I figure I must be doing something really dumb! No errors, checked my strings and they are correct (I think), table does not update, any ideas?

Code:

 
<%
RespStr= "The item has been updated! Your cart will reflect changes."
CustID=Request.QueryString("CustID")
Qty=Request.QueryString("Qty")
ProdID=Request.QueryString("ProdID")
Set conn=Server.CreateObject("ADODB.Connection")
conn.Provider="Microsoft.Jet.OLEDB.4.0"
conn.Open ("c:/inetpub/wwwroot/HawksWeb/Data/WebData.mdb")
SQL = "Update Cart Set Qty='"&Qty&"' Where ProdID='"&ProdID&"' and CustID='"&CustID&"'"
if Qty=0 then
SQL = "Delete From Cart Where ProdID='"&ProdID&"' and CustID='"&CustID&"'" 
conn.Execute SQL 
End If
Set conn=nothing
Response.Write(RespStr)
%>

I am inserting to the database just fine this script makes changes to existing data.

Move the "conn.Execute SQL" to be BELOW the End If. Right now it's inside the If statement so it is ONLY executing when qty=0.

Yeah, that is because I want to delete the record if the Quantity is "0", otherwise I want to update the record with a new quantity. This is weird, I cannot even get an error to work with. Thanks for the interest.

Quote:

Yeah, that is because I want to delete the record if the Quantity is "0", otherwise I want to update the record with a new quantity

Yep, sure, BUT you have to execute the SQL statement in BOTH cases! In your code it will only execute in the one case!

DOH! Thx guys, my site is done!... for now.

Also I might point out that the code you presented here is highly vulnerable to a SQL injection attack.

I could go to the page that uses that code, and change the url so instead of ProdId=15, I could enter the url:

Code:

yourdomain.com/updatecart.asp?qty=0&custid=0&ProdId=';delete from User;//

Guess what would happen?

With ProdId equal to:

Code:

';delete from User;//

The code that gets executed is:

Code:

Delete From Cart Where ProdID=0 and CustID='';delete from User;//'

That's right, it deletes from Cart where CustId='',
then it deletes EVERYTHING FROM THE USER TABLE
then a comment afterwards to prevent any errors.

Of course, you might not have a User table, but it would be a simple matter to instead of deleting the user table, executing some other code to determine what tables you have, THEN deleting those tables, or altering data, or doing whatever I felt like to royally screw over your database.

Whenever you have user input that goes into a sql statement,
you MUST replace apostrophes with double apostrophes,
or strip them out completely,
otherwise hackers WILL eventually find your site and have happy time with your database.
This is called a SQL injection attack and is one of the most widely used attacks on the internet.

I second that nyef, Just had my site hacked with sql injection. I found a nice simple page that explains how to fix your asp code: http://www.cheergallery.com/SQLInjectionHelp.html

Better to fix it now that later, trust me on this.

Thx guys, I was aware of the threat and the database is just a temp holder for customer order as is the ID just a temp until checkout, I was still going to have to protect them to some extent though and thought I was looking at another day or to of punching this keyboard... The script looks good and simple, will save me a ton of trouble sandbox!