I was wondering if in ms-access through vb6 (ADODB) I can have the security benefits of parameterized queries
Set Prm = CmdEnn.CreateParameter("pText1", adBSTR, adParamInput)
Prm.Value = pText1
Cmd.Parameters.Append Prm
without using stored procedures. So having something like:
Cmd.CommandText = "select * from ..."
Cmd.CommandType = adCmdText
instead of
Cmd.CommandText = "stored_query_name"
Cmd.CommandType = adCmdStoredProc
@KekuSemau,
Cmd.CommandText = "select * from tablename where column like @pText1"
Cmd.CommandType = adCmdText
Set Prm = CmdEnn.CreateParameter("pText1", adBSTR, adParamInput)
Prm.Value = random_variable
Cmd.Parameters.Append Prm
It worked like this, but at the end of the day, I didn't use it for other reasons. I don't recall if I had to use single quotes around it or not.
Related
In Access VBA, I needed to use parameters for database inserts/updates so I started using a ADODB command.
The database to insert is always the current one, so I use CurrentProject.Connection.
Everything works without using conn.Open; if I try to open it, it returns error 3705: Operation is not allowed when the object is open.
Am I missing something important that will hit a connections limit? Can someone suggest a better way?
Dim sql As String
sql = "INSERT INTO "
sql = sql + "[table]"
sql = sql + "(field1,field2)"
sql = sql + "VALUES (@field1,@field2)"
Dim conn As ADODB.Connection
Set conn = CurrentProject.Connection
Dim cmd As ADODB.Command
Set cmd = New ADODB.Command
With cmd
.ActiveConnection = conn
.CommandType = adCmdText
.CommandText = sql
.Parameters.Append .CreateParameter("@field1", adVarChar, adParamInput, 255, x)
.Parameters.Append .CreateParameter("@field2", adVarChar, adParamInput, 255, y)
.Execute
End With
Are you open to using DAO? You can use this:
Dim q As DAO.QueryDef
Dim strSQL As String
strSQL = "INSERT INTO table1 " & _
"(City, Province) " & _
"Values([pCity], [pProvince])"
Set q = CurrentDb.CreateQueryDef("", strSQL)
q.Parameters("pCity") = "Edmonton"
q.Parameters("pProvince") = "Alberta"
q.Execute
Using ADO via VB6, I'm having a hard time using the LIKE command in my Access file parameterized query.
Dim strSQL As String
strSQL = "SELECT * FROM [MY_TABLE] WHERE [MY_TEXT_COLUMN_NAME] LIKE %?%"
Dim conn As ADODB.Connection
Set conn = New ADODB.Connection
conn.ConnectionString = _
"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & DATABASE_PATH & ";Persist Security Info=False;"
conn.Open
Dim adoCommand As ADODB.Command
Set adoCommand = New ADODB.Command
With adoCommand
.ActiveConnection = conn
.CommandType = adCmdText
.CommandText = strSQL
.Prepared = True
.Parameters.Append .CreateParameter(, adVarChar, adParamInput, 255, strMYTEXT)
Dim rs As ADODB.Recordset
Set rs = .Execute
End With
Returns an empty record set.
Not sure the wildcards are needed here, but I just couldn't find the right way to place them.
Found it.
strSQL = "SELECT * FROM [MY_TABLE] WHERE [MY_TEXT_COLUMN_NAME] LIKE %?%"
should actually be
strSQL = "SELECT * FROM [MY_TABLE] WHERE [MY_TEXT_COLUMN_NAME] LIKE '%' + ? + '%'"
that solved it.
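The fix above keeps the wildcards in the SQL text. As an added example (not part of the original post), here is the other common form: the wildcards travel inside the bound value, and any LIKE metacharacters in the user's text are bracket-escaped first so they match literally. It assumes the Jet/ACE OLE DB provider, whose wildcards are % and _; EscapeLike, FindRows and the database path are hypothetical names.

```vbscript
Option Explicit

Const adVarWChar = 202
Const adParamInput = 1
Const adCmdText = 1

' Hypothetical helper: make %, _ and [ in user input match themselves.
' Jet/ACE LIKE matches a metacharacter literally when it is wrapped in
' square brackets.
Function EscapeLike(ByVal s)
    s = Replace(s, "[", "[[]")   ' must run first, or it would re-escape the brackets added below
    s = Replace(s, "%", "[%]")
    s = Replace(s, "_", "[_]")
    EscapeLike = s
End Function

' Hypothetical helper: "contains" search with the whole pattern bound as a parameter.
Function FindRows(conn, ByVal userText)
    Dim cmd, pattern
    pattern = "%" & EscapeLike(userText) & "%"
    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' Table and column names are the ones from the question above.
    cmd.CommandText = "SELECT * FROM [MY_TABLE] WHERE [MY_TEXT_COLUMN_NAME] LIKE ?"
    ' The provider binds by position; the parameter name is only a label.
    cmd.Parameters.Append cmd.CreateParameter("pattern", adVarWChar, adParamInput, Len(pattern), pattern)
    Set FindRows = cmd.Execute
End Function

Dim conn, rs
Set conn = CreateObject("ADODB.Connection")
' Constructed sample path; point it at your own .mdb file.
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\data\sample.mdb;"

' Constructed input: without escaping, "100%" would also match "1000 units".
Set rs = FindRows(conn, "100%")
Do Until rs.EOF
    WScript.Echo rs.Fields("MY_TEXT_COLUMN_NAME").Value
    rs.MoveNext
Loop
rs.Close
conn.Close
```

Binding the value stops it from changing the statement, but a bound `%` or `_` is still a wildcard inside LIKE, which is why the escaping step is separate.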
How do you insert multiple values into a Lookup Field in an Access database using ASP?
(I've tried a few approaches, so I'm not even sure which code to show as an attempt.)
For a sample table named [Agents] with a multi-value Lookup Field named [Languages] ...
the following VBScript code represents one way to add a new Agent named "Maria" who speaks both English and Spanish
Option Explicit
Dim con, cmd, rst, newID
Const adInteger = 3
Const adVarWChar = 202
Const adParamInput = 1
Const adOpenStatic = 3
Const adLockOptimistic = 3
Set con = CreateObject("ADODB.Connection")
con.Open _
"Provider=Microsoft.ACE.OLEDB.12.0;" & _
"Data Source=C:\Users\Public\Database1.accdb"
' insert all fields *except* multi-value Lookup Field
Set cmd = CreateObject("ADODB.Command")
cmd.ActiveConnection = con
cmd.CommandText = "INSERT INTO Agents (AgentName) VALUES (?)"
cmd.Parameters.Append cmd.CreateParameter("?", adVarWChar, adParamInput, 255, "Maria")
cmd.Execute
Set cmd = Nothing
' get AutoNumber ID of newly-inserted record
Set rst = CreateObject("ADODB.Recordset")
rst.Open "SELECT @@IDENTITY", con, adOpenStatic, adLockOptimistic
newID = rst(0).Value
rst.Close
Set rst = Nothing
' insert multi-value Lookup Field values
Set cmd = CreateObject("ADODB.Command")
cmd.ActiveConnection = con
cmd.CommandText = "INSERT INTO Agents (Languages.Value) VALUES (?) WHERE AgentID=?"
cmd.Parameters.Append cmd.CreateParameter("?", adVarWChar, adParamInput, 255)
cmd.Parameters.Append cmd.CreateParameter("?", adInteger, adParamInput)
cmd.Prepared = True
cmd.Parameters(1).Value = newID
' first value
cmd.Parameters(0).Value = "English"
cmd.Execute
' second value
cmd.Parameters(0).Value = "Spanish"
cmd.Execute
Set cmd = Nothing
con.Close
Set con = Nothing
While this may answer the immediate requirements of the question, it is important to note that:
Access SQL support for manipulating Lookup Fields is incomplete and can be inconsistent from one development environment to another,
"Microsoft strongly recommends against using Access in web applications" (ref: here), and
Seasoned Access developers recommend against using Lookup Fields (ref: here) except in very specific circumstances (e.g., for integration with SharePoint).
Hi, I am fairly new to MySQL and have tried to follow examples to use parameter queries.
If I simply put a ? in the SQL statement the code works, but I want to know how to pass multiple parms, so am trying to use a named parameter.
However, I get an error
[MySQL][ODBC 5.1 Driver][mysqld-5.1.73-log]Unknown column '56case_id' in 'where clause'
/t3.asp, line 32
You will see commented out several other methods I have tried without success.
Any help would be great.
My code is...
Set connContent = Server.CreateObject("ADODB.Connection")
connContent.ConnectionString=.....
connContent.Open
Set cmdContent = Server.CreateObject("ADODB.Command")
Set cmdContent.ActiveConnection = connContent
Set rs = Server.CreateObject("ADODB.Recordset")
cmdContent.Prepared = True
Const ad_varChar = 200
Const ad_ParamInput = 1
Const ad_Integer = 3
Const ad_DBDate = 133
Const ad_DBTimeStamp = 135
'theNumber = 23
'theText = "Hello there!"
'theDate = "2011-10-15"
case_id=56
SQL = " select * from tbl_cases where case_id > ?case_id; "
Set newParameter = cmdContent.CreateParameter("?case_id", ad_Integer, ad_ParamInput, 50, case_id)
cmdContent.Parameters.Append newParameter
'cmdContent.Parameters.Add(new MySqlParameter("case_id",case_id));
'cmdContent.Parameters.AddWithValue ("@Case_id", 3);
cmdContent.CommandText = SQL
set rs=cmdContent.Execute
do until rs.eof
response.write rs.fields("case_id")
rs.movenext
loop
%>
Named parameters aren't possible but multiple ? parameters work fine. The ?s are used in the order they are created so it really pays to keep the code well organized. Here is a no frills example... you'll see that I put the cmd statement first, immediately followed by the parameters in the order they are needed -- each of which is condensed into one line of code.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open(connectionString)
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "UPDATE metadata SET meta_key=?, meta_value=? WHERE meta_id=?;"
cmd.Parameters.Append cmd.CreateParameter("@meta_key", adVarChar, adParamInput, 255, meta_key)
cmd.Parameters.Append cmd.CreateParameter("@meta_value", adLongVarChar, adParamInput, len(meta_value), meta_value)
cmd.Parameters.Append cmd.CreateParameter("@meta_id", adInteger, adParamInput, 11, meta_id)
cmd.Execute rCount
response.write(rCount & " records affected")
conn.Close
It is not possible to use named parameters with classic asp/adodb
How to fill up combobox during runtime using stored procedure to get values from database?
Here's my code; this should be converted into a stored procedure:
Private Sub ComboFill()
Set Rs = New ADODB.Recordset
Set Cmd = New ADODB.Command
With Cmd
.ActiveConnection = Conn
.CommandType = adCmdText
.CommandText = "SELECT suppliername from supplier"
Set Rs = .Execute
End With
If Not (Rs.BOF And Rs.EOF) Then
Rs.MoveFirst
End If
Do Until Rs.EOF
txtsupplier.AddItem Rs.Fields("suppliername").Value
Rs.MoveNext
Loop
End Sub
Try this (not tested):
EDIT: adjusted to return a RS, not a single value
Set Rs = New ADODB.Recordset
Set cn = New ADODB.Connection
cn.ConnectionString = Session.GetConnectionstring
cn.Open
Set cmd = New ADODB.Command
cmd.ActiveConnection = cn
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "MyStoredProcdure"
' Input param, if you need
' cmd.Parameters.Append cmd.CreateParameter("Param1", adInteger, adParamInput, , 614)
' Create a recordset by executing the command.
Set Rs = cmd.Execute()
Rs.MoveFirst
Do Until Rs.EOF
txtsupplier.AddItem Rs.Fields("suppliername").Value
Rs.MoveNext
Loop
Set Rs = Nothing
Set cmd = Nothing
Set cn = Nothing