Update SQL Statement


poloarun
I am creating some question sites in ASP, filling in the answers in a table on SQL 2005 and passing on to the next site.
I'm giving the user a kind of tracking (identity), which the user passes over from one question site to the other by Request.Form.

On the first site the user fills in the name, first name, time and the kind of identity

sql= "INSERT INTO web(first name ,name,identy,time)VALUES('" & first name & "','" & name & "','" & identy & "','" & time & "')"

this works fine!

Now I would like to continue with an Update statement.

sql = Update web Set answer1='" & answer1 & "' where identity ='" & identity &

It gives me just an Internet Error Message: The page can't be shown...
Kyle Neier
I suspect that your browser is suppressing the real error message. You should look to see if Friendly HTTP Error messages is turned on.

Pertinent to this forum, what you are doing appears to be ripe for SQL injection. One of the basics is to use stored procedures and pass in parameters instead of building the ad-hoc SQL.

There are all sorts of best practices out there regarding ASP and SQL Server development. I strongly suggest that you visit a few of these websites before getting too far down this path.

Kyle
Jack Corbett
If this is actually the line of code:

sql = Update web Set answer1='" & answer1 & "' where identity ='" & identity & 



Then it isn't going to work as you do not have an opening double-quote on the string and you are ending the line with the concatenation character.

Beyond that you are leaving yourself open to SQL Injection by using the methods you are using. At the very least you should be using a command object with parameters instead of a straight SQL string.



Jack Corbett

Applications Developer

Don't let the good be the enemy of the best. -- Paul Fleming
At best you can say that one job may be more secure than another, but total job security is an illusion. -- Rod at work

Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
How to Post Performance Problems
Crosstabs and Pivots or How to turn rows into columns Part 1
Crosstabs and Pivots or How to turn rows into columns Part 2
poloarun
It is obvious, the SQL statement is wrong,
But I can't yet manage it the right way.

sql = "Update web Set antwort1="' & antwort1 & "' where erkennung='" & erkennung & "'"

It doesn't work either!

Can anybody help me with the Update statement?
Jack Corbett
Have you viewed the SQL string that is built and verified that it is valid in SSMS? Just a Response.Write(SQL) so you can verify the string is being built correctly would help. If your table and column names are correct then I can't see anything wrong with the SQL statement.



Jack Corbett

Kyle Neier
Look at the quotes after "antwort1="

You have "' and I believe it should be '" .
poloarun
I am trying out:

Actually
sql = "Update web Set answer1='" & answer1 & "' where identity='" & identity & "'"

Gives the error message with
Response.Write (SQL)
Response.End



Update web Set answer11='gerste' where identity=''3597@10P136P12P125''

Which is not yet working.
Roy Ernest
Is this the output of your response.write?
Update web Set answer11='gerste' where identity=''3597@10P136P12P125''

I see double quotes in the identity part. Check the Identity part. Also if I am not mistaken Identity (Your Column Name) is a Keyword. Put a square bracket for IDENTITY.

-Roy
poloarun
identity is just a normal column, not the identifier. I know it is probably not right to use this word as a normal column, since it is reserved as identifier.
I don't know how to make the square brackets.
What would the SQL Statement be ?
poloarun
I found the right SQL Statement.
sql = "Update web Set answer1='" & answer1 & "'" & " where identity=" & identity

Thanks a lot for your replies.
SQL seems to be very delicate.
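
Added example, not code from any poster in this thread: the same UPDATE issued through an ADODB.Command with parameters, as the replies above recommend, so that the values never become part of the SQL text and the quoting problems discussed here cannot occur. The Application("ConnStr") connection string, the form field names and the varchar sizes are assumptions.

```vbscript
<%
Option Explicit

' ADO constants (values as defined in adovbs.inc)
Const adCmdText = 1
Const adParamInput = 1
Const adExecuteNoRecords = 128
Const adVarChar = 200

Dim answer1, identity, conn, cmd, affected

' Assumed form field names; the thread only says the values arrive via Request.Form.
answer1 = Request.Form("answer1")
identity = Request.Form("identity")

' Reject missing or oversized input before touching the database.
' 255 and 50 are assumed column sizes; match them to the real table definition.
If Len(identity) = 0 Or Len(identity) > 50 Or Len(answer1) > 255 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnStr")   ' placeholder: connection string kept in Application state

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText

' The ? markers are positional and bound in the order the parameters are appended.
' [identity] is bracketed because IDENTITY is a T-SQL keyword.
cmd.CommandText = "UPDATE web SET answer1 = ? WHERE [identity] = ?"
cmd.Parameters.Append cmd.CreateParameter("@answer1", adVarChar, adParamInput, 255, answer1)
cmd.Parameters.Append cmd.CreateParameter("@identity", adVarChar, adParamInput, 50, identity)

' No recordset is needed for an UPDATE; "affected" receives the row count.
cmd.Execute affected, , adCmdText Or adExecuteNoRecords

If affected <> 1 Then
    ' Unknown tracking value, or it is not unique: report it instead of continuing silently.
    Response.Write "No single matching row was updated."
End If

conn.Close
Set cmd = Nothing
Set conn = Nothing
%>
```

A value such as `3597@10P136P12P125`, or one containing a single quote, is sent to SQL Server as data, so the statement text stays the same for every request.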