need help deleting multiple records

I'm trying to delete multiple records, but I keep getting an error: Data type mismatch in criteria expression.

Here's the code I'm working with:



<!--#INCLUDE FILE="connection.asp" -->

<%
DIM SQL, objRS, strID
strID = Request.Form("idnumber")
SQL = "SELECT * FROM records WHERE ID = ' " & strID & " ' "
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open SQL, objConn, adOpenKeyset, adLockPessimistic, adCmdText

IF objRS.EOF THEN
Response.Write "Sorry, you do not have any customers.

ELSE
DO WHILE NOT objRS.EOF
objRS.Delete
objRS.MoveNext
Loop

Response.Write "Your customers have been succesffully deleted from your database."
END IF

objRS.Close
Set objRS = Nothing
objCONN.Close
Set objCONN = Nothing
%>




I'm still fairly new to programming. Any suggestions?

Aside from the fact that this is an open door to an sql injection attack, ID is probably a number. If so, ditch the single quotes. If it's a string, ditch the spaces. :D

And hope no one enters this as the id in the form field...
0;drop database--
Since I see no server side code here to prevent it.

nikki -

Thanks for the help. Like I said, I'm pretty new to programming still. How would I prevent the attack?

Use real parameters instead of a string query, either in the code or in a stored procedure.

http://www.wwwcoder.com/main/parentid/258/site/2966/68/default.aspx
http://aspalliance.com/385