

sql_comd="INSERT INTO group (grp_USERID, grp_name, grp_caption, grp_content, grp_DATECREATED, grp_OPEN) VALUES('" &_
session("usr_ID") & "','" & _
request("grp_name") & "','" & _
request("grp_caption") & "','" & _
request("grp_content") & "','" & _
date & "','" & _
request("grp_open") & "')"

Thanks

7
  • 2
    Did you try the solution offered on your other question? Commented Dec 30, 2013 at 18:11
  • 2
    Is it possible that one of the variables you are putting in the query contains an apostrophe? This would cause an error. Commented Dec 30, 2013 at 18:12
  • 4
    This will be vulnerable to sql injection attacks. It's practically begging to get hacked. Commented Dec 30, 2013 at 18:12
  • 2
    What does response.write( sql_comd ) show? Commented Dec 30, 2013 at 18:12
  • 2
    Did you try printing out your sql_comd string value to see the completely formatted statement? Commented Dec 30, 2013 at 18:12

1 Answer

I suggest you trace this through, and post the output string that you're passing directly to SQL. Just put a breakpoint in there right as the string is created and check it out.

There's not much wrong with this code, per se, but you haven't made sure that your input strings are clean. It's probable that they have a quotation mark in them or the date isn't in the proper string format and so on.

Additionally, note that this query is highly susceptible to query injection because it seems to stuff input directly from the request through to the database.

Oh, and your 'INSERT INTO' needs Group in [] (like [Group]). And your dates should probably be DateTimes instead of strings (if this works with just the brackets). See my note on your other question. (And avoid using these (http://technet.microsoft.com/en-us/library/ms189822.aspx) in your schema.)

And you can set the 'default' of the date to '=GetDate()' instead of passing it through from the C# side, which I personally prefer.
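
As an added example (not code from the question or the answer), here is the same insert written with a parameterized ADODB.Command, which covers the three points raised above: the reserved table name is bracketed, an apostrophe in the input cannot end the string literal, and request data is never concatenated into the SQL text. It assumes `conn` is an already-open ADODB.Connection, that grp_USERID is numeric, grp_DATECREATED is Date/Time, grp_OPEN is Yes/No, grp_content is a Memo column, and that the form sends "1" for an open group.

```vbscript
<%
' Added example. Assumptions: "conn" is an open ADODB.Connection to the Access
' database; column types and sizes below are guesses about the schema.
Const adCmdText = 1, adExecuteNoRecords = 128, adParamInput = 1
Const adInteger = 3, adDate = 7, adBoolean = 11
Const adVarWChar = 202, adLongVarWChar = 203

' Refuse the request when nobody is logged in instead of inserting user 0.
If IsEmpty(Session("usr_ID")) Then
    Response.Status = "403 Forbidden"
    Response.End
End If

Dim cmd, grpName, grpCaption, grpContent, grpOpen
grpName    = Left(Request("grp_name"), 255)     ' Access Text fields hold up to 255 chars
grpCaption = Left(Request("grp_caption"), 255)
grpContent = CStr(Request("grp_content"))
grpOpen    = (CStr(Request("grp_open")) = "1")  ' assumed form value for "open"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText

' GROUP is a reserved word, so the table name goes in brackets.
' Each ? is a positional placeholder; values are bound below and are
' never parsed as SQL, so quotes in the input are stored as plain data.
cmd.CommandText = "INSERT INTO [group] (grp_USERID, grp_name, grp_caption, " & _
    "grp_content, grp_DATECREATED, grp_OPEN) VALUES (?, ?, ?, ?, ?, ?)"

' Parameters must be appended in the same order as the placeholders.
With cmd.Parameters
    .Append cmd.CreateParameter("usr",     adInteger,      adParamInput, , CLng(Session("usr_ID")))
    .Append cmd.CreateParameter("name",    adVarWChar,     adParamInput, 255, grpName)
    .Append cmd.CreateParameter("caption", adVarWChar,     adParamInput, 255, grpCaption)
    .Append cmd.CreateParameter("content", adLongVarWChar, adParamInput, Len(grpContent) + 1, grpContent)
    .Append cmd.CreateParameter("created", adDate,         adParamInput, , Now())
    .Append cmd.CreateParameter("isopen",  adBoolean,      adParamInput, , grpOpen)
End With

' adExecuteNoRecords: an INSERT returns no rows, so skip building a recordset.
cmd.Execute , , adExecuteNoRecords
Set cmd = Nothing
%>
```

The date is passed as a typed value rather than a string, so regional date formatting on the server does not affect what is stored.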
