IIS ASP - SQL WHERE command and IF

Author

SQL WHERE command and IF

gjoneshtfc@volcanomail.com

2006-06-24, 7:26 am

Hello

I have a two menus where the user chooses the make and model of a car.
After submitting, a results page shows depending on their inputs. My
SQL is currently:

SELECT *
FROM MainTable
WHERE [model] = '" & chosenmodel & "'
ORDER BY Price DESC

I now want to introduce an option where they can search for any model
of a selected make, whilst still giving the option of searching by a
specific model. What i need is something like:

IF chosenmodel = "Any"
SELECT *
FROM MainTable
WHERE [make] = '" & chosenmake & "'
ORDER BY Price DESC

ELSE
SELECT *
FROM MainTable
WHERE [model] = '" & chosenmodel & "'
ORDER BY Price DESC

Unfortunately I have no idea how i can put this into SQL code as i am
new to the language. My searching for an answer so far has only lead to
me to using AND and OR as part of the WHERE command. However, this will
not work for what i want to do. Please can anyone help me?!

Thanks for your time,
Gareth

Bob Barrows [MVP]

2006-06-24, 7:26 am

gjoneshtfc@volcanomail.com wrote:
> Hello
>
> I have a two menus where the user chooses the make and model of a car.
> After submitting, a results page shows depending on their inputs. My
> SQL is currently:
>
> SELECT *

Nothing to do with your problem, but:
http://www.aspfaq.com/show.asp?id=2096

> FROM MainTable
> WHERE [model] = '" & chosenmodel & "'
> ORDER BY Price DESC

Your use of dynamic sql is leaving you vulnerable to hackers using sql
injection:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23

See here for a better, more secure way to execute your queries by using
parameter markers:
http://groups-beta.google.com/group...2e36562fee7804e

>
> I now want to introduce an option where they can search for any model
> of a selected make, whilst still giving the option of searching by a
> specific model. What i need is something like:
>
> IF chosenmodel = "Any"
> SELECT *
> FROM MainTable
> WHERE [make] = '" & chosenmake & "'
> ORDER BY Price DESC
>
> ELSE
> SELECT *
> FROM MainTable
> WHERE [model] = '" & chosenmodel & "'
> ORDER BY Price DESC
>
> Unfortunately I have no idea how i can put this into SQL code as i am
> new to the language. My searching for an answer so far has only lead
> to me to using AND and OR as part of the WHERE command. However, this
> will not work for what i want to do. Please can anyone help me?!
>
What database (type and version, please) are you using? In the future,
please provide this information upfront: it is almost always relevant.

Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"

gjoneshtfc@volcanomail.com

2006-06-24, 7:26 am

Thanks Bob,

Whilst waiting for a reply i have been messing around and have managed
to solve my problem using ASP IF and Else to set the recordset. Thanks
for the reply and i will be sure to look into your suggestions to make
my coding more secure.

Thanks again,
Gareth

Bob Barrows [MVP] wrote:

> gjoneshtfc@volcanomail.com wrote:
>
> Nothing to do with your problem, but:
> http://www.aspfaq.com/show.asp?id=2096
>
>
> Your use of dynamic sql is leaving you vulnerable to hackers using sql
> injection:
> http://mvp.unixwiz.net/techtips/sql-injection.html
> http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
>
> See here for a better, more secure way to execute your queries by using
> parameter markers:
> http://groups-beta.google.com/group...2e36562fee7804e
>
>
>
> What database (type and version, please) are you using? In the future,
> please provide this information upfront: it is almost always relevant.
>
> Bob Barrows
> --
> Microsoft MVP - ASP/ASP.NET
> Please reply to the newsgroup. This email account is my spam trap so I
> don't check it very often. If you must reply off-line, then remove the
> "NO SPAM"