I'm working in ACCESS VBA. I have a sub, which inserting the given collection into different tables, which depends on the current element. I just met and would like to work with this ADO parameter thing, because I have problem with the simple docmd.runsql "insert into...". The problem is that some strings contain "'" character, so I got error at these records. I searched and found ADO parameters, but no good tutorials and now I'm tired from the error codes which are not helpful either (coming from java).
My code snippet:
Dim adoCMD As Object
Set adoCMD = CreateObject("ADODB.Command")
With adoCMD
.ActiveConnection = CurrentProject.Connection
.CommandType = adCmdText
.parameters.Append .CreateParameter("pKey", adInteger)
.parameters.Append .CreateParameter("pTitle", adVarChar, 100)
.parameters.Append .CreateParameter("pid", adInteger)
.parameters.Append .CreateParameter("pAired", adDate)
.parameters.Append .CreateParameter("pmtype", adInteger)
.parameters.Append .CreateParameter("pSyear", adSmallInt)
.parameters.Append .CreateParameter("pSeason", adInteger)
If addDate Then
.parameters.Append .CreateParameter("pAdded", adDate)
End If
For Each elem In ac
If elem.aired >= seasonStart And elem.aired <= seasonEnd Then
key = Nz(DMax("table_Akey", "table_A"), 0) + 1
.parameters("pKey").Value = key
.parameters("pTitle").Value = elem.title
.parameters("pid").Value = elem.id
.parameters("pAired").Value = elem.aired
.parameters("pmtype").Value = elem.mtype
.parameters("pSyear").Value = syear
.parameters("pSeason").Value = season
If addDate Then
.parameters("pAdded").Value = Date
.CommandText = "INSERT INTO table_A(table_Akey,title,id,aired,media,seasonyear,season,added) VALUES(pKey,pTitle,pid,pAired,pmtype,pSyear,pSeason,pAdded);"
Else
.CommandText = "INSERT INTO table_A(table_Akey,title,id,aired,media,seasonyear,season) VALUES(pKey,pTitle,pid,pAired,pmtype,pSyear,pSeason);"
End If
Else
wCounter = wCounter + 1
key = Nz(DMax("wskey", "ws"), 0) + 1
.parameters("pKey").Value = key
.parameters("pTitle").Value = elem.title
.parameters("pid").Value = elem.id
.parameters("pAired").Value = elem.aired
.parameters("pmtype").Value = elem.mtype
.parameters("pSyear").Value = syear
.parameters("pSeason").Value = season
.CommandText = "INSERT INTO ws(wskey,title,id,aired,media,wsyear,season) VALUES(pKey,pTitle,pid,pAired,pmtype,pSyear,pSeason);"
End If
.Execute
Next elem
End With
I get the error: Runtime Error '3001' Arguments are of the wrong type, are out of acceptable range or are in conflict with one another
at the line
.parameters.Append .CreateParameter("pTitle", adVarChar, 100)
Maybe the whole code is wrong, I don't know how to do properly with ADO parameters, but you can see what I want to do. I give a collection to the function. I loop through the elements and place them the right table and I have one switch as well (addDae).
Please help me.
You could also write a function that escapes the DB single quote. Generally, a single quote is "escaped" by doubling it. It would be something like:
Function escapeDBquote(s As String) As String
Dim sOut As String
Dim i As Integer
i = 1
While (i <= len(s))
If (Mid(s, i, 1) = "'") Then sOut = sOut +"'"
sOut = sOut + Mid(s, i, 1)
i = i + 1
Wend
escapeDBquote = sOut
End Function
and call it like:
Dim szSQL As String
szSQL = "insert into myTable (sfield1, ..) values ('" + escapeDBquote(myString) + "');"
(Note: haven't compiled this code; there could be some typos.)
Related
OK, I'm missing something obvious here - I have an SP that takes in an integer ID and returns a string. I've used this SP for quite a while with DAO. Now I need to switch to ADO so I can run it under and existing connection (another question I'll post elsewhere).
So my code follows. It returns no errors but it also returns no results. The output parameter is null. What am I missing?
