|i need help..|
What's wrong with this code? Error details are below the code.
| 12:50 pm on Jun 16, 2004 (gmt 0)|
if request.querystring("case")="games" then
if isempty(request.form("game_name")) then %>
<form name="delete" action="" method="post">
<table width="100%" cellpadding="0" cellspacing="0" border="2" bordercolor="#fff5ee">
<td>mark to delete</td>
sql="select * from games order by game_name"
do until showall.eof %>
<td><input type="checkbox" name="game_name" value="<%=showall.fields("game_name").value %>"></td>
set oconn=nothing %>
<input type="submit" value="delete">
for each item in request.form("game_name")
sql="select * from games where game_name=" & item & ""
***this is line 176***game.open sql,oconn,2,2
gamefile="C:/Inetpub/wwwroot/dragonball/games/" & game.fields("game_name").value
if del.fileexists(gamefile) then
picfile="C:/Inetpub/wwwroot/dragonball/images/games/" & game.fields("game_pic").value
if del.fileexists(picfile) then
sql2="delete from games where game_name=" & item & ""
response.write("games were deleted!")
end if %>
Microsoft JET Database Engine (0x80040E10)
No value given for one or more required parameters.
/dragonball/delete.asp, line 176
Line 176 is marked above [in the code].
| 12:58 pm on Jun 16, 2004 (gmt 0)|
|sql="select * from games where game_name=" & item & "" |
Assuming a game name of "Doom", this will result in the following literal string being executed as your query command:
select * from games where game_name= Doom
So you need to add in some apostrophes to your query:
sql="select * from games where game_name='" & item & "'"
The error message you are getting is caused when the database engine looks for a parameter with the name Doom. None is provided, so the error message makes sense.
| 1:04 pm on Jun 16, 2004 (gmt 0)|
By the way. Your code is leaving you wide open to an SQL Injection attack. Here is an example.
If the following value is provided in the game_name field
abc' having 1=1 ;
An error will occur that will most likely show the name of one or more tables. Suppose one of the table names is "games". The attacker can then use that to cause real problems by entering the following in the game_name field:
abc'; drop table games ;
You should always clean the values presented by users by (at least) escaping any apostrophes.
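Added example, not code from the original poster or from either reply: the delete handler from the first post rewritten so that each game_name value is handed to JET as an ADO parameter rather than spliced into the SQL text. It assumes, from the thread, that oconn is an open ADODB.Connection to the .mdb, that "del" is a Scripting.FileSystemObject, that the table has game_name and game_pic columns, and that the page is already restricted to admins. The three Const values are the standard ADO enumeration constants.

```vbscript
<%
' Added example (not the thread's own code): parameterized version of the
' delete loop. Assumed: oconn = open ADODB.Connection, del = FileSystemObject.
Const adVarChar = 200      ' ADO DataTypeEnum
Const adParamInput = 1     ' ADO ParameterDirectionEnum
Const adCmdText = 1        ' ADO CommandTypeEnum

Dim item, cmd, rs, gamefile, picfile, deleted
deleted = 0

For Each item In Request.Form("game_name")
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = oconn
    cmd.CommandType = adCmdText
    ' "?" is the positional placeholder JET/ADO understands. The value travels
    ' separately from the statement, so an apostrophe or ";" in item is data,
    ' never SQL, and the query also no longer needs hand-placed quotes.
    cmd.CommandText = "SELECT game_name, game_pic FROM games WHERE game_name = ?"
    cmd.Parameters.Append cmd.CreateParameter("pname", adVarChar, adParamInput, 255, item)

    Set rs = cmd.Execute
    If Not rs.EOF Then
        ' File names come from the table, as in the original, not from the form.
        gamefile = "C:/Inetpub/wwwroot/dragonball/games/" & rs.Fields("game_name").Value
        If del.FileExists(gamefile) Then del.DeleteFile gamefile
        picfile = "C:/Inetpub/wwwroot/dragonball/images/games/" & rs.Fields("game_pic").Value
        If del.FileExists(picfile) Then del.DeleteFile picfile
        rs.Close

        ' Same command object and same parameter, different statement.
        cmd.CommandText = "DELETE FROM games WHERE game_name = ?"
        cmd.Execute
        deleted = deleted + 1
    Else
        rs.Close
    End If
    Set rs = Nothing
    Set cmd = Nothing
Next

If deleted > 0 Then Response.Write(deleted & " game(s) were deleted!")
%>
```

If you keep building the SQL as a string instead, the minimum the reply above asks for is to double every apostrophe before concatenating, e.g. Replace(item, "'", "''"), inside the quoted literal. The parameterized form is preferred because the fix does not depend on remembering that call at every query, and the "No value given for one or more required parameters" error from line 176 cannot recur from a missing quote.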
| 6:03 pm on Jun 16, 2004 (gmt 0)|
Thanks, and no one can do anything to my web: the game_name field is a checkbox so you can't enter any value, it just auto-takes the value of the game_name, which is the key in my table (mdb), plus only admins can see this page and they won't even try to harm the web. =)
| 6:28 pm on Jun 16, 2004 (gmt 0)|
|the game_name field is a checkbox |
Maybe on the form you provide. But a script kiddie can easily make their own form.
But, if it is an admin only page, and the submit page code only executes for someone that is logged in, then there is not much danger.
| 6:31 pm on Jun 16, 2004 (gmt 0)|
You still should get into the habit of practicing good coding habits. No matter where the code is actually showing, you should always make sure it's as secure as you can possibly make it. If you get into the habit of making all your code secure, you won't have to worry about where the code is, it will always be fine.
| 6:34 pm on Jun 16, 2004 (gmt 0)|
That's my favorite reason for insisting that ALL queries in web apps use stored procedures!
Others include performance and code reuse.