[thelist] Select QRY problem

Ken Schaefer Ken at adOpenStatic.com
Mon Mar 14 22:35:59 CST 2005


: -----Original Message-----
: From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Phil Turmel
: Subject: Re: [thelist] Select QRY problem
: 
: Pringle, Ron wrote:
: > Peter et al-
: >
: > Thanks for the tips, it ended up being the simple fact that I hadn't
: > converted my querystring into an integer, so of course it wasn't
: > matching, and of course it wasn't selecting any records.
: >
: > Der.
: >
: > However, I would have thought it would have thrown a type mismatch
: > error. Live and learn!
: 
: Ron,
: 
: At the point in your code where you were doing the concatenation, you
: had your base query as a string constant, and the result of
: response.querystring.  Both of these are STRINGS.  No type mismatch
: error is ever going to occur at that point.  Plus, ASP will perform
: silent type conversion in many expressions, including string
: concatenation (along with a whole bunch of other scripting languages).
: 
: You really need to force querystrings into typed variables before they are
: used anywhere else in your code, especially before they are passed to a
: SQL driver.  Google "SQL injection" for a good scare.

He is creating an *SQL* statement. What you are asking him to do is
irrelevant considering the error. The error is not the database complaining
about a type-mismatch. The database is complaining about a parameter being
*missing*. Casting a variable up in the ASP layer is completely irrelevant to
building an SQL statement. You need to make sure that the *database* can do
the necessary parsing/conversion; however, in your ASP layer, everything will
still be a string (well, technically a variant since there are no strings in
ASP).

Cheers
Ken
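
An added illustration, not part of the thread or any poster's code: a classic ASP page that checks the querystring value is an integer in the script layer and then hands it to the database as a typed ADO parameter, so the SQL text is never built by concatenation. The `id` querystring name, the `articles` table and its columns, and the `ConnString` application variable are hypothetical.

```vbscript
<%
Option Explicit

' ADO constants (values as defined in adovbs.inc)
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

' Return raw as a Long, or Null when it is not a plain run of digits.
' Nine digits at most, so CLng cannot overflow.
Function ParseId(raw)
    Dim re
    ParseId = Null
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If re.Test(raw) Then ParseId = CLng(raw)
End Function

Dim id, conn, cmd, rs

' "id" is a hypothetical querystring name; a missing value becomes "".
id = ParseId(CStr(Request.QueryString("id")))
If IsNull(id) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' hypothetical connection string

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The value travels as a typed parameter; the SQL text itself is constant.
cmd.CommandText = "SELECT title FROM articles WHERE article_id = ?"
cmd.Parameters.Append cmd.CreateParameter("article_id", adInteger, adParamInput, , id)

Set rs = cmd.Execute
If rs.EOF Then
    Response.Write "No matching record."
Else
    Response.Write Server.HTMLEncode(rs("title").Value & "")
End If

rs.Close
conn.Close
%>
```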