Dim adoCon As ADODB.Connection
Dim adoCMD As ADODB.Command
Dim SQLstr As String
Dim ConStr As String
'--- get connection string from existing object, but strip leading odbc; piece
ConStr = Replace(CurrentDb.TableDefs("[TableName]").Connect, "ODBC;", "")
Set adoCon = New ADODB.Connection
adoCon.ConnectionString = ConStr
adoCon.Open
Set adoCMD = New ADODB.Command
With adoCMD
.ActiveConnection = adoCon
.CommandType = adCmdStoredProc
.Parameters.Append .CreateParameter(, adInteger, adParamReturnValue, , Null) ' return value
.Parameters.Append .CreateParameter("Path", adVarChar, adParamOutput, 500, Null)
.Parameters.Append .CreateParameter("AsyID", adInteger, adParamInput)
.Parameters.Item("AsyID").Value = AsyID
.CommandText = "dbo.spGetAncestry"
.Execute
End With
GetHeritage = adoCMD.Parameters(1).Value 'parm(0) = 0; parm(1) = NULL; parm(2) = AsyID
adoCon.Close
Although your code should work. Please remove the optional expressions in the parameter definition and try the following:
Dim rv as Integer
Set adoCMD = New ADODB.Command
With adoCMD
.ActiveConnection = adoCon
.CommandType = adCmdStoredProc
.Parameters.Append .CreateParameter("RETURN_VALUE", adInteger, adParamReturnValue)
.Parameters.Append .CreateParameter("Path", adVarChar, adParamOutput, 500)
.Parameters.Append .CreateParameter("AsyID", adInteger, adParamInput, , AsyID)
.CommandText = "dbo.spGetAncestry"
.Execute
End With
rv = adoCMD.Parameters("RETURN_VALUE").Value
GetHeritage = adoCMD.Parameters("Path").Value
also make sure your SP is returning the correct data type and size for your output parameter and adjust the code accordingly. If you're returning VARCHAR(MAX), then that is treated as a "BLOB" in ADO, see this related question What are the limits for ADO data types?.
In this case you can try returning varchar(8000) from the SP and updating the code accordingly.
Found it.
Apparently, in the ADO call, it doesn't matter what you set the return value to (I was trying to use "" or even " " before I set it to null) when it executes in SQL batch, it is simply set to NULL as it shows in this trace form. For this run, the Output was initialized as " ", but the batch passed in NULL.
[!SQL trace of the above query being executed with " " in the initialization of the Output variable1]1
Normally, a null wouldn't be a problem as the typical SP assignment would be:
SET #Path = [SELECT value from table]
or, if it was a concatenation, you would initialize the variable:
SET #Path = ''
before stringing together the input.
In this particular case, though, the SP is recursive. It calls itself passing an input and the output values to the new copy. Because of this, you can't initialize the value and you can't use a straight assignment. To get around this, I needed to use:
#path = COALESCE(#path, '') + [SELECT value from table]
to trap any NULL passed in.
When I update record through update statement with some empty fields using parametrized query and VBScript in Classic ASP page, its showing error and not updating.
error is:
ADODB.Parameters (0x800A0E7C)
Parameter object is improperly defined. Inconsistent or incomplete
information was provided.
but when I fill all field and update its updating. my code is blew given:
<%
Dim objRS, objCmd, str
Set objCmd = Server.CreateObject("ADODB.Command")
Set Objrs = Server.CreateObject("ADODB.Recordset")
'#lankymart i have edited code as below
'=========================
str = "update admin set Astate=?, Acity=?, Acenterid=?, Aname=?, gender=?, Acontact=?, Aemail=?, ACreatedBy=? where Aid=?"
If Len(dt) > 0 Then
strU = strU & ", Acdate=? "
else
strU = strU & ""
end if
strU = strU & "where Aid=?"
