need help deleting multiple records



cool263
02-07-2007, 08:40 PM
I'm trying to delete multiple records, but I keep getting an error: Data type mismatch in criteria expression.

Here's the code I'm working with:




<!--#INCLUDE FILE="connection.asp" -->

<%
DIM SQL, objRS, strID
strID = Request.Form("idnumber")
SQL = "SELECT * FROM records WHERE ID = ' " & strID & " ' "
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open SQL, objConn, adOpenKeyset, adLockPessimistic, adCmdText

IF objRS.EOF THEN
Response.Write "Sorry, you do not have any customers."

ELSE
DO WHILE NOT objRS.EOF
objRS.Delete
objRS.MoveNext
Loop

Response.Write "Your customers have been successfully deleted from your database."
END IF

objRS.Close
Set objRS = Nothing
objCONN.Close
Set objCONN = Nothing
%>




I'm still fairly new to programming. Any suggestions?

nikkiH
02-07-2007, 10:38 PM
Aside from the fact that this is an open door to an SQL injection attack, ID is probably a number. If so, ditch the single quotes. If it's a string, ditch the spaces. :D

And hope no one enters this as the id in the form field...
0;drop database--
Since I see no server side code here to prevent it.

cool263
02-08-2007, 04:56 PM
nikki -

Thanks for the help. Like I said, I'm pretty new to programming still. How would I prevent the attack?

nikkiH
02-08-2007, 05:19 PM
Use real parameters instead of a string query, either in the code or in a stored procedure.

http://www.wwwcoder.com/main/parentid/258/site/2966/68/default.aspx
http://aspalliance.com/385
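
The parameterized approach recommended above, written out as an added example (not code from the thread or the linked articles). It assumes connection.asp opens objConn as in the original post, that records.ID is a numeric column, and that the form may submit one or several idnumber fields; the AD_* constant names are local stand-ins for the ADO values noted beside them.

```asp
<!--#INCLUDE FILE="connection.asp" -->
<%
' Added example. Assumes connection.asp opens objConn (as in the post above)
' and that records.ID is a numeric column.
Const AD_INTEGER = 3               ' ADO adInteger
Const AD_PARAM_INPUT = 1           ' ADO adParamInput
Const AD_CMD_TEXT = 1              ' ADO adCmdText
Const AD_EXECUTE_NO_RECORDS = 128  ' ADO adExecuteNoRecords

Dim objCmd, objDigits, strID, i, lngAffected, lngDeleted, lngRejected
lngDeleted = 0
lngRejected = 0

' Accept only 1 to 9 digits, so CLng cannot overflow and never sees SQL text
Set objDigits = New RegExp
objDigits.Pattern = "^\d{1,9}$"

Set objCmd = Server.CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandType = AD_CMD_TEXT
' The ? placeholder is bound as data; it is never spliced into the SQL string
objCmd.CommandText = "DELETE FROM records WHERE ID = ?"
objCmd.Parameters.Append objCmd.CreateParameter("id", AD_INTEGER, AD_PARAM_INPUT)

' Request.Form("idnumber") is a collection: one entry per submitted field
For i = 1 To Request.Form("idnumber").Count
    strID = Trim(Request.Form("idnumber")(i))
    If objDigits.Test(strID) Then
        objCmd.Parameters(0).Value = CLng(strID)
        objCmd.Execute lngAffected, , AD_EXECUTE_NO_RECORDS
        ' Some providers report -1 when no count is available
        If lngAffected > 0 Then lngDeleted = lngDeleted + lngAffected
    Else
        lngRejected = lngRejected + 1
    End If
Next

Response.Write Server.HTMLEncode(lngDeleted & " record(s) deleted, " & _
    lngRejected & " invalid ID(s) ignored.")

Set objCmd = Nothing
Set objDigits = Nothing
objConn.Close
Set objConn = Nothing
%>
```

A value such as the one quoted earlier in the thread fails the digit check and is counted as rejected; even without that check, the bound parameter would be treated as a value rather than as SQL.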


