select query data type mismatch

eyoung1 · Jul 1, 2008

this works

sSQL = "SELECT *" & _
" FROM Expenses2008" & _
" WHERE Amount Like '%" & Request.Form("searchItem") & "%'"
set rs = Connect.Execute(sSQL)

however if I enter an amount of 99 it not only gives me all entries
with 99.00 in the Amount collum but 199.00, 1991.72...anything with
two 9s together.

So I tried

sSQL = "SELECT *" & _
" FROM Expenses2008" & _
" WHERE Amount = '" & Request.Form("searchItem") & "'"
set rs = Connect.Execute(sSQL)

But I get an error message

Microsoft JET Database Engine error '80040e07'
Data type mismatch in criteria expression.
/eforms/shiprec/search.asp, line 201

Can someone help me with this?

Bob Barrows [MVP] · Jul 1, 2008

this works

sSQL = "SELECT *" & _
" FROM Expenses2008" & _
" WHERE Amount Like '%" & Request.Form("searchItem") & "%'"
set rs = Connect.Execute(sSQL)

however if I enter an amount of 99 it not only gives me all entries
with 99.00 in the Amount collum but 199.00, 1991.72...anything with
two 9s together.

So I tried

sSQL = "SELECT *" & _
" FROM Expenses2008" & _
" WHERE Amount = '" & Request.Form("searchItem") & "'"
set rs = Connect.Execute(sSQL)

But I get an error message

Microsoft JET Database Engine error '80040e07'
Data type mismatch in criteria expression.
/eforms/shiprec/search.asp, line 201

Can someone help me with this?

When you use Like, Jet converts the numeric data in your Number field to
strings in order to do the comparison.
When you use = no implicit conversion is performed. Since you are
comparing data contained in a column whose datatype is number to a
literal value contained in quotes (a string) a data type mismatch
occurs. You need to remove the quotes from this line:
" WHERE Amount = '" & Request.Form("searchItem") & "'"
so that it reads:
" WHERE Amount = " & Request.Form("searchItem")

Further points to consider:
Your use of dynamic sql is leaving you vulnerable to hackers using sql
injection:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23

See here for a better, more secure way to execute your queries by using
parameter markers (tokens):
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

Personally, I prefer using stored procedures, or saved parameter queries
as they are known in Access:

Access:
http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&[email protected]

http://groups.google.com/groups?hl=...=1&[email protected]

eyoung1 · Jul 1, 2008

wow...that was too easy.

" WHERE Amount = '" & Request.Form("searchItem") & "'"
so that it reads:
" WHERE Amount = " & Request.Form("searchItem")

Not a problem...internal server used by only 15 people.

Further points to consider:
Your use of dynamic sql is leaving you vulnerable to hackers using sql
injection:http://mvp.unixwiz.net/techtips/sql....sqlsecurity.com/DesktopDefault.aspx?tabid=23

Thanks!

Daniel Crichton · Jul 2, 2008

wow...that was too easy.

Not a problem...internal server used by only 15 people.

What happens when one of those people decides they're going to leave the
company and aren't happy and puts something in the searchItem field of the
form that results in a SQL injection that does something to your data?

mismatch error	2	Feb 22, 2006
type mismatch	5	Apr 23, 2009
Data Type Mismatch	1	Feb 24, 2007
error if db search finds nothing	25	Feb 22, 2006
System.Data.OleDb.OleDbException: Data type mismatch in criteria expression.	2	Apr 10, 2007
Object required? tring to set varible to use with query	1	Jul 28, 2004
Loop results almost right...help.	11	Feb 8, 2006
SELECT Query in ASP	4	Dec 3, 2007

select query data type mismatch

eyoung1

Bob Barrows [MVP]

eyoung1

Daniel Crichton

Ask a Question

Similar Threads

Members online

Forum statistics

Latest Threads