'==========================
'above code is working fine as its escaping when i pass null value but i want to update null value in record too. null value is not updating in record. please help me
With objCmd
.ActiveConnection = MM_connDUdirectory_STRING
.CommandText = str
.CommandType = adCmdText
.Parameters.Append(.CreateParameter("#paramg1", adInteger, adParamInput, ,StrStateID))
.Parameters.Append(.CreateParameter("#paramg2", adInteger, adParamInput, ,StrCityID))
.Parameters.Append(.CreateParameter("#paramg3", adInteger, adParamInput, ,StrCenterID))
.Parameters.Append(.CreateParameter("#paramg4", adVarChar, adParamInput, len(StrName)))
.Parameters.Append(.CreateParameter("#paramg5", adVarChar, adParamInput, 6))
.Parameters.Append(.CreateParameter("#paramg6", adVarChar, adParamInput, len(StrContno)))
.Parameters.Append(.CreateParameter("#paramg7", adVarChar, adParamInput, len(StrMail)))
.Parameters.Append(.CreateParameter("#paramg8", adVarChar, adParamInput, len(a_name)))
If Len(dt) > 0 Then
.Parameters.Append(.CreateParameter("#paramg9", adVarChar, adParamInput, len(dt)))
end if
.Parameters.Append(.CreateParameter("#paramg10", adInteger, adParamInput, ,StaffId))
.Parameters("#paramg1").Value = StrStateID
.Parameters("#paramg2").Value = StrCityID
.Parameters("#paramg3").Value = StrCenterID
.Parameters("#paramg4").Value = StrName
.Parameters("#paramg5").Value = StrGender
.Parameters("#paramg6").Value = StrContno
.Parameters("#paramg7").Value = StrMail
.Parameters("#paramg8").Value = a_name
If Len(dt) > 0 Then
.Parameters("#paramg9").Value = dt
end if
.Parameters("#paramg10").Value = StaffId
end with
Set objRS = objCmd.Execute()
%>
When I submit all values, then its updating but when I submit some fields than its showing me error as above written but it should update without any error. please help me.
If you have an UPDATE statement that expects 10 parameters then you have to pass 10 parameters. This means populating the Parameters .Value or specifying the value during the CreateParameter() method, failing to do this will give you the error you experienced.
If you need the UPDATE to be dynamic build the query along with the parameters as you check the value is being passed.
IMPORTANT:
This code snippet is not a complete solution, it just demonstrates how to structure building your Query String and Parameters in a dynamic fashion.
str = "update admin set "
'Further down while defining parameters
If Len(StrStateID & "") > 0 Then
str = str & "Astate=?, "
.Parameters.Append(.CreateParameter("#paramg1", adInteger, adParamInput, ,StrStateID))
End If
'Repeat for Parameters 2 - 8
'...
'Then on your last parameter (in the SET statement)
If Len(dt & "") > 0 Then
str = str & "Acdate=? " 'Notice no comma
.Parameters.Append(.CreateParameter("#paramg9", adVarChar, adParamInput, len(dt)))
.Parameters("#paramg9").Value = dt
End If
str = str & "where Aid=?"
'Don't forgot the remaining Parameter for the WHERE clause
'This should always be passed or the code will fail.
.Parameters.Append(.CreateParameter("#paramg10", adInteger, adParamInput, ,StaffId))
Note:
There are more efficient ways of producing this like using an Array to build your expected parameter fields and values then dynamically building up the query and the Parameter objects using a For loop.
In the vb script I have a select statement I am trying to pass a string value with an undetermined length to a SQL in operator the below code works but allows for SQL injection.
I am looking for a way to use the ADO createParameter method. I believe the different ways I have tried are getting caught up in my data type (adVarChar, adLongChar, adLongWChar)
Dim studentid
studentid = GetRequestParam("studentid")
Dim rsGetData, dbCommand
Set dbCommand = Server.CreateObject("ADODB.Command")
Set rsGetData = Server.CreateObject("ADODB.Recordset")
dbCommand.CommandType = adCmdText
dbCommand.ActiveConnection = dbConn
dbCommand.CommandText = "SELECT * FROM students WHERE studentID in (" & studentid & ")"
Set rsGetData = dbCommand.Execute()
I have tried
Call addParameter(dbCommand, "studentID", adVarChar, adParamInput, Nothing, studentid)
which gives me this error
ADODB.Parameters error '800a0e7c'
Problems adding parameter (studentID)=('SID0001','SID0010') :Parameter object is improperly defined. Inconsistent or incomplete information was provided.
