How to use ASP variables in SQL statement

Question

<%
postit = request.querystring(\"thispost\")
response.write(postit)
%> 

postit is the v

Answer 1

Add a parameter to the SQL:

delCmd.CommandText="DELETE * FROM post WHERE (pos_ID = ?)"
delCmd.Parameters.Append delCmd.CreateParameter("posid", adInteger, adParamInput)   ' input parameter
delCmd.Parameters("posid").Value = postit

Answer 2

More easy for delete, this way is useful when not need to check the recordset:

cn.open "yourconnectionstring"
cn.execute "DELETE * FROM post WHERE pos_ID = " & request.querystring("thispost")
cn.close

Answer 3

Try this code:

<% Dim postit, stringSQL, objectCon
   postit = request.querystring("thispost")

   Set objectCon = Server.CreateObject("ADODB.Connection")
   objectCon.ConnectionString  "Driver={SQL SERVER};Server=server_name;UID=user_name;PWD=password;Database=database_name" 'SET CONNECTION STRING OF YOUR DATABASE
   stringSQL = "DELETE FROM post WHERE pos_id='" & postit & "'"

   objectCon.Open
   objectCon.Execute(stringSQL)
   objectCon.Close() %>

Answer 4

Couple of things that will help you in the future

1. Use Option Explicit to avoid hiding issues that will come back to bite you later on
2. Use ADODB.Command object, which is very versatile enabling to do a range of database calls, from simple dynamic SQL statements to Stored Procedures without the risk of SQL injection.

There are a few tips that can speed things up when using the ADODB.Command object in your code which will be demonstrated in the example below (assumes you already have a connection string stored in a global config call gs_connstr);

<%
Option Explicit

Dim postit
postit = Request.QueryString("thispost")
'Always do some basic validation of your Request variables
If Len(postit) > 0 And IsNumeric(postit) Then CLng(postit) Else postit = 0

Dim o_cmd, o_rs, a_rs, i_row, i_rows, l_affected
Dim SQL

'SQL statement to be executed. For CommandType adCmdText this can be any dynamic
'statement, but adCmdText also gives you an added bonus - Parameterised Queries
'instead of concatenating values into your SQL you can specify placeholders (?)
'that you will define values for that will get passed to the provider in the order
'they are defined in the SQL statement.
SQL = "DELETE * FROM post WHERE (pos_ID = ?)"

Set o_cmd = Server.CreateObject("ADODB.Command")
With o_cmd
  'ActiveConnection will accept a Connection String so there is no need
  'to instantiate a separate ADODB.Connection object the ADODB.Command object
  'will handle this and also open the connection ready.
  .ActiveConnection = gs_connstr
  .CommandType = adCmdText
  .CommandText = SQL
  'When using Parameters the most important thing to remember is the order you
  'appended your parameters to the Parameters collection as this will determine
  'the order in which they are applied to your SQL query at execution. Because
  'of this the name you give to your parameters is not important in terms of
  'execution but I find specifying a meaningful name is best (especially when
  'revisiting some code a few years down the line).
  Call .Parameters.Append(.CreateParameter("@pos_ID", adInteger, adParamInput, 4))
  'Parameter values can be passed in via the Execute() method using an Array
  'without having to define the parameter values explicitly. You can also specify
  'the records affected value to return number of rows affected by a DELETE,
  'INSERT or UPDATE statement.
  .Execute(l_affected, Array(postit))
End With
'Always tidy up after yourself, by releasing your object from memory, this will
'also tidy up your connection as it was created by the ADODB.Command object.
Set o_cmd = Nothing
%>

Answer 5

You're not passing the value of postit to Access; instead, you're telling Access to find & use a variable called postit. Of course, said variable doesn't exist in Access -- it only exists in your code. The fix is just a couple of quote marks and a pair of ampersands.

delCmd.CommandText="DELETE * FROM post WHERE (pos_ID = " & postit & " )"

(Naturally, you should validate postit before you go sending it off to your database. A simple CDbl() can do the trick, assuming it's a numeric value.)