Dot separated value is inserted instead of comma in asp - sql

I'm kinda "fresh" in classic ASP and I have the following insert SQL query in classic ASP, and I can't make it insert a comma-separated value from a CSV file into an MS Access database; instead it converts it into a dot-separated thousands value.
E.g.:
price = "49,55"
insert_sql = "INSERT INTO table (price) VALUES ('" & price & "')"
DataConn.execute(insert_sql)
I tried to convert it like:
CDbl(price) or FormatNumber(price)
but what I get after all is 4.955,00.
I've tried changing localization, but I still have the same problem.
P.S.: I am aware of the fact that the above code is SQL Injection vulnerable, but for now I'm trying to understand what's wrong, or what I am forgetting.
Thanks.

Use Str to force a dot as the decimal separator:
insert_sql = "INSERT INTO table (price) VALUES (" & Str(price) & ")"
Then, for display of the price, apply any format you prefer.
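A locale-independent way to handle the same CSV value, shown as an added example that is not part of the original posts: the decimal-comma text is parsed explicitly and then passed as a bound parameter, so neither the regional settings nor string concatenation decide how `49,55` is read. It is written in Python with an in-memory SQLite database standing in for Access; the `products` table and the function names are assumptions.

```python
import re
import sqlite3
from decimal import Decimal

# '.' is accepted only as a thousands separator, ',' only as the decimal mark.
DECIMAL_COMMA = re.compile(r"^(\d{1,3}(?:\.\d{3})+|\d+)(?:,(\d+))?$", re.ASCII)

def parse_decimal_comma(text):
    """Parse '49,55' or '4.955,00' into a Decimal without consulting any locale."""
    m = DECIMAL_COMMA.match(text.strip())
    if m is None:
        raise ValueError(f"not a decimal-comma number: {text!r}")
    whole = m.group(1).replace(".", "")
    frac = m.group(2) or "0"
    return Decimal(f"{whole}.{frac}")

def insert_price(conn, raw_price):
    """Store the price through a bound parameter and return what the database kept."""
    price = parse_decimal_comma(raw_price)
    # The number is sent as a typed value, separate from the SQL text, so the
    # database never re-parses a separator and the input cannot change the statement.
    conn.execute("INSERT INTO products (price) VALUES (?)", (float(price),))
    row = conn.execute("SELECT price FROM products ORDER BY rowid DESC LIMIT 1").fetchone()
    return row[0]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (price REAL)")  # constructed table
    # Constructed CSV field values in decimal-comma notation.
    return [insert_price(conn, p) for p in ("49,55", "4.955,00", "1234")]
```

A value such as `49.55` is rejected rather than guessed at, because in this notation a dot followed by two digits is ambiguous.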

Related

How do I use a comma delimited string as query criteria on a numeric field

I've built a function that creates a comma delimited string from multiple selections in my list box. When I try to use this as the Where clause in my sql (in VBA) I get a 'type mismatch' error - because the field I'm using with the criteria is numeric. How do I resolve this?
example:
sql = "INSERT INTO tblItemsLibrary ( Constr, Description) ...
"WHERE (((tblItemsLibrary1.ItemsLibID) In (" & strSelectedRecords & ")));"
In the above example strSelectedRecords is coming in as "17,11,28" where the field is a long.
You can use LIKE:
INSERT INTO tblItemsLibrary ( Constr, Description)
...
WHERE "," & tblItemsLibrary1.ItemsLibID & "," LIKE "*," & strSelectedRecords & ",*"
Actually you might want to adjust strSelectedRecords to start and end with *, and ,*.
If you are using SQL Server 2016 or above, the function string_split can be used:
SELECT *
FROM tblItemsLibrary
WHERE tblItemsLibrary1.ItemsLibID IN (select * from STRING_SPLIT(@numlist, ','))
Replace @numlist with your string 17,11,28
Another method is to construct dynamic sql and pass that on top of base sql statement:
EXECUTE('SELECT * FROM tblItemsLibrary1 WHERE ItemsLibID IN
('+@numlist+')')
Your SQL expression will result in:
INSERT INTO tblItemsLibrary ( Constr, Description)
...
WHERE (((tblItemsLibrary1.ItemsLibID) In (17,11,28)));
which is correct if ItemsLibID is numeric.
Thus, your error is probably caused by the values you try to insert.
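When the list arrives as text such as "17,11,28", it can be validated element by element and bound through one placeholder per value instead of being spliced into the statement. The following is an added example, not code from any of the posts above, written in Python with an in-memory SQLite database standing in for Access or SQL Server; the function names and the sample rows are assumptions, while the table and column names come from the question.

```python
import sqlite3

def parse_id_list(csv_ids, max_items=100):
    """Turn '17,11,28' into [17, 11, 28]; reject anything that is not a plain integer."""
    ids = []
    for token in csv_ids.split(","):
        token = token.strip()
        if not (token.isascii() and token.isdigit()):
            raise ValueError(f"not an integer id: {token!r}")
        ids.append(int(token))
    if len(ids) > max_items:
        raise ValueError("too many ids")
    return ids

def select_by_ids(conn, csv_ids):
    """Run the IN (...) filter with one bound placeholder per validated id."""
    ids = parse_id_list(csv_ids)
    # Only the number of '?' marks depends on the input; the values are bound.
    placeholders = ", ".join("?" for _ in ids)
    sql = ("SELECT ItemsLibID, Description FROM tblItemsLibrary "
           f"WHERE ItemsLibID IN ({placeholders}) ORDER BY ItemsLibID")
    return conn.execute(sql, ids).fetchall()

def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblItemsLibrary (ItemsLibID INTEGER, Description TEXT)")
    # Constructed sample rows.
    conn.executemany("INSERT INTO tblItemsLibrary VALUES (?, ?)",
                     [(11, "bolt"), (17, "nut"), (28, "washer"), (30, "rivet")])
    return conn
```

An empty selection or a token that is not a plain integer raises `ValueError` before any SQL is built, which also surfaces the kind of malformed value that produces a type mismatch.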

MS Access / SQL : error in insert query statement

I am using MS Access 1997 version (.mdb file). On a daily basis, I need to insert values manually. In that file, there's a column Logical (Boolean data type). I am automating this template using SQL query instead of direct entry.
Below is my insert query:
Insert Into Data_CustomerTransmit_Tbl (Logical)
Values (" & Logicalnme & ")
Values:
Logicalnme - True
When I run this query in VBA in Excel, I get this error message
Syntax Error in Insert into Statement
Kindly confirm shall I use "Logical" as column name or this is the reserved keyword?
Thanks in advance.
There isn't a problem with your field name, you just need to enclose your INSERT column name in square brackets. You also need to choose a valid value in the VALUES clause:
INSERT INTO Data_CustomerTransmit_Tbl ( [Logical] )
VALUES (TRUE);
If you want to be prompted for the value to insert, you can use a parameter:
PARAMETERS [Please enter a Boolean value] YesNo;
INSERT INTO Data_CustomerTransmit_Tbl ( [Logical] )
VALUES ([Please enter a Boolean value]);
I presume you are trying to do this insert using VBA? If so, your syntax in building the SQL statement is correct, except you have some punctuation missing: double-quotes on each end.
"INSERT INTO Data_CustomerTransmit_Tbl (Logical) VALUES (" & Logicalnme & ")"
Further, as you have split the string over two lines (breaking before VALUES), you must also terminate the first line of the string with: ' " & _' (space,double-quote,space, ampersand, space, underscore) in order to indicate that the string continues to the next line. Then you begin the next line with double-quotes:
"INSERT INTO Data_CustomerTransmit_Tbl (Logical) " & _
"VALUES (" & Logicalnme & ")"
In VBA the code should look like this:
DoCmd.RunSQL ("INSERT INTO Data_CustomerTransmit_Tbl (Logical) VALUES (" & Logicalnme & ");")
The SQL query you alluded to - have you tried to execute it manually in the query editor using the same value(s) you are trying to pass from Excel? That would immediately provide more verbose feedback if there is an issue with the query or the data.
Regarding the Boolean field, make sure you are receiving a True/False that you are expecting, not a bit field, 0 and 1. I like to make quick log entries in a table or a file when troubleshooting to see the raw data.
Use Cbool function:
Insert Into Data_CustomerTransmit_Tbl (Logical)
Values (" & Cbool(Logicalnme) & ")
Add single quotes around values?
sql = "INSERT INTO Data_CustomerTransmit_Tbl (Logical) " & _
"VALUES ('" & Logicalnme & "')"
docmd.runsql sql

SQL insert, What do all these characters do in this insert statement defining values? "&""&"'"&N4&"', "&""&"'"&"Mapping"&"',

What do all these characters do in this insert statement defining values?
"&""&"'"&N4&"',"&""&"'"&"Mapping"&"',
I am trying to understand what each one does? I know N4 is a cell location and Mapping is a hard coded value. It works but, what's going on here?
Complete command:
"insert into partnerrules (name,description,[default],version,doc,[order],active,isComboBox) values("&"'"&P3&"',"&""&"'"&M3&"',"&""&"'"&N3&"',"&""&"'"&"Mapping"&"',"&""&"'"&"856"&"', "&""&"'"&O3&"',"&""&"'"&"1"&"',"&""&"'"&"0"&"'"&")"
By looking at the code, it appears to be done in VB and the "&" character is used to add strings together such as
someVar = "hello " & "world"
would result in
"hello world"
So, what is being attempted is adding the values of strings, with quotes around them, to build out a SQL insert statement. However, it is poorly done, as you are open to SQL injection when it is done in this format; you should be parameterizing instead. Do some research on it, as there is not enough to adequately respond without more actual source code to show context.
complete command: ="insert into partnerrules (name,description,[default],version,doc,[order],active,isComboBox) values("&"'"&P3&"',"&""&"'"&M3&"',"&""&"'"&N3&"',"&""&"'"&"Mapping"&"',"&""&"'"&"856"&"', "&""&"'"&O3&"',"&""&"'"&"1"&"',"&""&"'"&"0"&"'"&")"
would result in the following
ex: if the following variables have the following values
P3 = "test1"
M3 = "test2"
N3 = "test3"
O3 = "test4"
I am doing explicit line breaks for readability vs too long on one line...
insert into partnerrules (name,description,[default],version,doc,[order],active,isComboBox) values (
now, the area of all your quotes and &
'test1','test2','test3','Mapping','856','test4','1','0')
What SHOULD have been done is something more along the lines of... the underscore is a continuation line in VB
' Requires: Imports System.Data.OleDb
Dim myInsert As New OleDbCommand("", YourConnection)
myInsert.CommandText = "insert into partnerrules ( name, description, " _
& "[default], version, doc, [order], active, isComboBox ) " _
& " values ( ?, ?, ?, 'Mapping', '856', ?, '1','0')"
In this case, the "?" characters represent PARAMETER PLACE-HOLDERS for what you want to actually insert into the table. Then, add your parameters in the same order as they would be representative of.
myInsert.Parameters.AddWithValue( "parmForName", P3 )
myInsert.Parameters.AddWithValue( "parmForDescription", M3 )
myInsert.Parameters.AddWithValue( "parmForDefault", N3 )
myInsert.Parameters.AddWithValue( "parmForOrder", O3 )
Unsure of data types due to limited content provided.

How can I escape apostrophes in my SQL statement? [duplicate]

This question already has answers here:
ColdFusion adding extra quotes when constructing database queries in strings
(4 answers)
Closed 7 years ago.
Not to get into a discussion about SQL injection and sanitizing and etc...
For various reasons, I am doing the unspeakable and building and executing a dynamic SQL query WITHOUT using query params.
So... I'm building a list of columns and a list of values, and then I have the following code:
insertRecord.setSql("INSERT INTO MyTable(" & columns & ") VALUES(" & values & ")");
This works properly for most records, but for a few records one of the string field values has an apostrophe or single quote:
'SHERIFF'S OFFICE'
This is giving me the SQL error: Incorrect syntax near 'S'.
I have tried using preserve single quotes in several ways and it doesn't help:
insertRecord.setSql("INSERT INTO MyTable(" & columns & ") VALUES(" & preserveSingleQuotes(values) & ")");
OR
insertRecord.setSql(PreserveSingleQuotes("INSERT INTO MyTable(" & columns & ") VALUES(" & values & ")"));
Is there any way to escape all the apostrophes, or otherwise format my sql string properly, other than using a ReplaceNoCase(colValue, "'", "''") on each value individually as I'm building the string (which does work)?
I'm not sure of the syntax for the setSql statement but perhaps you are missing single quotes around your string values. Have you tried adding those?
What I mean is this. Assuming the SQL statement needs to look something like this (notice the quotes around each value):
INSERT INTO MyTable
(column1, column2, column3)
VALUES
('value 1', 'value 2', 'value 3')
Then the setSql statement should look like:
insertRecord.setSql("INSERT INTO MyTable (column1, column2, column3) VALUES ('value 1', 'value 2', 'value 3')");
So you could try something like (notice the single quotes around the values):
insertRecord.setSql("INSERT INTO MyTable(" & columns & ") VALUES('" & preserveSingleQuotes(values) & "')");
You might also need to loop over every value in order to enclose each within the single quotes.

VB.NET -> SQL Exporting String "901-0656" to not be 245 (901 minus 656)

I am trying to add new records to a Access database through VB.NET. The table "Quantities" has three columns:
PartNumber (string), PadsPerStrip (integer), and Verified (boolean)
The format that we use for PartNumber is ###-####-### (i.e. 901-0656-000). When I run my code everything is added correctly but math is performed on Part number so that the - is treated as a minus sign even though it is a string. Here is my sql command:
cmdInsert.CommandText = "INSERT INTO Quantities (PartNumber, PadsPerStrip, Verified) VALUES ( " & partNum & ", " & updatingPPS.ToString() & ", No);"
When viewing the command in a MsgBox it shows up as:
INSERT INTO Quantities (PartNumber, PadsPerStrip, Verified) VALUES (901-0656-000, 3, No);
Is there a way to make it skip the math operator when exporting the part number?
Make sure to enclose the part number with quotes. Without that, the value is not considered as a string when run in the database.
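Both the part-number question above and the earlier apostrophe question come from pasting values into the SQL text. This added example (not from the original posts) puts the concatenated form beside the bound-parameter form, in Python with an in-memory SQLite database standing in for Access and SQL Server; the function names and the `Agency` column are assumptions.

```python
import sqlite3

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Quantities (PartNumber TEXT, PadsPerStrip INTEGER)")
    conn.execute("CREATE TABLE MyTable (Agency TEXT)")  # column name is hypothetical
    return conn

def concat_part(conn, part_num, pps):
    """Pattern from the question: the unquoted value becomes part of the SQL text."""
    conn.execute("INSERT INTO Quantities (PartNumber, PadsPerStrip) "
                 f"VALUES ({part_num}, {pps})")
    return conn.execute(
        "SELECT PartNumber FROM Quantities ORDER BY rowid DESC LIMIT 1").fetchone()[0]

def bound_part(conn, part_num, pps):
    """Same insert with placeholders: the value is sent as data, never parsed as SQL."""
    conn.execute("INSERT INTO Quantities (PartNumber, PadsPerStrip) VALUES (?, ?)",
                 (part_num, pps))
    return conn.execute(
        "SELECT PartNumber FROM Quantities ORDER BY rowid DESC LIMIT 1").fetchone()[0]

def concat_agency(conn, agency):
    """Quoted concatenation: an apostrophe inside the value ends the literal early."""
    try:
        conn.execute(f"INSERT INTO MyTable (Agency) VALUES ('{agency}')")
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"
    return "ok"

def bound_agency(conn, agency):
    """Bound parameter: no quoting or doubling of apostrophes is needed."""
    conn.execute("INSERT INTO MyTable (Agency) VALUES (?)", (agency,))
    return conn.execute(
        "SELECT Agency FROM MyTable ORDER BY rowid DESC LIMIT 1").fetchone()[0]
```

With the constructed inputs `901-0656-000` and `SHERIFF'S OFFICE`, the concatenated forms store 245 and raise a syntax error respectively, while the bound forms store both strings unchanged.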