I have also tried
Call addParameter(dbCommand, "studentID", adLongVarChar, adParamInput, Nothing, studentid)
and
Dim studentid
studentid = GetRequestParam("studentid")
Dim slength
slength = Len(studentid)
response.write(slength)
Dim rsGetData, dbCommand
Set dbCommand = Server.CreateObject("ADODB.Command")
Set rsGetData = Server.CreateObject("ADODB.Recordset")
dbCommand.CommandType = adCmdText
dbCommand.ActiveConnection = dbConn
dbCommand.CommandText = "SELECT * FROM students WHERE studentID in (?)"
Call addParameter(dbCommand, "studentID", adVarChar, adParamInput, slength, studentid)
Set rsGetData = dbCommand.Execute()
both of these options don't do anything... no error message and the SQL is not executed.
Additional information:
studentid is being inputted through a HTML form textarea. the design is to be able to have a user input a list of student id's (up to 1000 lines) and perform actions on these student profiles. in my javascript on the previous asp I have a function that takes the list and changes it into a comma delimited list with '' around each element in that list.
Classic ASP does not have good support for this. You need to fall back to one of the alternatives discussed here:
http://www.sommarskog.se/arrays-in-sql-2005.html
That article is kind of long, but in a good way: it's considered by many to be the standard work on this subject.
It also just so happens that my preferred option is not included in that article. What I like to do is use a holding table for each individual item in the list, such that each item uses an ajax request to insert or remove it from the holding table the moment the user selects or de-selects it. Then I join to that table for my list, so that you end up with something like this:
SELECT s.*
FROM students s
INNER JOIN studentSelections ss on s.StudentID = ss.StudentID
WHERE ss.SessionKey = ?
What does your addParameter() function do? I don't see that anywhere in your code.
You should be able to create and add your string param like so:
With dbCommand
.Parameters.Append .CreateParameter(, vbString, , Len(studentid), studentid)
End With
(Small hack here. vbString has the same value as adBSTR. You'll find that the VarType of all VB "types" have matching ADO counterparts.)
Type VarType (VBScript) DataTypeEnum (ADO) Value
--------- ------------------ ------------------ -----
Integer vbInteger adSmallInt, 2-byte 2
Long vbLong adInteger, 4-byte 3
Single vbSingle adSingle 4
Double vbDouble adDouble 5
Currency vbCurrency adCurrency 6
Date vbDate adDate 7
String vbString adBSTR 8
Object vbObject adIDispatch 9
Error vbError adError 10
Boolean vbBoolean adBoolean 11
Variant vbVariant adVariant 12
Byte vbByte adUnsignedTinyInt 17
Edit: Looks like Joel has a good solution for you. I didn't realize IN isn't compatible with ADO parameterized queries. I think something like the following would work, but you probably wouldn't want to do it with (potentially) 1000 ID's.
' Create array from student IDs entered...
a = Split(studentid, ",")
' Construct string containing proper number of param placeholders. Remove final comma.
strParams = Replace(String(UBound(a) - 1, "?"), "?", "?,")
strParams = Left(strParams, Len(strParams) - 1)
With dbCommand
.CommandText = "select * from students where studentID in (" & strParams & ")"
Set rsGetData = .Execute(, a)
End With
Using IN with a Parameterised Query isn't Hard
Posting this here in relation to another question that was marked as a duplicate of this one.
This isn't as difficult as you think, the adCmdText query just needs to the placeholders in the query to match the number of parameters and their ordinal position and it will work with any number of parameters you pass into an IN statement.
Here is a quick example using the AdventureWorks example database in SQL Server. We use an Array to store the id of each Person.Contact record we wish to filter out using IN than build the parameters dynamically based on that array before executing the ADODB.Command.
Note: The source of the array is not important it could be a string list which is Split() into an Array or just an Array() call (like the one used in this example).
<%
Option explicit
%>
<!-- #include virtual = "/config/data.asp" -->
<%
Dim cmd, rs, sql, data, rows, row
'Our example parameters as an Array for the IN statement.
Dim ids: ids = Array(2, 5, 10)
Dim id
sql = ""
sql = sql & "SELECT [FirstName], [LastName] " & vbCrLf
sql = sql & "FROM Person.Contact " & vbCrLf
sql = sql & "WHERE [ContactId] IN (?, ?, ?) " & vbCrLf
sql = sql & "ORDER BY [LastName], [FirstName]" & vbCrLf
Set cmd = Server.CreateObject("ADODB.Command")
With cmd
.ActiveConnection = conn_string
.CommandType = adCmdText
.CommandText = SQL
'Loop through the Array and append the required parameters.
