ansaurus

Question

ASP Classic Named Paramater in Paramaterized Query: Must declare the scalar variable

Answer 1

+1 A:

ADO is going to expect question marks instead of actual parameter names in this case. Right now, the SQL "select @something" is not actually parameterized: it sees the "@something" as an (undeclared) SQL variable, not as a parameter. Change your CommandText line to this:

cmd.CommandText = "select ?"

And I think you will get the result you are looking for.

Good luck!

Chris Nielsen 2009-07-07 14:44:50

Yip. I managed to get that right as well. But I'd really like to get the named aspect working, as it'll be harder to keep track of parameter order once the queries or statements get more involved.

My Alter Ego 2009-07-08 06:59:44

After trying a few variations of this, I wasn't able to come up with a solution either. I suspect that using named parameters is only going to work if you are calling a stored procedure, not sending up an SQL command.

Chris Nielsen 2009-07-14 20:11:59

Answer 2

A:

I'm not sure what your query is intended to accomplish. I'm also not sure that parameters are allowed in the select list. MSDN used to have (many years ago, probably) a decent article on where parameters were allowed in a query, but I can't seem to find it now.

OTTOMH, your attempts to supply the parameter values to ADO look correct. Does your query execute if you do something like this?

SELECT 1 FROM sometable WHERE somefield = @something

Chris Farmer 2009-07-07 14:52:01

It works fine with a question mark, so the parameter can be in the select list. The problem is the same if I move the parameter to where clause. The point of the query is to have the shortest example I could come up with for others to tinker with.

My Alter Ego 2009-07-08 06:57:42

Answer 3

+2 A:

Here's some sample code from an MSDN Library article on preventing SQL injection attacks. I cannot find the original URL, but googling the title keywords (Preventing SQL Injections in ASP) should get you there quick enough. Hope this real-world example helps.

strCmd = "select title, description from books where author_name = ?"
Set objCommand.ActiveConnection = objConn
objCommand.CommandText = strCmd
objCommand.CommandType = adCmdText
Set param1 = objCommand.CreateParameter ("author", adWChar, adParamInput, 50)
param1.value = strAuthor
objCommand.Parameters.Append param1
Set objRS = objCommand.Execute()

See the following page on MSDN, near the bottom, referring specifically to named parameters.

http://msdn.microsoft.com/en-us/library/aa496035(SQL.80).aspx

Bork Blatt 2009-07-07 15:07:47

Thanks. Is there any way to do it with named parameters?

My Alter Ego 2009-07-08 07:00:49

See the update I posted to the answer.

Bork Blatt 2009-07-08 13:08:55

Answer 4

+1 A:

with server.createobject("adodb.command")
  .activeConnection = application("connection_string")
  .commandText "update sometable set some_col=? where id=?"
  .execute , array(some_value, the_id)
end with

Joost Moesker 2009-07-07 19:08:34

ansaurus

tags:

views:

answers:

ASP Classic Named Paramater in Paramaterized Query: Must declare the scalar variable

related questions