-1

I am creating a website with classic ASP on the backend. The form on the frontend submits to the Classic ASP page on the backend just fine. I am also able to connect to the database just fine. (I have tested both of these.)

The problem occurs when I try and add the form inputs into the database table. (form method is POST).

Here is what I am trying to do -

conn.Execute "insert into table1(firstn, lastn, dato, scene) values (fn, ln, sd, sce)"

table1 exists with firstn, lastn, dato, and scene as its columns. conn and the fn, sd, ln, sd, and sce variables have been declared and initialized correctly.

However, I am still getting an "Invalid column name fn" error. Why is that?

How can I fix this error?

10
  • Each string value must be surrounded with single quotes - or better yet, use a prepared statement. Voting to close this as a typo. Commented Jun 17, 2020 at 23:47
  • fn refers to a column with the way you've expressed it here. Do you mean the variable fn? Commented Jun 17, 2020 at 23:48
  • Do this with prepared statements and placeholder values, then bind the data when executing. Commented Jun 17, 2020 at 23:48
  • 2
    You won't be able to add your form values like that, instead use an ADODB.Command object to execute a parameterised query. Commented Jun 18, 2020 at 0:23
  • 2
    @June7 "if SQL injection is a concern, use parameters"?? There's no "if" just don't do it. There is no scenario where suggesting there is an alternative is viable. Commented Jun 18, 2020 at 0:26

1 Answer

0

Try to use:

conn.Execute "insert into table1(firstn, lastn, dato, scene) values (" &fn& ", " &ln& ", " &sd& ", " &sce& ")"

So you will input fn, ln, sd and sce as variables and not content into your query.


4 Comments

firstn, lastn are most likely strings i.e. your example will give an error as strings should be enclosed with a single quote '
No user2316116, he did not specify the type of the variable or column.
It doesn't mean it makes your answer correct. 1) you suggested a way to make the code vulnerable to SQL injections 2) it will not work for values other than numeric values
The question is not about how to prevent SQL injections but about why it isn't working
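
The parameterised ADODB.Command approach recommended in the comments, as an added example that is not code from the question or the answer. It assumes SQL Server through OLE DB, that firstn, lastn and scene are nvarchar(50) columns and dato is a date column, that the form fields carry the column names, and a placeholder connection string; none of these are stated on the page.

```vbscript
' Body of a server-side <% ... %> block in the ASP page that receives the POST.
Option Explicit

' ADO constants (values from adovbs.inc)
Const adCmdText = 1, adParamInput = 1
Const adVarWChar = 202, adDBTimeStamp = 135
Const adExecuteNoRecords = 128

Dim conn, cmd, fn, ln, sd, sce

' Form field names are assumptions; use the names from your own form.
fn  = Trim(Request.Form("firstn"))
ln  = Trim(Request.Form("lastn"))
sd  = Trim(Request.Form("dato"))
sce = Trim(Request.Form("scene"))

' Reject input that does not fit the assumed column types before touching the database.
If Len(fn) = 0 Or Len(fn) > 50 Or Len(ln) = 0 Or Len(ln) > 50 _
   Or Len(sce) > 50 Or Not IsDate(sd) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid form data."
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "PLACEHOLDER_CONNECTION_STRING" ' assumption: replace with your own

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? markers are placeholders, so the values are never parsed as SQL text.
' That removes both the "Invalid column name fn" error and the quoting problem.
cmd.CommandText = "INSERT INTO table1 (firstn, lastn, dato, scene) VALUES (?, ?, ?, ?)"

' Parameters bind by position, in the order they are appended.
cmd.Parameters.Append cmd.CreateParameter("firstn", adVarWChar, adParamInput, 50, fn)
cmd.Parameters.Append cmd.CreateParameter("lastn", adVarWChar, adParamInput, 50, ln)
cmd.Parameters.Append cmd.CreateParameter("dato", adDBTimeStamp, adParamInput, , CDate(sd))
cmd.Parameters.Append cmd.CreateParameter("scene", adVarWChar, adParamInput, 50, sce)

cmd.Execute , , adExecuteNoRecords ' INSERT returns no rows

Set cmd = Nothing
conn.Close
Set conn = Nothing
```

A value such as O'Brien or one containing SQL keywords is stored as literal data with this form, whereas the concatenated string would either fail to parse or run the embedded SQL.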
