[thelist] Select QRY problem

Phil Turmel philip at turmel.org
Mon Mar 14 16:18:05 CST 2005

Pringle, Ron wrote:
> Peter et al-
> Thanks for the tips, it ended up being the simple fact that I hadn't
> converted my querystring into an integer, so of course it wasn't matching,
> and of course it wasn't selecting any records.
> Der.
> However, I would have thought it would have thrown a type mismatch error.
> Live and learn!


At the point in your code where you were doing the concatenation, you
had your base query as a string constant, and the result of
response.querystring.  Both of these are STRINGS.  No type mismatch
error is ever going to occur at that point.  Plus, ASP will perform
silent type conversion in many expressions, including string
concatenation (along with a whole bunch of other scripting languages).

You really need to force querystrings into typed variables before they are
used anywhere else in your code, especially before they are passed to a
SQL driver.  Google "SQL injection" for a good scare.
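
One way to apply the advice above in a classic ASP page, as an added example that is not part of the original post: the querystring value is validated and converted to a Long before anything else touches it, and then bound as a typed ADO parameter instead of being concatenated into the SQL text. The `id` key, the `articles` table, its columns, and the `Application("ConnString")` setting are assumptions.

```vbscript
<%
Option Explicit

' ADO constants (values from adovbs.inc)
Const adInteger = 3
Const adParamInput = 1
Const adCmdText = 1

' Force a raw querystring value into a Long.
' Returns False unless the value is 1 to 9 decimal digits and nothing else,
' so empty input, signs, spaces, quotes and repeated keys ("1, 2") are rejected.
Function TryParseId(ByVal raw, ByRef id)
    Dim re
    TryParseId = False
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    If re.Test(raw) Then
        id = CLng(raw)          ' 9 digits always fits in a Long
        TryParseId = True
    End If
End Function

Dim recordId, conn, cmd, rs

' Convert once, at the edge; only the typed variable is used from here on.
If Not TryParseId(CStr(Request.QueryString("id")), recordId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid id"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")      ' assumed application setting

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The driver receives the value as an integer parameter, never as SQL text.
cmd.CommandText = "SELECT title FROM articles WHERE article_id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , recordId)

Set rs = cmd.Execute
If rs.EOF Then
    Response.Write "No such record"
Else
    Response.Write Server.HTMLEncode(rs("title"))
End If
rs.Close
conn.Close
%>
```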


