I am trying to use a variable as the column field in the SQL. However when I run the code I get the following error:
Microsoft VBScript compilation error '800a0408'
Invalid character
/junk/dbresults.htm, line 25
DECLARE #cat char(20)
--------^
The code is below:
<%
Dim connectString, connect, conDB, con
connectString = "Driver={Microsoft Text Driver (*.txt; *.csv)}; DBQ=" & Server.MapPath("data")
src_abn = Request.QueryString("abn")
src_cat = Request.QueryString("cat")
set connect = Server.CreateObject("ADODB.connection")
connect.open connectString
DECLARE #cat char(20)
DECLARE #dynamicsql char(1000)
SET #cat = src_cat;
SET #dynamicsql = "SELECT * FROM cont.csv WHERE #cat='Yes'"
if src_abn = "all" then
conDB = EXEC (#DynamicSQL)
else
conDB = "SELECT * FROM cont.csv WHERE ucase(abn) LIKE ucase('%"+src_abn+"%')"
end if
set con = connect.execute(conDB)
%>
I'm not positive what you're trying to do, but you can't run SQL Syntax (i.e. DECLARE #cat...) with classic ASP. Are you trying to do something like this?
<%
//Request your variables
src_abn = Request.QueryString("abn")
src_cat = Request.QueryString("cat")
Dim connectionString, dbConn, rsResults, strSQL
//Setup your connection
connectionString = "Driver={Microsoft Text Driver (*.txt; *.csv)}; DBQ=" & Server.MapPath("data")
set dbConn= Server.CreateObject("ADODB.Connection")
dbConn.open connectionString
//Create your sql statement
if src_abn = "all" then
strSQL = "SELECT * FROM cont.csv WHERE " & src_cat & "='Yes'"
else
strSQL = "SELECT * FROM cont.csv WHERE ucase(abn) LIKE ucase('%" & src_abn & "%')"
end if
//Create your results
set rsResults = Server.CreateObject("ADODB.Recordset")
rsResults.open strSQL, dbConn
//Loop through your results
While Not rsResults.EOF
rsResults.MoveNext
Wend
//Closes results and connection
rsResults.Close
dbConn.Close
%>
Related
I have a database and MSSQL code in vbscript:
Dim conn, SQL, rs
Const DB_CONNECT_STRING = "Provider=SQLOLEDB.1;Data Source=DJ-PC;Initial Catalog=Baza_NC;user id ='user_baza_nc';password='Password1'"
Set myConn = CreateObject("ADODB.Connection")
Set myCommand = CreateObject("ADODB.Command" )
myConn.Open DB_CONNECT_STRING
Set myCommand.ActiveConnection = myConn
myCommand.CommandText = "UPDATE Klienci_NC SET Klienci_NC.Klient = '" & Klient_niceform & "' WHERE Klienci_NC.ID = '" & ID_zmienna & "'"
myCommand.Execute
myConn.Close
When I use the ID with the participation of a txt file as a counter to work well.
The problem appeared when I wanted to use the MSSQL database autoincremant.
I need a string variable to the variable & ID_zmienna &
How to get a string variable with the ID field from the database?
Not sure why you are trying to call an INT data type in SQL as a VARCHAR.
The query should be
myCommand.CommandText = "UPDATE Klienci_NC SET Klienci_NC.Klient = '" & Klient_niceform & "' WHERE Klienci_NC.ID = " & ID_zmienna
you only pass ' for string data types in SQL Server, integers are just
[column] = int_value
Having said all that you should be passing the parameters in the .Parameters collection of the ADODB.Command object rather than specifying them directly in the SQL query string. As it stands the page is open to SQL Injection attack and also means you have to handle not passing ' when dealing with INT and escaping extra ' in strings etc., which just isn't necessary.
Dim SQL, myCommand
Const DB_CONNECT_STRING = "Provider=SQLOLEDB.1;Data Source=DJ-PC;Initial Catalog=Baza_NC;user id=user_baza_nc;password=Password1"
'Most ADO providers expect a `?` to denote where a parameter is expected.
SQL = "UPDATE Klienci_NC SET Klienci_NC.Klient = ? WHERE Klienci_NC.ID = ?"
Set myCommand = CreateObject("ADODB.Command" )
With myCommand
'No need for ADODB.Connection object ADODB.Command can create one from the
'Connection String.
.ActiveConnection = DB_CONNECT_STRING
.CommandType = adCmdText
.CommandText = SQL
'Define parameters in order they appear in the query.
Call .Parameters.Append(.CreateParameter("#klient", adVarWChar, adParamInput, 50))
Call .Parameters.Append(.CreateParameter("#id", adInteger, adParamInput, 4))
'Only running an update statement so no need to return a
'ADODB.Recordset.
