0

Imagine that I have a database with Name and age and i want to insert a person to that database so I'll do:

SQL="INSERT INTO Person(Name,Age) VALUES ('" & Name & "'," & Age &")"

And in my interface I Insert the Name: Nick and age:25.

How can I see in my interface what SQL is doing for example: 

INSERT INTO Person(Nick,25)

PS: Programming this in classic asp. I've seen it done through a simple Response.Write, but I don't remember how it was done.

Hope it was clear to understand, and thank you for all the help

ollie
  • 1,009
  • 1
  • 8
  • 11
Nicolas Sousa
  • 1
  • 1
  • 3
    Side note - for most uses, it's more useful to capture/retain Date of Birth rather than Age - especially if this data is about real living people. `Age` is guaranteed to become incorrect within the next 366 days - but when, we don't know. DOB should only be incorrect due to entry error, and Age can always be derived from it. – Damien_The_Unbeliever Jun 05 '17 at 14:28
  • You desperately need to read about, understand and start using parameterized queries. What you have here is wide open to sql injection. My friend bobby tables loves this kind of thing. http://bobby-tables.com/ – Sean Lange Jun 05 '17 at 14:51

2 Answers2

4

It is just simply this Response.Write(SQL).

On the other hand I strongly suggest you to read about SQL Parameters. Like in here ASP Classic Named Parameter in Paramaterized Query: Must declare the scalar variable

hardkoded
  • 18,915
  • 3
  • 52
  • 64
0

More to compliment @kblok's answer than to undermine it:

I strongly advise that you download Microsoft SQL Server Management Studio Express, if you haven't done so already, and test your statements there, or, even better, use it to write parameterised stored procedures.

When using stored procedures you can simply call it by using the appropriate settings in your Connection object...

Set conn = Server.CreateObject("ADODB.Connection")
conn.ConnectionString = myConn
Set comm = Server.CreateObject("ADODB.Command")
comm.ActiveConnection  = conn
comm.CommandText = "prc_get_data"
comm.CommandType = 4 'Stored procedure

Though the documentation is a little flaky now, I would recommend you take a look at the Microsoft Documentation for this.

Paul
  • 4,160
  • 3
  • 30
  • 56