For Each id in ids
Call .Parameters.Append(.CreateParameter("#id" & id, adInteger, adParamInput, 4))
.Parameters("#id" & id).Value = id
Next
Set rs = .Execute()
'Output the Recordset to a 2-Dimensional Array
If Not rs.EOF Then data = rs.GetRows()
Call rs.Close()
End With
Set cmd = Nothing
If IsArray(data) Then
rows = UBound(data, 2)
For row = 0 To rows
Call Response.Write("<p>" & data(0, row) & " " & data(1, row) & "</p>" & vbCrLf)
Next
End If
%>
Output:
<p>Catherine Abel</p>
<p>Pilar Ackerman</p>
<p>Ronald Adina</p>
Worth noting this example shows the explicit way of writing the parameter code for an elegant approach to the problem see the second solution in #Bond's answer.
After reading through the article that was provided by Joel and the answer that All Blond provided this is the solution that ended up working for me.
Dim studentid
studentid = GetRequestParam("studentid")
Dim splitStudentid, x
splitStudentid = Split(studentid,",")
for x=0 to Ubound(splitStudentid)
Dim rsGetData, dbCommand, originSID
Set dbCommand = Server.CreateObject("ADODB.Command")
Set rsGetData = Server.CreateObject("ADODB.Recordset")
dbCommand.CommandType = adCmdText
dbCommand.ActiveConnection = dbConn
dbCommand.CommandText = "SELECT * FROM students WHERE studentID=?"
Call addParameter(dbCommand, "studentID", adVarChar, adParamInput, 35, splitStudentid(x))
Set rsGetData = dbCommand.Execute()
If (NOT rsGetData.EOF) Then
originSID = rsGetData.Fields(0)
//additional code
End If
next
I found that there was no elegant way to use the "in" operator in my code.
I also decided against a Stored Procedure as it is a simple query though I agree
ALSO I realize that addParameter is a Function my company uses internally so below is an additional solution that works also works but is not my companies preference.
Dim studentid
studentid = GetRequestParam("studentid")
Dim splitStudentid, x
splitStudentid = Split(studentid,",")
for x=0 to Ubound(splitStudentid)
Dim rsGetData, dbCommand, originSID
Set dbCommand = Server.CreateObject("ADODB.Command")
Set rsGetData = Server.CreateObject("ADODB.Recordset")
dbCommand.CommandType = adCmdText
dbCommand.ActiveConnection = dbConn
dbCommand.CommandText = "SELECT * FROM students WHERE studentID=?"
Set rsGetData = dbCommand.Execute(, Array(splitStudentid(x)))
If (NOT rsGetData.EOF) Then
originSID = rsGetData.Fields(0)
//additional code
End If
next
Try to add to your code following(assuming that StudentID is numeric)
dim outputArray,x,compareArray
outputArray=split(inputText,",")
for each x in outputArray
If IsNumeric(x) Then
if len(compareArray)>1 and cInt(x)>0 then
compareArray=compareArray&"," & cInt(x)
else
compareArray=cInt(x)
end if
else
' throw some log entry or do something for you to know that someone try
end if
next
and then do all your Db connection set etc up to this point where you use this new string of integers:
dbCommand.CommandText = "SELECT * FROM students WHERE studentID in (" & compareArray &")"
and this will safeguard you from anyone use your StudentId list for SQL injection. I would rather use Store procedure and user-defined table types but ...
In any case if it is not numeric then it must have some parameter like length or complexity which you can use to verify that value has not been compromised using regular expression for example for limiting what can be in that value; but idea of the looping through and verifying values remain the same.
I need to insert some data into DB, there is a problem..it gives me an error :
Source line:
SET sql ="Insert Into Products (ProductName,SupID,CatID,Price,Pic,Description) Values( '"&pName&"','"&pbId&"','"&pcId&"','"&price&"','"&pic&"','"&desc&"')"
Description: Object required: '[string: "Insert Into Products"]'
I dont understand what he wants..