Call .Execute(, Array(Klient_niceform, ID_zmienna), adExecuteNoRecords)
End With
'Release the object from memory
Set myCommand = Nothing
Useful Links
Assuming you are using Classic ASP with VBScript
Using METADATA to Import DLL Constants (if you are having problems with the ADO constants like adCmdText, adInteger etc., being undefined this will help)
Otherwise you will need to define the ADO constants yourself like so;
Const adCmdText = 1
Const adInteger = 3
Const adVarWChar = 202
Const adParamInput = 1
Const adExecuteNoRecords = &H00000080
I'm getting this error and I can't really find a solution..
I'm not sql expert, Somebody told me the syntax is not correct, is that right?
ADODB.Recordset error '800a0e7d'
The connection cannot be used to perform this operation. It is either closed or invalid in this context.
/SelectBanner.inc, line 9
SelectBanner.inc inside:
<%
sql5 = "SELECT * " &_
"FROM Banners " &_
"WHERE BannerNum="&thelocation&" AND TheLanguage='hebrew'"
Set BannersRS = Server.CreateObject("ADODB.Recordset")
BannersRS.Open sql5, conn, 3, 1
TotalRecords = 0
DO WHILE not (BannersRS.eof)
TotalRecords=TotalRecords+1
BannersRS.MoveNext
LOOP
If (not(BannersRS.bof)) Then
BannersRS.MoveFirst
End If
rndMax = TotalRecords
x=0
%>
This is the "connection.asp" file:
<!--#include file=security.asp-->
<%
set conn = server.createobject("ADODB.connection") 'the next code needed for times when the connection is included from other places than /httpdocs/
ar = Split(server.mappath("."),"\")
NewPath = ar(0) 'get the c:\
If ar(index) = "httpdocs" Then
index = UBound(ar)
Next
NewPath = NewPath&"\Data\xxxxxx.mdb"
conn.connectionstring = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source="&NewPath&";Persist Security Info=False"
conn.open()
set rs = conn.execute("select * from siteInfo")
taxValue = rs("tax")
set rs = nothing
%>
i want to update the data using textbox in a database but i get the error message. the error is "Incorrect syntax near '('."
below is the code for update data
hopefully u all can help me to solve the problem. Thanks :)
dbSource = "Data Source=LAILATUL-PC\SERVER;Initial Catalog=HotelManagementSystem;Integrated Security=True"
con = New SqlConnection(dbSource)
con.Open()
Dim sqlUpdate As String = "UPDATE [Room] SET ([Room_Code], [Room_Type], [Room_No], [Room_Price], [Room_Status], [No_of_Occupancy]) VALUES (#RoomCode, #RoomType, #RoomNo, #RoomPrice, #RoomStatus, #NoOfOccupancy WHERE [Room_Code] = " & txtRoomCode.Text & " ) "
cmd = New SqlCommand(sqlUpdate)
cmd.Connection = con
cmd.Parameters.AddWithValue("#RoomCode", txtRoomCode.Text)
cmd.Parameters.AddWithValue("#RoomType", txtRoomType.Text)
cmd.Parameters.AddWithValue("#RoomNo", txtRoomNo.Text)
cmd.Parameters.AddWithValue("#RoomPrice", txtRoomPrice.Text)
cmd.Parameters.AddWithValue("#RoomStatus", txtRoomStatus.Text)
cmd.Parameters.AddWithValue("#NoOfOccupancy", txtNoOfOccupancy.Text)
cmd.ExecuteNonQuery()
MessageBox.Show("Successfully saved", "Record", MessageBoxButtons.OK, MessageBoxIcon.Information)
You are already using parameters don't forget the last one which could open your sql up to injection attacks.
Dim sqlUpdate As String = "UPDATE [Room] SET [Room_Code] = #RoomCode,
[Room_Type] = #RoomType, [Room_No] = #RoomNo, [Room_Price] = #RoomPrice
[Room_Status] = #RoomStatus, [No_of_Occupancy] = #NoOfOccupancy
WHERE [Room_Code] = #RoomCode"
Need to quote the room code text in the WHERE clause
Dim sqlUpdate As String = "UPDATE [Room] SET ([Room_Code], [Room_Type], [Room_No], [Room_Price], [Room_Status], [No_of_Occupancy]) VALUES (#RoomCode, #RoomType, #RoomNo, #RoomPrice, #RoomStatus, #NoOfOccupancy WHERE [Room_Code] = '" & txtRoomCode.Text & "' ) "
Edit
Or better yet make that a parameter too.
