troubles with INSERT


shank

Can anyone see anything wrong with this INSERT code? It doesn't INSERT and I
get the following error when I try to submit data...

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]The name 'Sammy' is not
permitted in this context. Only constants, expressions, or variables allowed
here. Column names are not permitted.
Line 20

I was using the name Sammy in the fname form field.

<%
varFname = Request("fname")
varEmail = Request("email")
varCountry = Request("country")
varOrderno = Request("orderno")
varPrice = Request("price")
varComments = Request("comments")
%>
<%
Dim DataConn, SQL
Set DataConn = Server.CreateObject("ADODB.Connection")
DataConn.Open SQL_STRING
SQL = "INSERT INTO IntCC ([Fname], , [Country], [OrderNo], [Price], [Comments]) "
SQL = SQL & "VALUES (" & varFname & ", " & varEmail & ", " & varCountry & ", " & varOrderno & ", " & varPrice & ", " & varComments & ") "
DataConn.Execute(SQL) <-- This is Line 20
%>
 

Aaron Bertrand - MVP

You need to denote string values with string delimiters.

sql = "INSERT ... VALUES('" & varFName & "', ...")

Also, beware of SQL injection! Replace ' with '' in all your strings that
come from anywhere if you're going to build dynamic SQL strings instead of
stored procedures.

To see why, create a table called foo with 10 rows of data, then hit your
page this way:

http://yourserver/yourfile.asp?fname='');DELETE+foo;--

Hint: use stored procedures.
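As an added example (it is not part of the thread and not Aaron's code), here is the poster's INSERT written the two ways the answer describes: first as dynamic SQL with delimited, doubled-quote strings, then as a parameterised ADODB.Command, which is the route that keeps user input out of the statement text entirely. It assumes an [Email] column (the column list in the question has a blank where that name would go), that Price is a money column, that SQL_STRING holds a valid connection string, and the parameter sizes are placeholders to adjust to the real table.

```vbscript
<%
' Added example, not from the original thread. Assumed schema: IntCC has the
' columns Fname, Email, Country, OrderNo, Price (money) and Comments.
Option Explicit

' 1) Minimal fix for dynamic SQL: wrap the value in single quotes and double
'    any quote that came from the user, exactly as the answer describes.
'    (s & "" turns a Null from a missing form field into an empty string.)
Function SqlQuote(s)
    SqlQuote = "'" & Replace(s & "", "'", "''") & "'"
End Function

Dim varFname, varEmail, varCountry, varOrderno, varPrice, varComments
varFname    = Request.Form("fname")
varEmail    = Request.Form("email")
varCountry  = Request.Form("country")
varOrderno  = Request.Form("orderno")
varPrice    = Request.Form("price")
varComments = Request.Form("comments")

' Price is numeric, so it is validated rather than quoted: a value that is
' not a number never reaches the statement.
If Not IsNumeric(varPrice) Then
    Response.Write "Price must be a number."
    Response.End
End If

Dim DataConn
Set DataConn = Server.CreateObject("ADODB.Connection")
DataConn.Open SQL_STRING

' Dynamic SQL with every string delimited and escaped. This works, but it
' leaves you responsible for escaping on every page that builds SQL.
Dim SQL
SQL = "INSERT INTO IntCC ([Fname], [Email], [Country], [OrderNo], [Price], [Comments]) "
SQL = SQL & "VALUES (" & SqlQuote(varFname) & ", " & SqlQuote(varEmail) & ", " & _
      SqlQuote(varCountry) & ", " & SqlQuote(varOrderno) & ", " & _
      CDbl(varPrice) & ", " & SqlQuote(varComments) & ")"
' DataConn.Execute SQL

' 2) Preferred: a parameterised command. The values are sent separately from
'    the statement, so a quote (or a ; DELETE) inside fname is just data.
' ADO constant values as defined in adovbs.inc.
Const adCmdText = 1, adParamInput = 1, adVarChar = 200, adCurrency = 6
Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = DataConn
cmd.CommandType = adCmdText
cmd.CommandText = "INSERT INTO IntCC ([Fname], [Email], [Country], [OrderNo], [Price], [Comments]) " & _
                  "VALUES (?, ?, ?, ?, ?, ?)"
' CreateParameter(Name, Type, Direction, Size, Value); sizes are placeholders.
cmd.Parameters.Append cmd.CreateParameter("Fname",    adVarChar,  adParamInput, 50,  varFname)
cmd.Parameters.Append cmd.CreateParameter("Email",    adVarChar,  adParamInput, 100, varEmail)
cmd.Parameters.Append cmd.CreateParameter("Country",  adVarChar,  adParamInput, 50,  varCountry)
cmd.Parameters.Append cmd.CreateParameter("OrderNo",  adVarChar,  adParamInput, 20,  varOrderno)
cmd.Parameters.Append cmd.CreateParameter("Price",    adCurrency, adParamInput, 0,   CCur(varPrice))
cmd.Parameters.Append cmd.CreateParameter("Comments", adVarChar,  adParamInput, 500, varComments)
cmd.Execute

DataConn.Close
Set cmd = Nothing
Set DataConn = Nothing
%>
```

The same ADODB.Command object takes the stored-procedure route the answer recommends: set CommandType to adCmdStoredProc (4), put the procedure name in CommandText, and append the parameters in the same way; the page then contains no SQL text at all.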
 
