I'm having problems uploading a file and inserting data into the database at the same time. It's written in classic ASP.

 Set Upload = Server.CreateObject("Persits.Upload")
 Upload.OverwriteFiles = False
 Upload.Save Server.MapPath("files/drawings/")

 sql = "Insert into Name(first,last) values ("'" & Request.form("firstname") & "','" & Request.form("lastname") & "' " )
 ADOConn.Execute sql
user692942
Sash
  • Are you sure, you haven't got a typo in `Server.CreateObject("Persits.Upload")`? And no user named O'Brian or some such too? – VMai Aug 13 '14 at 16:46
  • If I should comment out the upload statements, the insert statement works, and if I should comment out the insert statement, the upload works. But with both together it doesn't work! – Sash Aug 13 '14 at 16:51
  • @VMai The `Persits.Upload` ProgId is correct; it refers to the [Persits Software Upload COM Component known as ASPUpload](http://www.aspupload.com/). – user692942 Aug 14 '14 at 07:47

1 Answer

The reason is that when you perform the upload you're dealing with the request as binary, which invalidates the Request.Form collection (same as if you call Request.BinaryRead()). To counter this, the ASPUpload component provides a Form collection of its own which contains the posted form values.

Changing the values Request.Form to Upload.Form should fix the problem in this case.

 Set Upload = Server.CreateObject("Persits.Upload")
 Upload.OverwriteFiles = False
 Upload.Save Server.MapPath("files/drawings/")

 'Also make sure the string concatenation is correct (had extra " in after "values")
 sql = "Insert into Name(first,last) values ('" & Upload.Form("firstname") & "','" & Upload.Form("lastname") & "')"
 ADOConn.Execute sql

WARNING: The above code snippet is not sanitized and is open to SQL injection; consider using the ADODB.Command object to parametrise the query before execution (some assumptions about data type and size have been made).

Quick Example

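 'Assumes the ADO constants (adCmdText, adVarWChar, adParamInput,
 'adExecuteNoRecords) are defined, e.g. by including adovbs.inc, and that
 'Upload is the Persits.Upload object after Upload.Save has been called.
 Dim cmd, conn, sql

 conn = "your connection string"
 'Parametrised query
 sql = "Insert into Name(first,last) values (?, ?)"

 Set cmd = Server.CreateObject("ADODB.Command")
 With cmd
   'No need to pass an ADODB.Connection; pass the connection string and
   'the ADODB.Command will open the connection for you.
   .ActiveConnection = conn
   .CommandType = adCmdText
   .CommandText = sql
   'Bind the posted values as parameters (the fifth argument is the value)
   Call .Parameters.Append(.CreateParameter("first", adVarWChar, adParamInput, 100, CStr(Upload.Form("firstname"))))
   Call .Parameters.Append(.CreateParameter("last", adVarWChar, adParamInput, 100, CStr(Upload.Form("lastname"))))
   'Not returning any records, just inserting; Options is the third argument
   Call .Execute(, , adExecuteNoRecords)
 End With
 'Clean-up
 Set cmd = Nothing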

On a side note:

This information isn't hard to find; the ASPUpload Object Reference and Online User Manual are very good. In fact, if you had looked at Section 2.2 - FILES and FORM Collections you would have had the answer to your question without posting here.

Personal experience has taught me that when dealing with 3rd Party COM Components 9/10 times the supporting documentation is very good, especially so in the case of Persits Software components.

user692942
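
An added example, not part of the original answer or of ASPUpload: it uses Python's built-in sqlite3 as a stand-in for the ADO connection to show why the concatenated insert fails on a surname such as O'Brian (the case raised in the comments) while the parameterised form stores it verbatim. The table layout follows the page; the sample name "Conor", the helper names, and the 100-character check (mirroring the parameter size in the answer) are assumptions.

```python
import sqlite3

MAX_LEN = 100  # assumption: mirrors the size passed to CreateParameter in the answer


def make_db():
    """In-memory stand-in for the page's Name(first,last) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE Name ("first" TEXT, "last" TEXT)')
    return conn


def insert_concatenated(conn, first, last):
    """The question's pattern: posted values are spliced into the SQL text."""
    sql = ('INSERT INTO Name("first","last") VALUES (\''
           + first + "','" + last + "')")
    conn.execute(sql)


def insert_parameterised(conn, first, last):
    """The answer's pattern: placeholders in the SQL, values bound separately."""
    for value in (first, last):
        if len(value) > MAX_LEN:
            raise ValueError("value longer than %d characters" % MAX_LEN)
    conn.execute('INSERT INTO Name("first","last") VALUES (?, ?)', (first, last))


def demo():
    """Run both patterns on the same constructed input and report the outcome."""
    conn = make_db()
    results = {}
    try:
        # The apostrophe ends the string literal early, so the statement
        # the database parses is no longer the one the developer wrote.
        insert_concatenated(conn, "Conor", "O'Brian")
        results["concatenated"] = "ok"
    except sqlite3.OperationalError as exc:
        results["concatenated"] = "error: %s" % exc
    # Bound parameters are never parsed as SQL, so the value is stored as typed.
    insert_parameterised(conn, "Conor", "O'Brian")
    results["rows"] = conn.execute('SELECT "first", "last" FROM Name').fetchall()
    return results


if __name__ == "__main__":
    print(demo())
```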