I believe that this statement:
Dim sqlUpdate As String = "UPDATE [Room] SET ([Room_Code], [Room_Type], [Room_No], [Room_Price], [Room_Status], [No_of_Occupancy]) VALUES (#RoomCode, #RoomType, #RoomNo, #RoomPrice, #RoomStatus, #NoOfOccupancy WHERE [Room_Code] = " & txtRoomCode.Text & " ) "
needs to be rewritten as follows:
Dim sqlUpdate As String = "UPDATE [Room] SET [Room_Code] = #RoomCode, [Room_Type] = #RoomType, [Room_No] = #RoomNo, [Room_Price] = #RoomPrice, [Room_Status] = #RoomStatus, [No_of_Occupancy] = #NoOfOccupancy WHERE [Room_Code] = '" & txtRoomCode.Text & "' ) "
You have two problems. You didn't quote your txtRoomCode.txt value, and that's not the correct syntax for an UPDATE statement, unless I'm really confused.
I am using sql server and asp classic, and am currently calling queries like this:
newHireSQL = "select * from NewHire where Archived = 0 order by HireID desc"
Set rsGetHireID = Server.CreateObject("ADODB.Recordset")
rsGetHireID.Open newHireSQL,ConnectionString,adOpenStatic
NumOfHireID = rsGetHireID.RecordCount
But instead of having the query statement here, I want to call a stored procedure called dbo.sp_selectNewHireSQL. How can I do that?
Thanks
EDIT:
I tried this
Dim Conn
SET Conn = Server.CreateObject("ADODB.Connection")
SET rsGetHireID = Server.CreateObject("ADODB.RecordSet")
Conn.Open ConnectionString
set rsGetHireID=Conn.Execute("Exec sp_selectNewHireSQL")
NumOfHireID = rsGetHireID.RecordCount
Response.Write (NumOfHireID)
But I am getting a -1 value for the record count.
It's just use exec or execute statement:
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open ConnectionString
Conn.Execute "Exec sp_selectNewHireSQL"
Reference: http://msdn.microsoft.com/en-us/library/ms188332(v=sql.90).aspx
To have the RecordCount working you need to use proper cursor:
Set rsGetHireID = Server.CreateObject("ADODB.RecordSet")
Conn.Open ConnectionString
rsGetHireID.CursorLocation = 3 'adUseClient
rsGetHireID.Open "Exec sp_selectNewHireSQL", Conn
NumOfHireID = rsGetHireID.RecordCount
Instead of using ADODB.Connection, try using ADODB.Command instead like this:
Set objCommand = Server.CreateObject("ADODB.Command")
objCommand.ActiveConnection = ConnectionString
objCommand.CommandText = "dbo.sp_selectNewHireSQL"
objCommand.CommandType = adCmdStoredProc ' you have to include adovbs.inc file or you can use 4
Set rsGetHireID = objCommand.Execute()
NumOfHireID = rsGetHireID.RecordCount
Response.Write (NumOfHireID)
<%
dim db_conn
db_conn = "Provider=SQLOLEDB.1;Server=server name;Database=dbname;Uid=sa; Pwd=123;"
set conn = server.createobject("adodb.connection")
set Cmd = Server.CreateObject("ADODB.Command")
'-------------------------------------------------------
conn.open (db_conn)
'-------------------------------------------------------
set rs = Server.CreateObject("ADODB.RecordSet")
sSQL = "EXEC sp_countrylist #countryname ='" & countryname & "'"
set rs = conn.execute(sSQL)
if (rs.bof and rs.eof) then
response.Write "<span class=""error"">No Record Found</span>"
response.End
end if %>
I'm attempting to use a variable for the column field in the SQL statement however it shoots back the following error at me:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Text Driver] Syntax error (missing operator) in query expression '= 'Yes''.
/junk/dbresults.htm, line 31
THE CODE:
<%
Dim connectString, connect, conDB, con
connectString = "Driver={Microsoft Text Driver (*.txt; *.csv)}; DBQ=" & Server.MapPath("data")
src_abn = Request.QueryString("abn")
src_cat = Request.QueryString("cat")
set connect = Server.CreateObject("ADODB.connection")
connect.open connectString
if src_abn = "all" then
conDB = "SELECT * FROM cont.csv WHERE " & src_cat & " = 'Yes'"
else
conDB = "SELECT * FROM cont.csv WHERE ucase(abn) LIKE ucase('%"+src_abn+"%')"
end if
set con = connect.execute(conDB)
%>
Looks like the value of src_cat contains spaces or other characters that create an invalid query. Try changing that line to this (with brackets):
conDB = "SELECT * FROM cont.csv WHERE [" & src_cat & "] = 'Yes'"
Fixed it, the variables were not delcared.