https://www.webmaster-forums.net/crss/node/1039462 en https://www.webmaster-forums.net/serverside-scripting/sql-count#comment-1223599 <p>Greg, that's why you use something to get rid of those characters, assuming you're accepting data from an outside source. Either a homegrown solution, or something like html_entities... converts things to their HTML char value instead of leaving them as they are.</p> <p>If the source is internal, then I agree to your logic.</p> Mon, 27 Aug 2007 15:48:38 +0000 brady.k comment 1223599 at https://www.webmaster-forums.net https://www.webmaster-forums.net/serverside-scripting/sql-count#comment-1223594 <p>This is something I always recommend to people who get errors with a query in PHP:</p> <p>Right before you execute the query, display the sql statement to make sure it looks formatted well. (when mixing in variables while building it, easy to miss a improper quote or missing comma, etc). Also you should validate the Request.Querystring("user") and make sure any quotes are escaped (not sure how to do this in ASP), say that Request.Querystring("user") was set to <strong>o'neil</strong> the single quote would mess you up. (even if your test value doesn't have one, being that it is something that a user can manually change by changing the URL, you wll want to protect against single quotes and semicolons if ASP/MSSQL let you stack multiple statements in one query execution</p> <p>Imaging if I called it with a query string of <strong>bob'; DELETE FROM urlveiws WHERE profilefor = '%</strong> (or whichever character is the wildcard in MSSQL), the executed query would be:</p> <p>SELECT COUNT(*) FROM urlviews WHERE profilefor = 'bob'; DELETE FROM urlveiws WHERE profilefor = '%'</p> <p>As you can see... bye bye data...</p> <p>If the sql statement does look formatted fine and everything, then take it and manually run it on the database (not sure what MS SQL has for manually running a SQL statement. In PHP with mySQL, you can sometimes get a more detailed error when running it directly on the database.</p> Mon, 27 Aug 2007 14:25:24 +0000 Greg K comment 1223594 at https://www.webmaster-forums.net https://www.webmaster-forums.net/serverside-scripting/sql-count#comment-1223593 <p>Are you trying to count the number of results returned? I've never seen "SELECT COUNT" before, but this is how I would structure a 'count results' query (in PHP, but the SQL is the same):</p> <p><div class="codeblock"><code><span style="color: #000000"><span style="color: #0000BB">&lt;?php<br />$sql </span><span style="color: #007700">= </span><span style="color: #0000BB">mysql_query</span><span style="color: #007700">(\</span><span style="color: #DD0000">"SELECT * FROM urlviews WHERE profilefor = '</span><span style="color: #0000BB">$user</span><span style="color: #DD0000">'\");<br /></span><span style="color: #0000BB">$n_rows</span><span style="color: #DD0000"> = mysql_num_rows(</span><span style="color: #0000BB">$sql</span><span style="color: #DD0000">);<br />?&gt;</span></span></code></div></p> <p>The other issue may be, if your syntax is correct/valid, that the database/table/field you are referencing doesn't exist, or is spelled differently...</p> <p>Finally, since I don't know how to do this in ASP and how it handles errors, does this mean that what you happened to be looking for doesn't exist? Meaning if you wanted profilefor = 'KyleBrady' and there is no username of 'KyleBrady'... does it return what you're getting?</p> Mon, 27 Aug 2007 14:05:41 +0000 brady.k comment 1223593 at https://www.webmaster-forums.net