SQL WHERE command and IF

gjoneshtfc

Hello

I have two menus where the user chooses the make and model of a car.
After submitting, a results page shows depending on their inputs. My
SQL is currently:

SELECT *
FROM MainTable
WHERE [model] = '" & chosenmodel & "'
ORDER BY Price DESC

I now want to introduce an option where they can search for any model
of a selected make, whilst still giving the option of searching by a
specific model. What I need is something like:

IF chosenmodel = "Any"
SELECT *
FROM MainTable
WHERE [make] = '" & chosenmake & "'
ORDER BY Price DESC

ELSE
SELECT *
FROM MainTable
WHERE [model] = '" & chosenmodel & "'
ORDER BY Price DESC

Unfortunately I have no idea how I can put this into SQL code as I am
new to the language. My searching for an answer so far has only led
me to using AND and OR as part of the WHERE command. However, this will
not work for what I want to do. Please can anyone help me?!

Thanks for your time,
Gareth
 
Bob Barrows [MVP]

> Hello
>
> I have two menus where the user chooses the make and model of a car.
> After submitting, a results page shows depending on their inputs. My
> SQL is currently:
>
> SELECT *

Nothing to do with your problem, but:
http://www.aspfaq.com/show.asp?id=2096

> FROM MainTable
> WHERE [model] = '" & chosenmodel & "'
> ORDER BY Price DESC

Your use of dynamic SQL is leaving you vulnerable to hackers using SQL
injection:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23

See here for a better, more secure way to execute your queries by using
parameter markers:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

> I now want to introduce an option where they can search for any model
> of a selected make, whilst still giving the option of searching by a
> specific model. What I need is something like:
>
> IF chosenmodel = "Any"
> SELECT *
> FROM MainTable
> WHERE [make] = '" & chosenmake & "'
> ORDER BY Price DESC
>
> ELSE
> SELECT *
> FROM MainTable
> WHERE [model] = '" & chosenmodel & "'
> ORDER BY Price DESC
>
> Unfortunately I have no idea how I can put this into SQL code as I am
> new to the language. My searching for an answer so far has only led
> me to using AND and OR as part of the WHERE command. However, this
> will not work for what I want to do. Please can anyone help me?!

What database (type and version, please) are you using? In the future,
please provide this information upfront: it is almost always relevant.

Bob Barrows
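
Added example, not part of the original thread: the thread's concatenated query beside a version that uses parameter markers, with the "Any" branch chosen in application code. It uses Python's built-in sqlite3 as a stand-in for the ASP/ADO code; the sample rows and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample rows standing in for the thread's MainTable.
ROWS = [("Ford", "Focus", 9000), ("Ford", "Fiesta", 7000),
        ("Audi", "A4", 15000), ("Kia", "Cee'd", 8000)]
COLS = "SELECT [make], [model], Price FROM MainTable "

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MainTable ([make] TEXT, [model] TEXT, Price INTEGER)")
    conn.executemany("INSERT INTO MainTable VALUES (?, ?, ?)", ROWS)
    return conn

def search_concat(conn, chosenmodel):
    """The thread's pattern: form input spliced into the SQL text."""
    sql = COLS + "WHERE [model] = '" + chosenmodel + "' ORDER BY Price DESC"
    return conn.execute(sql).fetchall()

def search_params(conn, chosenmake, chosenmodel):
    """Pick the WHERE clause in application code; send values as parameters."""
    if chosenmodel == "Any":
        sql, args = COLS + "WHERE [make] = ? ORDER BY Price DESC", (chosenmake,)
    else:
        sql, args = COLS + "WHERE [model] = ? ORDER BY Price DESC", (chosenmodel,)
    return conn.execute(sql, args).fetchall()

def concat_breaks_on_quote(conn, chosenmodel):
    """True if the concatenated query fails to parse for this input."""
    try:
        search_concat(conn, chosenmodel)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    conn = open_db()
    altered = "x' OR '1'='1"  # constructed input whose quote changes the WHERE clause
    print(len(search_concat(conn, altered)))       # filter bypassed: all rows
    print(search_params(conn, "Ford", altered))    # treated as a model name: no rows
    print(concat_breaks_on_quote(conn, "Cee'd"))   # legitimate name breaks the SQL
    print(search_params(conn, "Kia", "Cee'd"))     # parameter handles it
    print(search_params(conn, "Ford", "Any"))      # all Fords, priciest first
```

Only the choice between two fixed SQL strings depends on the form input; the input itself never becomes part of the SQL text.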
 
gjoneshtfc

Thanks Bob,

Whilst waiting for a reply I have been messing around and have managed
to solve my problem using ASP IF and Else to set the recordset. Thanks
for the reply and I will be sure to look into your suggestions to make
my coding more secure.

Thanks again,
Gareth

