Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Parameterized Queries 1

Status
Not open for further replies.
cjpettie

cjpettie

Programmer
Nov 1, 2010
2
0
0
CA
I just inherited a legacy asp app that the client wants to make more secure. I'm having issues changing all the dynamic queries to parameterized queries. The app uses an oracle backend.

So far...
***********
Dim strSql, dcConnection, rsApplications, objCommand,

strSql = "SELECT DISTINCT [field1] FROM [table1] WHERE [field1] = :ID"

Set dcConnection = GetConnection()
Set rsApplications = Server.CreateObject("ADODB.Recordset")
Set objCommand = Server.CreateObject("ADODB.Command")
objCommand.ActiveConnection = dcConnection
objCommand.CommandText = strSql
objCommand.Parameters.Append (objCommand.CreateParameter(":ID", adVarChar, adParamInput, 4, "ABCD"))
Set rsApplications = objCommand.Execute()
***********

When I include the value "ABCD" in the WHERE clause it works as expected within a second. When I use the code above the query times out.

While grasping at straws I tried to swap out the : with @ and ? to no avail.

Any support would be appreciated.
 
Sort by date Sort by votes
1) use ? in the strSQL
2) use the fieldname in the createparameter

Code: 
<%
set objCommand = server.CreateObject("adodb.command")
Set objCommand.ActiveConnection = objConn
objCommand.CommandText = "SELECT DISTINCT [field1] FROM [table1] WHERE field1 = ?"

objCommand.CommandType = 1
Set param1 = objCommand.CreateParameter ( "field1", 129,1,4)
param1.value = "ABCD"
objCommand.Parameters.Append param1
Set objRS = objCommand.Execute()
%>

(129 = adChar, 1 = adParamInput)
 
Upvote 0 Downvote
Thanks for the solution foxbox! Now I have a ton of work ahead of me but at least I can stop spinning my wheels.
 
Upvote 0 Downvote
>objCommand.Parameters.Append (objCommand.CreateParameter(":ID", adVarChar, adParamInput, 4, "ABCD"))
The main thing is to have those named constants defined explicit in your script if it is not already. Also the value 4 is not to be take as some magic number, it is the dynamic size to be inputted according to the parameter's value. The naming agreement between the use of ":ID" at two places is of no generic importance, you can name it as such or you can name it differently in the parameter object. Those are the main points to note.
[tt]
const adVarChar=200
const adParamInput=1
dim s
s="ABCD" 'or anything as the application intends to do
objCommand.Parameters.Append objCommand.CreateParameter(":ID", adVarChar, adParamInput, [red]len(s), s[/red])[/tt]
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

leifoet
  • Locked
  • Question
How to combine 2 Select queries in 1
Replies
2
Views
59
Ed Mozley
Ed Mozley
Swi
  • Locked
  • Question
Parameterized Update Query 1
Replies
10
Views
68
Swi
Swi
SuperComputing
  • Locked
  • Question
Compare sql queries locally, display results
Replies
3
Views
10
SuperComputing
SuperComputing
tyutghf
  • Locked
  • Question
Multiple queries into one 1
Replies
3
Views
9
gmmastros
gmmastros
gregarican
  • Locked
  • Question
ASP Parameterized Update
Replies
9
Views
10
gregarican
gregarican

Part and Inventory Search

Sponsor

Back
Top