
Here is the query:

INSERT INTO `users` (username, password, email) VALUES ('testu', 'testp', 'teste')

I am getting this error with the following VB code (ASP):

    ' Raw form values, used directly below without validation or escaping
    username = Request.Form("username")
    password = Request.Form("password")
    email = Request.Form("email")

    Dim conn As OleDbConnection = New OleDbConnection(GetConnectionString())
    ' The SQL text is built by string concatenation of the form values
    Dim comm As OleDbCommand = New OleDbCommand("INSERT INTO users (username, password, email) VALUES ('" & username & "', '" & password & "', '" & email & "')", conn)

    conn.Open()
    comm.ExecuteNonQuery()

What is wrong with this statement? I know the connection string is correct because I have used it throughout the rest of my application.

  • Ah, SQL injection. Commented Dec 6, 2011 at 12:28
  • Never store passwords in plain text. Commented Dec 6, 2011 at 12:29
  • Always use parameters for queries!! Commented Dec 6, 2011 at 12:29
  • FYI... your code is open to SQL injection... and what is the exact error message you get? Commented Dec 6, 2011 at 12:30
  • Try this: Dim query as String = "INSERT INTO users (... copying your query. Then edit your question, posting the query value. As someone said, there could be some strange char in the params... Commented Dec 6, 2011 at 12:38

2 Answers

Agree! Always use a parameterized (prepared) query and hash and salt your password. Read the SO thread Salting Your Password: Best Practices?.

 Dim conn As OleDbConnection = New OleDbConnection(GetConnectionString())
 ' password is a reserved word in the Access database engine, so it is bracketed as [password]
 Dim comm As OleDbCommand = New OleDbCommand("INSERT INTO users (username, [password], email) VALUES (@username, @password, @email)", conn)
 ' Values are bound as parameters, never spliced into the SQL text
 comm.Parameters.Add("@username", OleDbType.VarChar, 30).Value = username
 comm.Parameters.Add("@password", OleDbType.VarChar, 30).Value = password
 comm.Parameters.Add("@email", OleDbType.VarChar, 30).Value = email
 conn.Open()
 comm.ExecuteNonQuery()

3 Comments

  • Like I said, it is for a very small school project. I am aware of prepared queries and salting. The problem here is the query I mentioned not working, and I do not believe using parameters will solve that (but I could be wrong).
  • @LoganSerman - Password is a reserved word of the Access database engine, so you have to escape it. See the edited post. office.microsoft.com/en-us/access-help/…
  • Thank you, AVD. That was indeed the problem.

Don't EVER pass parameters to SQL commands with concatenation! This is an open way for a SQL injection attack.

You should use placeholders for parameters and add the actual values using comm.AddParameter().

As for your error - I'd expect some of your parameter values contain a single quote (').
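To make the two answers concrete, here is an added example (not code from either poster) that reproduces the failure mode the second answer suspects and the fix the first answer gives. Python's sqlite3 stands in for VB/OleDb/Access, so the Access-specific `[password]` bracketing is not modeled (sqlite does not reserve that word); the sample row is constructed, and the password column is kept plain only to mirror the question's schema.

```python
import sqlite3

# Constructed sample input: a legitimate username containing a single quote,
# the kind of value the second answer suspects is breaking the concatenated INSERT.
SAMPLE_ROW = ("o'brien", "testp", "teste")


def make_db():
    """In-memory table mirroring the page's users(username, password, email)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    return conn


def insert_concatenated(conn, username, password, email):
    """The pattern from the question: values spliced into the SQL text.
    A quote inside any value changes the statement itself; here the parser rejects it."""
    sql = ("INSERT INTO users (username, password, email) VALUES ('"
           + username + "', '" + password + "', '" + email + "')")
    conn.execute(sql)


def insert_parameterized(conn, username, password, email):
    """The pattern from the accepted answer: placeholders in the SQL, values bound
    separately by the driver, so quotes in the data never reach the SQL parser."""
    conn.execute(
        "INSERT INTO users (username, password, email) VALUES (?, ?, ?)",
        (username, password, email),
    )


def compare():
    """Run both patterns on SAMPLE_ROW.
    Returns (error text from the concatenated insert or None, rows stored afterwards)."""
    conn = make_db()
    try:
        insert_concatenated(conn, *SAMPLE_ROW)
        concat_error = None
    except sqlite3.OperationalError as exc:
        concat_error = str(exc)
    insert_parameterized(conn, *SAMPLE_ROW)
    rows = conn.execute("SELECT username, password, email FROM users").fetchall()
    return concat_error, rows


if __name__ == "__main__":
    err, rows = compare()
    print("concatenated insert failed with:", err)
    print("parameterized insert stored:", rows)
```

The concatenated statement fails with a syntax error on ordinary data, while the parameterized one stores the quoted value intact, which is the same reason parameters also close the injection hole the commenters point out.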
