I have an older ASP website (uses classic ASP not .NET) and I am adding a new page to it. I want to display a textbox that the user can enter a value and then I will take that value and use as a parameter in my SQL query. I am having a hard time getting the value (strEmail) to pass into the string. Here is my code so far:


Can anyone give me some helpful pointers on this one?

Highlighted in red color is corrected code.

<%@LANGUAGE="VBSCRIPT" %>
<html>
<head>
<title>Outstanding Greeting Cards</title>
<style type="text/css">
#Text1
{
height: 20px;
width: 200px;
}
#txtEmail
{
width: 240px;
height: 20px;
}
</style>

</head>
<!--#include file="Connections/connCards.asp" -->
<body>

<form action="OutstandingGreetingCards.asp" method="post" runat="server" >

<p style="height: 32px">
Enter your e-mail address to view your outstanding cards:
<input id="txtEmail" type="text" value="test@email.ca" />


<%
SET rsOutstanding = Server.CreateObject("ADODB.Recordset")
rsOutstanding.ActiveConnection = MM_connCards_STRING

strEmail = request.Form("txtEmail")

sSql = "SELECT sentto, dateToSend, subject, message FROM greetings WHERE fromname = '" & strEmail &"' ORDER BY greetingid"

response.Write("<br/><br/>")
response.Write(sSql)
response.Write("<br/><br/>")
response.Write(strEmail)
response.End

SET openRS = rsOutstanding.Execute(sSQL)

If openRS.EOF then
'if there are no records display a message and stop
Response.Write "No records available"
Response.End
End If

'Build the table with headers
Response.Write "<Table width=100% align=center border=1>"
Response.Write "<tr>"
Response.Write "<td align=center>Sent To</td>"
Response.Write "<td align=center>Date To Send</td>"
Response.Write "<td align=center>Subject</td>"
Response.Write "<td align=center>Message</td>"
Response.Write "</tr>"

'Populate table from recordset
While not openRS.EOF
Response.Write "<tr>"
Response.Write "<td>" & openRS("sentto") & "</td>"
Response.Write "<td>" & openRS("dateToSend") & "</td>"
Response.Write "<td>" & openRS("subject") & "</td>"
Response.Write "<td>" & openRS("message") & "</td>"
Response.Write "</tr>"
objRec.MoveNext
WEnd
Response.Write "</table>"

openRS.Close
set openRS = nothing

rsOutstanding.close
set rsOutstanding = nothing
%>
<input id="Submit1" type="submit" value="Submit" onclick="return Submit1_onclick()" /></p>

</form>
</Body>
</HTML>

Thanks, I appreciate the help. Actually, there are a few thing I figured out and managed to get it working:

1) Had to give textbox a name tag ie. name="Text1"

2) In order to set the value to my variable I had to declare it first on its own, then set it using request.form("Text1")

3) Had to fix my select statement (Thanks again for pointing that out)

Now I just have to figure out why my rs dosen't work! But the original problem has been solved. Hope this can help someone else in the future if they get stuck doing classic asp like me.

Thanks

Ok, AT THE VERY LEAST SANITIZE THE INPUTS if you are are going to directly create a SQL string.

Why? To avoid sql injection attacks.

I once dealt over an entire weekend with the resultes of an automated sql injection attack which inserted injected javascript script tags in a varchar and text fields; thereby inserting javascript into a whole bunch of pages, potentially doing who the @!#%@$ knows what to the website because nobody before me thought to sanitize their inputs. It was absolutely freaking rediculous.

To sanitize text, this is all you have to do:

strEmail = replace(request.Form("txtEmail"),"'","''")

A better way would be to use SqlParameters, because then the sql statement would be compiled only once...and I'd show it to you this moment, but I admit I hate the way you have to handle them in classic asp: I can't ever remember how to create them with the proper integer codes...