this works sSQL = "SELECT *" & _ " FROM Expenses2008" & _ " WHERE Amount Like '%" & Request.Form("searchItem") & "%'" set rs = Connect.Execute(sSQL) however if I enter an amount of 99 it not only gives me all entries with 99.00 in the Amount collum but 199.00, 1991.72...anything with two 9s together. So I tried sSQL = "SELECT *" & _ " FROM Expenses2008" & _ " WHERE Amount = '" & Request.Form("searchItem") & "'" set rs = Connect.Execute(sSQL) But I get an error message Microsoft JET Database Engine error '80040e07' Data type mismatch in criteria expression. /eforms/shiprec/search.asp, line 201 Can someone help me with this?
eyoung1@uiuc.edu wrote: > this works > > sSQL = "SELECT *" & _ > " FROM Expenses2008" & _ > " WHERE Amount Like '%" & Request.Form("searchItem") & "%'" > set rs = Connect.Execute(sSQL) > > however if I enter an amount of 99 it not only gives me all entries > with 99.00 in the Amount collum but 199.00, 1991.72...anything with > two 9s together. > > So I tried > > sSQL = "SELECT *" & _ > " FROM Expenses2008" & _ > " WHERE Amount = '" & Request.Form("searchItem") & "'" > set rs = Connect.Execute(sSQL) > > But I get an error message > > Microsoft JET Database Engine error '80040e07' > Data type mismatch in criteria expression. > /eforms/shiprec/search.asp, line 201 > > > Can someone help me with this? When you use Like, Jet converts the numeric data in your Number field to strings in order to do the comparison. When you use = no implicit conversion is performed. Since you are comparing data contained in a column whose datatype is number to a literal value contained in quotes (a string) a data type mismatch occurs. You need to remove the quotes from this line: " WHERE Amount = '" & Request.Form("searchItem") & "'" so that it reads: " WHERE Amount = " & Request.Form("searchItem") Further points to consider: Your use of dynamic sql is leaving you vulnerable to hackers using sql injection: http://mvp.unixwiz.net/techtips/sql-injection.html http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23 See here for a better, more secure way to execute your queries by using parameter markers (tokens): http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e Personally, I prefer using stored procedures, or saved parameter queries as they are known in Access: Access: http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=e6lLVvOcDHA.1204%40TK2MSFTNGP12.phx.gbl http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&selm=eHYxOyvaDHA.4020%40tk2msftngp13.phx.gbl -- Microsoft MVP -- ASP/ASP.NET Please reply to the newsgroup. The email account listed in my From header is my spam trap, so I don't check it very often. You will get a quicker response by posting to the newsgroup.
wow...that was too easy. > " WHERE Amount = '" & Request.Form("searchItem") & "'" > so that it reads: > " WHERE Amount = " & Request.Form("searchItem") > Not a problem...internal server used by only 15 people. > Further points to consider: > Your use of dynamic sql is leaving you vulnerable to hackers using sql > injection:http://mvp.unixwiz.net/techtips/sql-injection.htmlhttp://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23 > Thanks!
eyoung1@uiuc.edu wrote on Tue, 1 Jul 2008 13:37:10 -0700 (PDT): > wow...that was too easy. >> " WHERE Amount = '" & Request.Form("searchItem") & "'" >> so that it reads: >> " WHERE Amount = " & Request.Form("searchItem") > Not a problem...internal server used by only 15 people. What happens when one of those people decides they're going to leave the company and aren't happy and puts something in the searchItem field of the form that results in a SQL injection that does something to your data? >> Further points to consider: >> Your use of dynamic sql is leaving you vulnerable to hackers using >> sql >> injection:http://mvp.unixwiz.net/techtips/sql-injection.htmlhttp:// >> www.sqlsecurity.com/DesktopDefault.aspx?tabid=23 > Thanks! -- Dan