This is my code:
dim sql
dim price
dim desc
dim pName
dim pcId
dim pbId
dim pic
set pic = Request.Form("picUpload")
set desc = Request.Form("tbDescProduct")
set price= Request.Form("tbPriceProduct")
set pcId =Request.Form("ddlCategoryForProd")
set pbId =Request.Form("ddlBrandForProd")
set pName=Request.Form("tbProductName")
IF((bName<>"")AND(desc<>"")AND(price<>"")AND(pcId<>"-1")AND(pbId<>"-1")AND (pic<>"")) THEN
set con = Server.CreateObject("ADODB.Connection")
con.open "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & Server.MapPath("WebData/DB.mdb") & ";"
set rs = con.Execute("Select * FROM Products WHERE ProductName = '"&pName&"' and mode= true")
IF rs.EOF = true then
SET sql ="Insert Into Products (ProductName,SupID,CatID,Price,Pic,Description) Values( '"&pName&"','"&pbId&"','"&pcId&"','"&price&"','"&pic&"','"&desc&"')"
SET rs =con.Execute(sql)
response.write("<script language=""javascript"">alert('Product added succesfully!');</script>")
ELSE
response.write("<script language=""javascript"">alert('Product already exist!');</script>")
END IF
'END IF
In VBScript, VBA and VB5/6, SET is required to assign an object reference; to assign any other sort of data (including a string), just remove it:
sql = "Insert Into Products (ProductName,SupID,CatID,Price,Pic,Description) Values( '"&pName&"','"&pbId&"','"&pcId&"','"&price&"','"&pic&"','"&desc&"')"
(In VBA and VB5/6 you could also use LET here.)
The reason SET works when assigning the result of a Request.Form("foo") call is because the Form collection is a collection of objects - the subsequent tests against "" and "-1" are valid only because the objects returned have a default parameterless property or method that return a string-compatible variant.
If I was to guess I'd say your problem is you're passing the SupID and CatID fields as strings when they are probably integers. The problem with handling INSERT this way is you leave yourself open to SQL Injection plus you encounter data type issues like you seem to be experiencing here.
Whenever possible when interacting with a database you should try to use Parameterised Queries. In Classic ASP the best object to do this is ADODB.Command.
Here is an example using your code;
NOTE: If you have problems with the ADO named constants like adParamInput then look in the links section below to see how to use the METADATA tag in your global.asa file to reference the ADO type library across your application.
Dim cmd, sql, conn_string, rs, data
'Wouldn't recommend storing your database inside your website root, instead
'store it outside in another folder and set up a variable in an include file
'to store the location. That way it is not accessible to everyone.
conn_string = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & Server.MapPath("WebData/DB.mdb") & ";"
Set cmd = Server.CreateObject("ADODB.Command")
sql = "SELECT * FROM Products WHERE ProductName = ?"
With cmd
.ActiveConnection = conn_string
.CommandType = adCmdText
.CommandText = sql
Call .Parameters.Append(.CreateParameter("#ProductName", adVarWChar, adParamInput, 50))
Set rs = .Execute(, Array(pName))
If Not rs.EOF Then data = rs.GetRows()
Call rs.Close()
Set rs = Nothing
End With
If IsArray(data) Then
sql = ""
sql = sql & "INSERT INTO Products (ProductName, SupID, CatID, Price, Pic, Description) " & vbCrLf
sql = sql & "VALUES (?, ?, ?, ?, ?, ?)"
Set cmd = Server.CreateObject("ADODB.Command")
With cmd
.ActiveConnection = conn_string
.CommandType = adCmdText
.CommandText = sql
'Define Parameters
'Making some assumptions about your data types, but you can modify these to fit
'good guide for this is http://www.carlprothman.net/Technology/DataTypeMapping/tabid/97/Default.aspx
Call .Parameters.Append(.CreateParameter("#ProductName", adVarWChar, adParamInput, 50))
Call .Parameters.Append(.CreateParameter("#SupID", adInteger, adParamInput, 4))
Call .Parameters.Append(.CreateParameter("#CatID", adInteger, adParamInput, 4))
Call .Parameters.Append(.CreateParameter("#Price", adCurrency, adParamInput, 4))
Call .Parameters.Append(.CreateParameter("#Pic", adVarWChar, adParamInput, 255))
Call .Parameters.Append(.CreateParameter("#Description", adLongVarWChar, adParamInput, 1000))
'Some of your variables may require conversion before setting the parameter values.
