Getrows
jhd1967 | Posted 2:31pm 23. September 2008 Server Time |
I have this code but I'm not sure how I can use the query string from another search form page to define CAT_ID = ? AND MAKE = ?
Thank you
<%@ Language=VBScript %>
<% Option Explicit %>
<%
Dim objCN ' ADO Connection object
Dim objRS ' ADO Recordset object
Dim strsql ' SQL query string
Dim RecordsArray ' To hold the Array returned by GetRows
Dim i ' A counter variable
' Create a connection object
Set objCN = Server.CreateObject("ADODB.Connection")
' Connect to the data source
objCN.ConnectionString = "DATABASECONNECTION"
objCN.Open
' Prepare a SQL query string
strsql = "SELECT * FROM ADS WHERE CAT_ID = ? AND MAKE = ? ORDER BY CAT_ID DESC"
' Execute the SQL query and set the implicitly created recordset
Set objRS = objCN.Execute(strsql)
' Write out the results using GetRows in a loop
Response.write "<pre>"
Do While Not objRS.EOF
RecordsArray = objRS.GetRows(30)
' Print out the array
For i = 0 To UBound(RecordsArray, 2)
Response.write RecordsArray(0, i)
Response.write vbTab
Response.write RecordsArray(1, i)
Response.write vbTab
Response.write RecordsArray(2, i)
Response.write vbTab
Response.write RecordsArray(3, i)
Response.write vbTab
Response.write vbCrLf
Next
Loop
Response.write "</pre>"
objRS.Close
objCN.Close
Set objCN = Nothing
Set objRS = Nothing
%>
mp3cdman | Posted 4:17pm 23. September 2008 Server Time |
Just change this line
strsql = "SELECT * FROM ADS WHERE CAT_ID = ? AND MAKE = ? ORDER BY CAT_ID DESC"
to
strsql = "SELECT * FROM ADS WHERE CAT_ID = " & strCatID & " AND MAKE = '" & strMake & "' ORDER BY CAT_ID DESC;"
and then at the start add
Dim strCatID, strMake ' needed because the page runs with Option Explicit
strCatID = Request.QueryString("CAT_ID")
strMake = Request.QueryString("MAKE")
mp3cdman ;-P
jhd1967 | Posted 4:57pm 23. September 2008 Server Time |
Thank you for your reply
Is this safe to use against SQL injection?
And another question, if I may:
how can I have the results display horizontally?
Thanks again
jhd1967 | Posted 6:22pm 23. September 2008 Server Time |
Oops, I meant to say:
Is this safe to prevent SQL injection attacks?
probinu | Posted 10:28am 24. September 2008 Server Time |
No, the above is not safe against SQL injection.
You need to either scrub the values from the query string or add parameters to your query.
jhd1967 | Posted 10:42am 24. September 2008 Server Time |
I usually use Dreamweaver to do this!!
Any idea how I can do it in this example?
Thank you
mp3cdman | Posted 12:37am 24. September 2008 Server Time |
If you didn't know how to get the values into the string then I thought I would make it as simple as possible for you so that you could at least get it working... no point trying to fly before you can walk now, is there?
To make it safe, all you need to do is strip out any ' or replace them with '', so do this instead...
strCatID = Replace(Request.QueryString("CAT_ID"), "'", "''")
strMake = Replace(Request.QueryString("MAKE"), "'", "''")
mp3cdman ;-P
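Editor's note, not part of any post above: the quote-doubling fix only hardens the MAKE value, which sits inside single quotes in the SQL text. CAT_ID is concatenated unquoted in the same statement, so doubling quotes does nothing for it; whatever text arrives in the query string is pasted straight into the WHERE clause. probinu's other option, parameters, covers both values at once because the SQL text never changes and the values are sent separately. The following page is an added example of that approach; it assumes the ADS table with a numeric CAT_ID and a text MAKE column as used in the thread, keeps the "DATABASECONNECTION" placeholder from the first post, and defines the standard ADO constants inline instead of including adovbs.inc.

```vbscript
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' Standard ADO constant values (normally supplied by adovbs.inc; defined here so the page is self-contained)
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200

Dim objCN, objCmd, objRS, RecordsArray, i, j
Dim lngCatID, strMake

' 1. Check the query string values before they go anywhere near SQL.
'    CAT_ID must be a whole number; MAKE is free text but capped at the parameter size below.
If Not IsNumeric(Request.QueryString("CAT_ID")) Then
    Response.Write "Invalid CAT_ID"
    Response.End
End If
lngCatID = CLng(Request.QueryString("CAT_ID"))
strMake = Left(Request.QueryString("MAKE"), 50)

Set objCN = Server.CreateObject("ADODB.Connection")
objCN.ConnectionString = "DATABASECONNECTION"   ' placeholder carried over from the original post
objCN.Open

' 2. Build a parameterised command. The two ? markers stay in the SQL text and the
'    values are attached as parameters, so a quote inside MAKE can never end the literal
'    and a non-numeric CAT_ID is rejected before the command is executed.
Set objCmd = Server.CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objCN
objCmd.CommandType = adCmdText
objCmd.CommandText = "SELECT * FROM ADS WHERE CAT_ID = ? AND MAKE = ? ORDER BY CAT_ID DESC"
objCmd.Parameters.Append objCmd.CreateParameter("CatID", adInteger, adParamInput, , lngCatID)
objCmd.Parameters.Append objCmd.CreateParameter("Make", adVarChar, adParamInput, 50, strMake)

Set objRS = objCmd.Execute

' 3. Same GetRows loop as the original post, but every column is written and each cell
'    is HTML-encoded so stored data cannot inject markup into the page on the way out.
Response.Write "<pre>"
Do While Not objRS.EOF
    RecordsArray = objRS.GetRows(30)
    For i = 0 To UBound(RecordsArray, 2)          ' one line per record
        For j = 0 To UBound(RecordsArray, 1)      ' every column of that record
            ' "& """ turns a Null field into an empty string before encoding
            Response.Write Server.HTMLEncode(CStr(RecordsArray(j, i) & ""))
            Response.Write vbTab
        Next
        Response.Write vbCrLf
    Next
Loop
Response.Write "</pre>"

objRS.Close
objCN.Close
Set objRS = Nothing
Set objCmd = Nothing
Set objCN = Nothing
%>
```

The parameter types are assumptions about the ADS schema: if CAT_ID is not an integer column or MAKE is longer than 50 characters, adjust the adInteger/adVarChar types and the size argument to match, otherwise the provider will reject or truncate the values.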
jhd1967 | Posted 8:13pm 27. September 2008 Server Time |
I did get it to work. I have one more question:
how can I display the records horizontally?
Thank you
jhd1967 | Posted 9:47am 30. September 2008 Server Time |
Anyone!!!