SQL statement to insert into database table not working - "Invalid column name"

Question

I am creating a website with classic ASP on the backend. The form on the frontend submits to the Classic ASP page on the backend just fine. I am also able to connect to the database just fine. (I have tested both of these.)

The problem occurs when I try and add the form inputs into the database table. (form method is POST).

Here is what I am trying to do -

conn.Execute "insert into table1(firstn, lastn, dato, scene) values (fn, ln, sd, sce)"

table1 exists with firstn, lastn, dato, and scene as its columns. conn and the fn, sd, ln, sd, and sce variables have been declared and initialized correctly.

However, I am still getting an "Invalid column name fn" error. Why is that?

How can I fix this error?

Each string value must be surrounded with single quote - or better yet, use a prepared statement. Voting to close this as a typo. — GMB, Jun 17 '20 at 23:47
`fn` refers to a column with the way you've expressed it here. Do you mean the variable `fn`? — tadman, Jun 17 '20 at 23:48
Do this with prepared statements and placeholder values, then bind the data when executing. — tadman, Jun 17 '20 at 23:48
@GMB they are string variables. Do I still need to do "... VALUES('fn', 'ln', ...)"? — codergod, Jun 17 '20 at 23:49
@tadman YES, the variable fn. not a column. i want to insert a new set of results in the table. — codergod, Jun 17 '20 at 23:49
Use [placeholder values](https://stackoverflow.com/questions/8538979/how-can-i-make-a-prepared-statement-in-classic-asp-that-prevents-sql-injection) to specify where the data goes. These look like `?` or perhaps even `?fn`. — tadman, Jun 17 '20 at 23:51
As another tip, try and use variable names that match the column names. There's no reason to refer to it as both `fn` and `firstn`. Pick one and stick to it. — tadman, Jun 17 '20 at 23:51
Either concatenate the variables or if SQL injection is a concern, use parameters, which may be what GMB means by 'prepared statement'. I've never had concern about SQL injection in my local db so haven't used. I just concatenate. But since this is a web app, recommend parameterization. — June7, Jun 17 '20 at 23:53
You won't be able to add your form values like that, instead use an [`ADODB.Command` object to execute a parameterised query](https://stackoverflow.com/a/40014534/692942). — user692942, Jun 18 '20 at 00:23
@June7 *"if SQL injection **is a concern**, use parameters"*?? There's no "if" just don't do it. There is no scenario where suggesting there is an alternative is viable. — user692942, Jun 18 '20 at 00:26

score 0 · Answer 1 · edited Jun 19 '20 at 20:58

0

Try to use:

conn.Execute "insert into table1(firstn, lastn, dato, scene) values (" &fn& ", " &ln& ", " &sd& ", " &sce& ")"

So you will input fn, ln, sd and sce as variables and not content into your query.

edited Jun 19 '20 at 20:58

answered Jun 19 '20 at 20:49

Eduardo Felipe de Souza

17
4

firstn, lastn are most likely strings i.e. your example will give an error as strings should be enclosed with a single quote ' – user2316116 Jun 21 '20 at 20:09
No user2316116, he do not specified the type of the variable or column. – Eduardo Felipe de Souza Jun 23 '20 at 15:42
it doesn't mean it makes your answer correct. 1) you suggested a way to make the code vulnerable for sql injections 2) it will not work for values other than numeric values – user2316116 Jun 24 '20 at 16:20
The question is not about how to prevent slq injections and about why isn’t working – Eduardo Felipe de Souza Jun 24 '20 at 16:26

SQL statement to insert into database table not working - "Invalid column name"

1 Answers1