.Parameters("#ProductName").Value = pName
.Parameters("#SupID").Value = CLng(pbId)
.Parameters("#CatID").Value = CLng(pcId)
.Parameters("#Price").Value = price
.Parameters("#Pic").Value = pic
.Parameters("#Description").Value = desc
'Execute Command
.Execute()
End With
Set cmd = Nothing
Call Response.write("<script language=""javascript"">alert('Product added succesfully!');</script>")
Else
Call Response.Write("<script language=""javascript"">alert('Product already exist!');</script>")
End If
Links
Data Type Mapping
Using METADATA to Import DLL Constants
Answer from SQL insert into database with apostrophe
I am having trouble when I try to introduce alphanumeric characters into ms-access database. I am able to do it with numerical and date characters, but it seems to be a problem with alphanumerical ones,
Here is the code I use:
Dim adoCon
Dim strSQL
Set adoCon=Server.CreateObject("ADODB.Connection")
adoCon.Open "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("basededades.mdb")
'Here I am getting all the values previously passed by a form.
stringEntrada=Request.Form("stringEntrada")
stringSortida=Request.Form("stringSortida")
valoridHabitaciolliure=Request.Form("valoridHabitaciolliure")
numeropersones=Request.Form("numeroPersones")
nom=Request.Form("nom")
dni=Request.Form("dni")
tlf=Request.Form("tlf")
mail=Request.Form("mail")
ciutat=Request.Form("ciutat")
tipusH=Request.Form("tipusH")
diaReserva=Request.Form("diaReserva")
mail,nom,ciutat,tipusH,dni,valoridHabitaciolliure are alphanumerical characters from a text input form.
diaReserva,stringSortida,stringEntrada, are dates form a text input form.
tlf is a integer variable.
strSQL="INSERT INTO Reserva (dni,tlf,diaReserva,inici,fi,tipusHabitacio) VALUES ("&dni&","&tlf&",'"&diaReserva&"','"&stringEntrada&"','"&stringSortida&"'," "&tipusH&")"
adoCon.Execute(strSQL)
When I see the values inserted into the database I realise that the date variables like "diaReserva" or "stringSortida" and the numerical ones like "tlf" are inserted correctly.
To insert date variables I use a simple ' surrounded by double " in the sql query: '"&stringEntrada&"'
To insert numerical ones I only use the double: "&tlf&"
If I try to use simple ' when I am trying to insert an alphanumerical, like: '"mail"' I do not recieve any error, but the database records a blank value.
If I try to use double ", like: "mail" I am getting an error.
How I could insert alphanumerical variables without having trouble?
Thank you for your time, and sorry for my bad english.
You can avoid your "quoting problem" and also avoid SQL Injection vulnerabilities by using a parameterized query similar to this one:
Dim con '' As ADODB.Connection
Dim cmd '' As ADODB.Command
Dim stringName, longSponsorID, datetimeDateJoined
Const adCmdText = 1
Const adVarWChar = 202, adInteger = 3, adDate = 7
Const adParamInput = 1
'' test data
stringName = "Gord"
longSponsorID = 5
datetimeDateJoined = Now
Set con = CreateObject("ADODB.Connection")
con.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Users\Public\mdbTest.mdb;"
Set cmd = CreateObject("ADODB.Command")
cmd.CommandType = adCmdText
cmd.ActiveConnection = con
cmd.CommandText = _
"INSERT INTO Members " & _
"(memberName, sponsorID, dateJoined) " & _
"VALUES " & _
"(?, ?, ?)"
'' parameter for [memberName]
cmd.Parameters.Append cmd.CreateParameter("?", adVarWChar, adParamInput, 255, stringName)
'' parameter for [sponsorID]
cmd.Parameters.Append cmd.CreateParameter("?", adInteger, adParamInput, , longSponsorID)
'' parameter for [dateJoined]
cmd.Parameters.Append cmd.CreateParameter("?", adDate, adParamInput, , datetimeDateJoined)
cmd.Execute
Set cmd = Nothing
con.Close
Set con = Nothing