 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
| HomeDiscussion GroupsGeneralPHPASPPerlColdFusionFlashHTML, CSS, ScriptsBrowsers |
Webmaster Forum / ASP / General ASP Topics / July 2008select query data type mismatch
this works sSQL = "SELECT *" & _ " FROM Expenses2008" & _ " WHERE Amount Like '%" & Request.Form("searchItem") & "%'" set rs = Connect.Execute(sSQL) however if I enter an amount of 99 it not only gives me all entries with 99.00 in the Amount collum but 199.00, 1991.72...anything with two 9s together. So I tried sSQL = "SELECT *" & _ " FROM Expenses2008" & _ " WHERE Amount = '" & Request.Form("searchItem") & "'" set rs = Connect.Execute(sSQL) But I get an error message Microsoft JET Database Engine error '80040e07' Data type mismatch in criteria expression. /eforms/shiprec/search.asp, line 201 Can someone help me with this? > this works > [quoted text clipped - 21 lines] > > Can someone help me with this? When you use Like, Jet converts the numeric data in your Number field to strings in order to do the comparison. When you use = no implicit conversion is performed. Since you are comparing data contained in a column whose datatype is number to a literal value contained in quotes (a string) a data type mismatch occurs. You need to remove the quotes from this line: " WHERE Amount = '" & Request.Form("searchItem") & "'" so that it reads: " WHERE Amount = " & Request.Form("searchItem") Further points to consider: Your use of dynamic sql is leaving you vulnerable to hackers using sql injection: http://mvp.unixwiz.net/techtips/sql-injection.html http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23 See here for a better, more secure way to execute your queries by using parameter markers (tokens): http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36 562fee7804e Personally, I prefer using stored procedures, or saved parameter queries as they are known in Access: Access: http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=e6lLVvOcDHA.1204%4 0TK2MSFTNGP12.phx.gbl http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&selm=eHYxOyvaDHA.402 0%40tk2msftngp13.phx.gbl  SignatureMicrosoft MVP -- ASP/ASP.NET Please reply to the newsgroup. The email account listed in my From header is my spam trap, so I don't check it very often. You will get a quicker response by posting to the newsgroup. wow...that was too easy. > " WHERE Amount = '" & Request.Form("searchItem") & "'" > so that it reads: > " WHERE Amount = " & Request.Form("searchItem") Not a problem...internal server used by only 15 people. > Further points to consider: > Your use of dynamic sql is leaving you vulnerable to hackers using sql > injection:http://mvp.unixwiz.net/techtips/sql-injection.htmlhttp://www.sqlsecurity.com/Des ktopDefault.aspx?tabid=23 Thanks! eyoung1@uiuc.edu wrote on Tue, 1 Jul 2008 13:37:10 -0700 (PDT): > wow...that was too easy. >> " WHERE Amount = '" & Request.Form("searchItem") & "'" >> so that it reads: >> " WHERE Amount = " & Request.Form("searchItem") > Not a problem...internal server used by only 15 people. What happens when one of those people decides they're going to leave the company and aren't happy and puts something in the searchItem field of the form that results in a SQL injection that does something to your data? >> Further points to consider: >> Your use of dynamic sql is leaving you vulnerable to hackers using >> sql >> injection:http://mvp.unixwiz.net/techtips/sql-injection.htmlhttp:// >> www.sqlsecurity.com/DesktopDefault.aspx?tabid=23 > Thanks! SignatureDan |
Reply to this Message |
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.