Input from Form


gracenmy
03-27-2004, 01:31 PM
Hi there,

I'm having a problem with the SQL statement processing the input from the form so that it will list down the flight detail based on the destination selected from the form.
Is there anything wrong with the SQL queries here, especially the one referring to the form input? I'm using JavaScript.
<%@ LANGUAGE="Javascript" %>

<!--#include file="Connections/connAirline.asp" -->
<!--#include file="searchFlight.html" -->

<%
var From = Request.Form("from");
//var strTo = Request("to");

var rsFlight = Server.CreateObject("ADODB.Recordset");
rsFlight.ActiveConnection = MM_connAirline_STRING;
rsFlight.Source = "SELECT FLIGHT_NUM, FLIGHT_DATE, FLIGHT_FROM, FLIGHT_TO, FLIGHT_DEPARTIME, FLIGHT_PRICE FROM FLIGHT WHERE FLIGHT_FROM = '"+ From +"'";
rsFlight.CursorType = 0;
rsFlight.CursorLocation = 2;
rsFlight.LockType = 1;
rsFlight.Open();
var rsFlight_numRows = 0;
%>

<table width="80%" border="1" cellspacing="2" cellpadding="2">
<tr>
<td>FLIGHT NUM</td>
<td>DATE</td>
<td>FROM</td>
<td>TO</td>
<td>DEPARTURE</td>
<td>PRICE</td>
</tr>
<% while ((Repeat1__numRows-- != 0) && (!rsFlight.EOF)) { %>
<tr>
<td><%=(rsFlight.Fields.Item("FLIGHT_NUM").Value)%></td>
<td><%=(rsFlight.Fields.Item("FLIGHT_DATE").Value)%></td>
<td><%=(rsFlight.Fields.Item("FLIGHT_FROM").Value)%></td>
<td><%=(rsFlight.Fields.Item("FLIGHT_TO").Value)%></td>
<td><%=(rsFlight.Fields.Item("FLIGHT_DEPARTIME").Value)%></td>
<td><%=(rsFlight.Fields.Item("FLIGHT_PRICE").Value)%></td>
</tr>
<%
Repeat1__index++;
rsFlight.MoveNext();
}
%>
</table>
<p>&nbsp; </p>
</body>
</html>
<%
rsFlight.Close();
%>

Thanks for your help!

redijedi
03-27-2004, 01:43 PM
I'm not entirely sure if I understand the question, but if you just want to display the results of that SQL statement ordered by the from field, you need to include the ORDER BY SQL statement in your select.

I'm more concerned about your code. You have left yourself wide open to SQL injection attacks. Unless you're checking elsewhere in your code for this malicious code, you will have left your database wide open to misuse by anyone that cares to try to get in.

gracenmy
03-27-2004, 01:49 PM
Thanks for your help. But actually I wanna know what's the problem with the SQL queries that it can't list down the flight details according to the departure point selected from the form?

redijedi
03-27-2004, 11:11 PM
Well, I'm not sure how to execute this in JavaScript, but as far as I know JavaScript is a client-side language. That basically bars the ability to connect to a database with it. Here's the VBScript that you would need to use. Maybe you could either use VBScript or find the equivalent JavaScript code.

The problem is that you are not connecting to a database and you're not executing that SQL statement.

The following code won’t work out of the box. You need to set up your DSN and such. Plus I’m drunk and this is off the top of my head…sorry.

<%@ LANGUAGE="VBScript" %>

<%
Option Explicit

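Dim From, Source, ActiveConnection, RS

' YourDSN = Your Datasource Name (set up the DSN and use its name below)

' Read the departure point posted by the search form
From = Request.Form("from")
Set ActiveConnection = Server.CreateObject("ADODB.Connection")

ActiveConnection.Open "DSN=YourDSN; UID=sa"

' Same query as in the question: the form value is concatenated into the SQL text
Source = "SELECT FLIGHT_NUM, FLIGHT_DATE, FLIGHT_FROM, FLIGHT_TO, FLIGHT_DEPARTIME, FLIGHT_PRICE FROM FLIGHT WHERE FLIGHT_FROM = '" & From & "'"

' Execute the statement built above
Set RS = ActiveConnection.Execute(Source)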

%>

<table width="80%" border="1" cellspacing="2" cellpadding="2">
<tr>
<td>FLIGHT NUM</td>
<td>DATE</td>
<td>FROM</td>
<td>TO</td>
<td>DEPARTURE</td>
<td>PRICE</td>
</tr>
<% Do While Not RS.EOF %>
<tr>
<td><%= RS.Fields("FLIGHT_NUM") %></td>
<td><%= RS.Fields("FLIGHT_DATE") %></td>
<td><%= RS.Fields("FLIGHT_FROM") %></td>
<td><%= RS.Fields("FLIGHT_TO") %></td>
<td><%= RS.Fields("FLIGHT_DEPARTIME") %></td>
<td><%= RS.Fields("FLIGHT_PRICE") %></td>
</tr>

<%
RS.MoveNext
Loop
%>

</table>
<p> </p>
</body>
</html>
<% ActiveConnection.Close() %>
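
The same lookup with the form value bound as an ADO parameter instead of concatenated into the SQL text, which is the usual fix for the injection exposure raised in the first reply. This is an added example, not code from any poster in this thread; it assumes the `MM_connAirline_STRING` connection string from the question's include, and the 50-character limit on `FLIGHT_FROM` is a constructed value.

```asp
<%@ LANGUAGE="JavaScript" %>
<!--#include file="Connections/connAirline.asp" -->
<%
// Added example: FLIGHT lookup with the form value passed as a bound parameter.
// ADO constants are written out because adovbs.inc is not assumed to be included.
var adCmdText = 1, adVarChar = 200, adParamInput = 1;
var MAX_FROM_LEN = 50; // assumption: FLIGHT_FROM holds at most 50 characters

// In JScript, Request.Form("from") is a collection object; Count is 0 if the field is absent.
var field = Request.Form("from");
var from = (field.Count > 0) ? String(field) : "";
from = from.replace(/^\s+|\s+$/g, ""); // classic JScript has no String.trim()

var cols = ["FLIGHT_NUM", "FLIGHT_DATE", "FLIGHT_FROM",
            "FLIGHT_TO", "FLIGHT_DEPARTIME", "FLIGHT_PRICE"];

if (from.length === 0 || from.length > MAX_FROM_LEN) {
  // Reject missing or oversized input before touching the database.
  Response.Write("<p>Please choose a departure point.</p>");
} else {
  var cmd = Server.CreateObject("ADODB.Command");
  cmd.ActiveConnection = MM_connAirline_STRING;
  cmd.CommandType = adCmdText;
  // The ? placeholder is filled by the provider; the value is never parsed as SQL.
  cmd.CommandText = "SELECT " + cols.join(", ") +
                    " FROM FLIGHT WHERE FLIGHT_FROM = ?";
  cmd.Parameters.Append(
    cmd.CreateParameter("from", adVarChar, adParamInput, MAX_FROM_LEN, from));

  var rs = cmd.Execute();
  Response.Write('<table width="80%" border="1" cellspacing="2" cellpadding="2">');
  while (!rs.EOF) {
    Response.Write("<tr>");
    for (var i = 0; i < cols.length; i++) {
      // HTML-encode every value so stored data cannot inject markup into the page.
      var value = String(rs.Fields.Item(cols[i]).Value);
      Response.Write("<td>" + Server.HTMLEncode(value) + "</td>");
    }
    Response.Write("</tr>");
    rs.MoveNext();
  }
  Response.Write("</table>");
  rs.Close();
}
%>
```

With the parameter bound this way, a departure value containing a quote character is compared as a literal string and simply matches no rows.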