Help with update

[sthmpsn1]

I am getting a timeout error on an update command for the database and have no clue why I am getting it. considering a page that has pretty much the same code works. Here is my code

dbrs3.open ("Select * From employeeinfo where loginID = '" & request.form("employee1&quot & "'&quot, dbconn, 2, 3


Dim vacation
Dim overtime
Dim personal
Dim medical
Dim volunteer
Dim extended
vacation = (request.form("vacation&quot - request.form("vacationtime&quot)
overtime = (request.form("over_time&quot * 0 + request.form("overtime&quot)
personal = (request.form("personal&quot - request.form("personaltime&quot)
volunteer = (request.form("volunteer&quot - request.form("volunteertime&quot)
medical = (request.form("medical&quot - request.form("medicalleave&quot)
if request.Form(&quot;medical&quot <= &quot;0&quot; Then
extended = (request.form(&quot;extended&quot - request.form(&quot;extendedtime&quot)
end if

dbrs3.movefirst
do while NOT dbrs3.EOF
dbrs3(&quot;vacationtime&quot= vacation
dbrs3(&quot;overtime&quot= overtime
dbrs3(&quot;personalTime&quot= personal
dbrs3(&quot;volunteertime&quot = volunteer
dbrs3(&quot;medicalleave&quot = medical
if request.Form(&quot;medical&quot <= &quot;0&quot; Then
dbrs3(&quot;extendedtime&quot = extended
End if
dbrs3.update ' Error on this line.
dbrs3.movenext
loop

 

[denoxis]

Try to use single UPDATE statement

UPDATE employeeinfo SET vacationtime = &quot; & vacation & &quot;, overtime = &quot; & overtime & &quot; ... etc ...
where loginID = '&quot; & request.form(&quot;employee1&quot & &quot;'&quot,

 

[sthmpsn1]

I get a timeout error when I switch to this

dbrs3.open (&quot;UPDATE employeeinfo SET vacationtime = &quot; & vacation & &quot;, overtime = &quot; & overtime & &quot; where loginID = '&quot; & request.form(&quot;employee1&quot & &quot;'&quot, dbconn, 2, 3

 

[denoxis]

Don't open a recordset, try dbconn.execute(sql)

where sql = &quot;UPDATE...&quot;

 

[Funka]

the first thing that screams out at me is the dangerous way in which you construct your dynamic SQL statement. NEVER trust user data to be submitted in the format you expect.

dbrs3.open (&quot;Select * From employeeinfo where loginID = '&quot; & request.form(&quot;employee1&quot & &quot;'&quot, dbconn, 2, 3

if someone were to submit a bogus form with &quot;employee1&quot; containing something like &quot;' DELETE FROM employeeinfo;&quot; then your code would construct a very bad SQL statement. ALWAYS validate user input, never trust that it has not been tampered with. at the very least, create a function to &quot;double-quote&quot; any user input...

Function makeSqlSafe(strInput)
makeSqlSafe = Replace(strInput,&quot;'&quot;,&quot;''&quot
End Function

then use makeSqlSafe(Request.Form(&quot;employee1&quot) and you are minimally covered.

good luck!

 

[sthmpsn1]

I still get a timeout when I use this

dbconn.execute(&quot;UPDATE employeeinfo SET vacationtime = &quot; & vacation & &quot;, overtime = &quot; & overtime & &quot; where loginID = '&quot; & request.form(&quot;employee1&quot & &quot;'&quot
dbrs3(&quot;vacationtime&quot= vacation

 

[roy29]

Try to execute the SQL statement directly against the database (not in the ASP) with the same data and see if you get any errors on the statement.