Dwagar, 10-20-09, 01:31 PM
Syntax Error

Your code can be attacked using a SQL Injection.

I would change this code

rsForums.Source = " SELECT * FROM (SELECT *, (SELECT COUNT (*) FROM REPLIES WHERE REPLIES.MSG_ID = MESSAGES.MSG_ID) AS REP_COUNT FROM MESSAGES, CATEGORIES WHERE CATEGORIES.CAT_ID = MESSAGES.CAT_ID) WHERE MESSAGES.CAT_ID = '" & fixword(intCat_Id) & "' ORDER BY MSG_LAST_POST DESC"

Then add a function

' Double every single quote so user input cannot terminate the SQL string literal
Function fixword(stext)
    fixword = Replace(stext, "'", "''")
End Function

Maybe your querystring is passing a ' and that can cause an error too.
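An added example (not from the post above or its author) showing the same category lookup written with an ADODB parameter instead of string concatenation, so the database never parses the request value as SQL; it keeps the poster's fixword for comparison, assumes an already-open ADODB.Connection named conn, and uses a simplified single-level form of the post's query.

```vbscript
Option Explicit

' ADO constants normally pulled in from adovbs.inc
Const adCmdText = 1, adInteger = 3, adParamInput = 1

' Poster's approach: doubling quotes keeps a value like  1' OR '1'='1
' inside the string literal. It only helps when the value is quoted in the SQL.
Function fixword(stext)
    fixword = Replace(stext, "'", "''")
End Function

' Assumed request value: the category id from the querystring
Dim intCat_Id, cmd, rsForums
intCat_Id = Request.QueryString("cat_id")

' CAT_ID is a number, so reject anything that is not one before it gets near SQL.
' This also removes the stray-quote problem the post mentions.
If Not IsNumeric(intCat_Id) Then
    Response.Write "Invalid category id."
    Response.End
End If

' Parameterised query: the ? placeholder is bound as an integer, so no part of
' the request value is ever interpreted as SQL syntax.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT *, (SELECT COUNT(*) FROM REPLIES " & _
    "WHERE REPLIES.MSG_ID = MESSAGES.MSG_ID) AS REP_COUNT " & _
    "FROM MESSAGES, CATEGORIES " & _
    "WHERE CATEGORIES.CAT_ID = MESSAGES.CAT_ID AND MESSAGES.CAT_ID = ? " & _
    "ORDER BY MSG_LAST_POST DESC"
cmd.Parameters.Append cmd.CreateParameter("CatId", adInteger, adParamInput, , CLng(intCat_Id))

Set rsForums = cmd.Execute
```

Escaping with fixword is a reasonable stopgap for quoted string values, but the numeric check plus a bound parameter is the version to keep: it holds even where the value is not wrapped in quotes.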