  1. #1
    New to the CF scene (joined Jan 2007, 6 posts)

    need help deleting multiple records

    I'm trying to delete multiple records, but I keep getting an error: Data type mismatch in criteria expression.

    Here's the code I'm working with:

    Code:
    <!--#INCLUDE FILE="connection.asp" -->
    
    <%
    DIM SQL, objRS, strID
    ' take the ID straight from the form and build the query by string concatenation
    strID = Request.Form("idnumber")
    SQL = "SELECT * FROM records WHERE ID = ' " & strID & " ' " 
    Set objRS = Server.CreateObject("ADODB.Recordset")
    objRS.Open SQL, objConn, adOpenKeyset, adLockPessimistic, adCmdText
    
    IF objRS.EOF THEN
    Response.Write "Sorry, you do not have any customers."
    
    ELSE
    ' walk the recordset and delete every matching row
    DO WHILE NOT objRS.EOF
    objRS.Delete
    objRS.MoveNext
    Loop
    
    Response.Write "Your customers have been successfully deleted from your database."
    END IF
    
    objRS.Close
    Set objRS = Nothing
    objCONN.Close
    Set objCONN = Nothing
    %>
    I'm still fairly new to programming. Any suggestions?

  • #2
    nikkiH, Senior Coder (Near Chicago, IL, USA; joined Jun 2005, 1,973 posts)
    Aside from the fact that this is an open door to an SQL injection attack, ID is probably a number. If so, ditch the single quotes. If it's a string, ditch the spaces.

    And hope no one enters this as the id in the form field...
    0;drop database--
    Since I see no server side code here to prevent it.

    If this post contains any code, I may or may not have tested it. It's probably just example code, so no getting knickers in a bunch over a typo, OK? If it doesn't have basic error checking in it, such as object detection or checking if objects are null before using them, put that in there. I'm giving examples, not typing up your whole app for you. You run code at your own risk.
    Bored? Visit
    http://www.kaelisspace.com/

  • #3
    New to the CF scene (joined Jan 2007, 6 posts)
    nikki -

    Thanks for the help. Like I said, I'm pretty new to programming still. How would I prevent the attack?

  • #4
    nikkiH, Senior Coder (Near Chicago, IL, USA; joined Jun 2005, 1,973 posts)
    Use real parameters instead of a string query, either in the code or in a stored procedure.

    http://www.wwwcoder.com/main/parenti...8/default.aspx
    http://aspalliance.com/385


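    The parameterised approach from the reply above, written out as an added example (not code from either poster). It assumes connection.asp has already opened objConn, as in the original post, and that records.ID is an integer column; it replaces the SELECT-plus-recordset loop with a single parameterised DELETE.

```vbscript
<!--#INCLUDE FILE="connection.asp" -->
<%
' Added example, not from the thread. Assumes connection.asp opened objConn
' and that records.ID is an integer column.
' Standard ADO constants, in case adovbs.inc is not included on this page.
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

Dim strID, lngID, objCmd, lngDeleted
strID = Trim(Request.Form("idnumber"))

' Validate before touching the database: the form value must be a whole number.
' ID is numeric, which is why quoting it (' 5 ') produced "Data type mismatch".
If strID = "" Or Not IsNumeric(strID) Or InStr(strID, ".") > 0 Then
    Response.Write "Please enter a valid numeric ID."
Else
    lngID = CLng(strID)

    Set objCmd = Server.CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    objCmd.CommandType = adCmdText
    ' The ? placeholder is bound below. The form value never becomes part of
    ' the SQL text, so input like 0;drop database-- is rejected by the
    ' numeric check above and could only ever be treated as a value anyway.
    objCmd.CommandText = "DELETE FROM records WHERE ID = ?"
    objCmd.Parameters.Append objCmd.CreateParameter("ID", adInteger, adParamInput, , lngID)

    ' One DELETE removes every matching row; Execute returns the row count.
    objCmd.Execute lngDeleted

    If lngDeleted = 0 Then
        Response.Write "Sorry, you do not have any customers."
    Else
        Response.Write "Your customers have been successfully deleted from your database."
    End If

    Set objCmd = Nothing
End If

objConn.Close
Set objConn = Nothing
%>
```

    The same pattern (placeholder plus CreateParameter) applies if the DELETE is moved into a stored procedure; only CommandType and CommandText change.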