Member Avatar for weezie

First of all i'm a newbie so bear with me...
I have created a form in which people submit a phonebumebr to a database, curently if they put a space in there it throws up an error.

I have been told that :

Never insert unsanitized data into your database.
Always validate submitted form data

If your field is a number then that's your problem. Use Replace() to remove the spaces in the variable.

My field number is text
Here is my code:

<%
'Dimension variables
Dim adoCon 'Holds the Database Connection Object
Dim strSQL 'Holds the SQL query to query the database
'Create an ADO connection object
Set adoCon = Server.CreateObject("ADODB.Connection")

'Set an active connection to the Connection object using a DSN-less connection
adoCon.Open "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & Server.MapPath("../../db/faxremove.mdb")
'Create an ADO recordset object
strSQL = "INSERT INTO  tblComments (FaxNumber) VALUES (" & Request.Form("FaxNumber") &  ")"
adoCon.Execute strSQL
Set adoCon = Nothing
'Redirect to the guestbook.asp page
Response.Redirect "default2.asp"
%>

can anyone advise me what I need to do?

  • 2 Contributors
  • 4 Replies
  • 143 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by weezie
Member Avatar for madmital 
<%
'Create an ADO recordset object
strSQL = "INSERT INTO  tblComments (FaxNumber) VALUES (" & Request.Form("FaxNumber") &  ")"
adoCon.Execute strSQL
Set adoCon = Nothing

can anyone advise me what I need to do?

Since it's a text column in the DB, simply try enclosing the "FaxNumber" in single quotes:

<%
'strSQL = "INSERT INTO  tblComments (FaxNumber) VALUES ('" & Request.Form("FaxNumber") &  "')"
adoCon.Execute strSQL
Set adoCon = Nothing
Member Avatar for weezie

Since it's a text column in the DB, simply try enclosing the "FaxNumber" in single quotes:

<%
'strSQL = "INSERT INTO  tblComments (FaxNumber) VALUES ('" & Request.Form("FaxNumber") &  "')"
adoCon.Execute strSQL
Set adoCon = Nothing

That worked fine thanks.

If I want to date stamp when the numbers are entered how would I do that?

Member Avatar for madmital

That worked fine thanks.

If I want to date stamp when the numbers are entered how would I do that?

If its' an Access DB, you can enter the default value "Now()" in the date stamp field.
Or, you can add a date stamp in your sql:
"DateValue(Now)" will return the date only (like: 10-10-2006)
"Now" will return the date and time (like : 10-10-2006 12:12:00).

So:

"INSERT INTO  tblComments (FaxNumber, timeStamp) VALUES ('" & Request.Form("FaxNumber") & "', '" & Now & '")"
Member Avatar for weezie

Thanks :-)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.