Member Avatar for istteffy

Guys, I am trying to learn asp, but I am stuck on this error forever... I managed to display and create new, but I can't delete and update. I was told I had to remove the ' around cid, but it still gave me another erro. can someone please provide me with a quick solution.

  <html>
<body>

<h2>Update Record</h2>
<%
set conn=Server.CreateObject("ADODB.Connection")
conn.Provider="Microsoft.Jet.OLEDB.4.0"
conn.Open "c:/webdata/northwind.mdb"

cid=Request.Form("customerID")

if Request.form("companyname")="" then
  set rs=Server.CreateObject("ADODB.Recordset")
  rs.open "SELECT * FROM customers WHERE customerID='" & cid & "'",conn
  %>
  <form method="post" action="demo_update.asp">
  <table>
  <%for each x in rs.Fields%>
  <tr>
  <td><%=x.name%></td>
  <td><input name="<%=x.name%>" value="<%=x.value%>"></td>
  <%next%>
  </tr>
  </table>
  <br><br>
  <input type="submit" value="Update record">
  </form>
<%
else
  sql="UPDATE customers SET "
  sql=sql & "companyname='" & Request.Form("companyname") & "',"
  sql=sql & "contactname='" & Request.Form("contactname") & "',"
  sql=sql & "address='" & Request.Form("address") & "',"
  sql=sql & "city='" & Request.Form("city") & "',"
  sql=sql & "postalcode='" & Request.Form("postalcode") & "',"
  sql=sql & "country='" & Request.Form("country") & "'"
  sql=sql & " WHERE customerID='" & cid & "'"
  on error resume next
  conn.Execute sql
  if err<>0 then
    response.write("No update permissions!")
  else
    response.write("Record " & cid & " was updated!")
  end if
end if
conn.close
%>

</body>
</html>
  • 4 Contributors
  • 3 Replies
  • 236 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by Blueie
Member Avatar for hericles

Compare what data type the cid column in the database is to what the cid variable holds after the line: cid = Request.Form("customerID").
Data type erros normally mean you are passing in the wrong type against what is expected (string vs int for example).

Member Avatar for JorgeM

On a related note, you should consider using parameterized queries instead so that your parameters are passed as literal text. This prevents errors and is good for security.

A simple example regarding why you should use parameterized queries.. say any of the variables you are using in your SQL query contains an apostrophe... the appostophe will cause your application to fail.

Here is an example online on how to use parameterized queries in Classic ASP.

http://blogs.technet.com/b/neilcar/archive/2008/05/23/sql-injection-mitigation-using-parameterized-queries-part-2-types-and-recordsets.aspx

Member Avatar for Blueie

You would need to open northwind.mdb, double-click on the 'customers' table, and select 'Design View'. That will show you the Data Type for each field. The data you are passing into that field needs to correspond to the 'data type' for that field. So you wouldn't, for instance, have a 'Text' data type if you were updating a currency field.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.