Can someone please tell me what is wrong with this statement?

Front-end · Unresolved · 4 · 657
别跟我提以往 2021-01-24 17:07

I am using this to insert a few things into my table and it keeps giving me this error:

Microsoft VBScript compilation error '800a03ee'
Expected ')'
/thanks.asp,

4 answers
  • 2021-01-24 17:09

    Seems like there is a syntax error related to your parentheses. The two parentheses at the end of that line look kind of fishy.

    0 Discussion (0)
  • 2021-01-24 17:15

    You have a missing & in here:

    VALUES ('"Request.QueryString("payer_email") & "'
    

    should be:

    VALUES ('" & Request.QueryString("payer_email") & "'
    

    And even in the last part of your statement, you have a missing & and a missing ":

    Request.QueryString("hash")"'))
    

    should be:

    Request.QueryString("hash") & "')")
    

    Therefore you may want to try the following statement:

    cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode) VALUES ('" & Request.QueryString("payer_email") & "', '" & Request.QueryString("payer_email") & "', '" & Request.QueryString("first_name") & "', '" & Request.QueryString("last_name") & "', '" & Request.QueryString("hash") & "')")
    
    0 Discussion (0)
  • 2021-01-24 17:19

    The missing ampersands and quotes may be the least of your problems.

    It does not look like you are cleaning the strings in any way. The strings could contain single quotes that are not escaped. You are open to SQL injection because you are not using parameters.

    0 Discussion (0)
  • 2021-01-24 17:29

    I'd suggest breaking up your code as follows, so it becomes readable and understandable:

    Dim execSql
    execSql = "insert into SALT (Email, Username, FirstName, LastName, ActivationCode)"
    execSql = execSql & " VALUES ('"
    execSql = execSql & Request.QueryString("payer_email") 
    execSql = execSql & "', '" 
    execSql = execSql & Request.QueryString("payer_email") 
    execSql = execSql & "', '" 
    execSql = execSql & Request.QueryString("first_name") 
    execSql = execSql & "', '" 
    execSql = execSql & Request.QueryString("last_name") 
    execSql = execSql & "', '" 
    execSql = execSql & Request.QueryString("hash")
    execSql = execSql & "')"
    
    Set rstSimple = cnnSimple.Execute(execSql)
    

    While typing, I removed the quote errors of your string. Now it becomes more apparent where they are if you receive a new error. Also, the colouring of the code makes it readable and easy to spot the error (depending on what editor you use).


    Edit on SQL Injection and security

    As someone else already mentioned, your code is highly susceptible to SQL injection attacks. Even if no attack (i.e., to drop your database) is meant, it will fail if someone is named d'Amour (French) or in 't Huys (Dutch), crashing your page. To circumvent this, don't try to filter your code, but rewrite it using SQL Command and Parameters. It's easy, your code simply becomes this:

    Set dbCommand = Server.CreateObject("ADODB.Command")
    Set dbCommand.ActiveConnection = cnnSimple
    dbCommand.CommandType = adCmdText
    ' ADO binds parameters positionally: one "?" per value, appended in the same order
    dbCommand.CommandText = _
        "INSERT INTO SALT (Email, Username, FirstName, LastName, ActivationCode) " & _
        "VALUES (?, ?, ?, ?, ?)"
    ' CreateParameter(Name, Type, Direction, Size, Value); Size is required for adVarChar.
    ' 255 is an assumed width here; match it to your column definitions.
    With dbCommand
        .Parameters.Append .CreateParameter("email", adVarChar, adParamInput, 255, Request.QueryString("payer_email"))
        .Parameters.Append .CreateParameter("user", adVarChar, adParamInput, 255, Request.QueryString("payer_email"))
        .Parameters.Append .CreateParameter("firstname", adVarChar, adParamInput, 255, Request.QueryString("first_name"))
        .Parameters.Append .CreateParameter("lastname", adVarChar, adParamInput, 255, Request.QueryString("last_name"))
        .Parameters.Append .CreateParameter("code", adVarChar, adParamInput, 255, Request.QueryString("hash"))
    End With

    ' An INSERT returns no rows, so there is no recordset to keep
    dbCommand.Execute


    Note: make sure to download and include ADOVBS.INC so you don't have to replace the constants adVarChar and adParamInput and such with their numeric equivalents.

    For more info see this SO answer by Jose Basilio, Google on "SQL Injection ASP" or "SQL Prepared Statement Classic ASP", it should find you some hits.

    0 Discussion (0)
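Added example, not part of the original thread or anyone's answer: the same INSERT run against an in-memory SQLite table from Python, so the two problems the answers describe can be reproduced offline. It shows the concatenated statement failing on a legitimate name containing an apostrophe (the d'Amour case from answer 4) and, with an attacker-chosen last name, letting the attacker overwrite the ActivationCode column (the injection answer 3 warns about), beside the parameterised version that handles both inputs as plain data. The table name and columns come from the question; the SALT table definition, the sample names, the e-mail addresses and the injection payload are constructed for this demo.

```python
import sqlite3

# Constructed in-memory stand-in for the SALT table from the question
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE SALT (Email TEXT, Username TEXT, FirstName TEXT, "
        "LastName TEXT, ActivationCode TEXT)"
    )
    return db


def insert_concat(db, email, first, last, code):
    """Same shape as the string-built INSERT on the page: user input becomes SQL text."""
    sql = (
        "INSERT INTO SALT (Email, Username, FirstName, LastName, ActivationCode) "
        "VALUES ('" + email + "', '" + email + "', '" + first + "', '" + last + "', '" + code + "')"
    )
    db.execute(sql)
    db.commit()


def insert_param(db, email, first, last, code):
    """Parameterised equivalent: '?' placeholders, values bound by the driver."""
    db.execute(
        "INSERT INTO SALT (Email, Username, FirstName, LastName, ActivationCode) "
        "VALUES (?, ?, ?, ?, ?)",
        (email, email, first, last, code),
    )
    db.commit()


def row_for(db, email):
    return db.execute(
        "SELECT FirstName, LastName, ActivationCode FROM SALT WHERE Email = ?", (email,)
    ).fetchone()


def demo_apostrophe():
    """A real name with a quote: the concatenated INSERT is a syntax error, the
    parameterised one stores it unchanged. Returns (concat_crashed, stored_row)."""
    db = make_db()
    try:
        insert_concat(db, "jean@example.com", "Jean", "d'Amour", "abc123")
        crashed = False
    except sqlite3.OperationalError:
        crashed = True
    insert_param(db, "jean@example.com", "Jean", "d'Amour", "abc123")
    return crashed, row_for(db, "jean@example.com")


def demo_injection():
    """Attacker closes the string and supplies the last column themselves, then
    comments out the server-generated hash. Returns (concat_row, param_row)."""
    payload = "x', 'attacker-chosen') -- "   # constructed injection payload
    real_code = "server-generated-hash"

    db = make_db()
    insert_concat(db, "eve@example.com", "Eve", payload, real_code)
    concat_row = row_for(db, "eve@example.com")   # ActivationCode is now attacker-chosen

    db = make_db()
    insert_param(db, "eve@example.com", "Eve", payload, real_code)
    param_row = row_for(db, "eve@example.com")    # payload stored literally, hash intact
    return concat_row, param_row


if __name__ == "__main__":
    print(demo_apostrophe())
    print(demo_injection())
```

The injected statement the concatenated version actually sends is `... VALUES ('eve@example.com', 'eve@example.com', 'Eve', 'x', 'attacker-chosen') -- ', 'server-generated-hash')`, so the activation code the server generated never reaches the table; the same payload bound as a parameter is just a 26-character last name.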