replace query string with post method

eddie wang

I try to replace the following STATEMENT ONE with STATEMENT TWO. But it
doesn't work. How to make it work??? Thanks.

STATEMENT ONE:
<td colspan="10" align="center"><a
href="ExcelExport.asp?noIncludes=yes&sqlStr=<%=replace(Server.URLEncode(
strSQl),"'","`")%>"><img src='images/excel.gif' border='0' alt='Export
to Excel'></a></td>

STATEMENT TWO:
<FORM NAME='formname' METHOD=POST ACTION='ExcelExport.asp'
<INPUT TYPE='Hidden' NAME='strSQL' VALUE='" &
replace(Server.URLEncode(strSQl) & "'>
<tr><td BGCOLOR=E4E4E4 ID='bodytext' COLSPAN='8' align='center'><input
TYPE=SUBMIT value='export'></td></tr>
</form>
 
Ray at

What "doesn't work" about it? Do you get an error?
You have all kinds of syntax issues there. Is this in a response.write?
Where are the quotes? What's going on here?


Try:
%>

<FORM NAME="formname" METHOD="POST" ACTION="ExcelExport.asp">
<INPUT TYPE="Hidden" NAME="strSQL"
VALUE="<%=replace(Server.URLEncode(strSQl), "'", "''")%>">


BUT, what are you doing here? Why are you putting SQL in a form input? I
could go create a form like this and post it to your site:

<form action="http://yoursite.com/excelexport.asp" method="post">
<input name="strSQL" value="DROP TABLE
TheNameOfTheTableThatISawInAViewSSource">

Ray at work
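
Added example (not code from either poster): moving the SQL from the query string to a hidden POST field does not change who controls it, so this sketch of ExcelExport.asp accepts only a report key and a year, looks the SQL up in a server-side allowlist, and binds the year as a parameter. The report keys, table and column names, the `year` field and `Application("ConnStr")` are hypothetical.

```asp
<%
Option Explicit
' Added example: the browser posts a report key and a year, never SQL text.
' Report keys, table/column names and Application("ConnStr") are hypothetical.
Const adCmdText = 1, adInteger = 3, adParamInput = 1
Dim reports, key, yr, re, conn, cmd, rs, f

' Allowlist: the only statements this page will ever run live on the server.
Set reports = Server.CreateObject("Scripting.Dictionary")
reports.Add "orders", "SELECT OrderID, OrderDate, Total FROM Orders WHERE OrderYear = ?"
reports.Add "invoices", "SELECT InvoiceID, DueDate, Amount FROM Invoices WHERE InvoiceYear = ?"
key = LCase(Trim(Request.Form("report") & ""))

' Validate the one user-supplied value; reject anything that is not 4 digits.
Set re = New RegExp
re.Pattern = "^\d{4}$"
yr = Trim(Request.Form("year") & "")
If Not reports.Exists(key) Or Not re.Test(yr) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnStr")
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = reports(key)
' Bound as a typed parameter, so the value is never concatenated into the SQL.
cmd.Parameters.Append cmd.CreateParameter("yr", adInteger, adParamInput, , CLng(yr))
Set rs = cmd.Execute

Response.ContentType = "application/vnd.ms-excel"
Response.AddHeader "Content-Disposition", "attachment; filename=" & key & ".xls"
Response.Write "<table><tr>"
For Each f In rs.Fields
    Response.Write "<th>" & Server.HTMLEncode(f.Name) & "</th>"
Next
Response.Write "</tr>"
Do Until rs.EOF
    Response.Write "<tr>"
    For Each f In rs.Fields
        Response.Write "<td>" & Server.HTMLEncode(f.Value & "") & "</td>"
    Next
    Response.Write "</tr>"
    rs.MoveNext
Loop
Response.Write "</table>"
rs.Close : conn.Close
%>
```

The calling page then needs only `<input type="hidden" name="report" value="orders">` and a `year` field in its form, so a forged POST can choose between the listed reports but cannot supply a statement of its own.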
 
