ansaurus

Question

Answer 1

+3 A:

You can use an INSERT SELECT instead of an INSERT VALUES. such as.

INSERT INTO MyTable (ColumnA, ColumnB, ColumnC) SELECT 'A', 'B', MAX(ColumnC) FROM MyOtherTable

On another note though, you should NOT build up your SQL as you are. This is prone to SQL Injection. Someone could quite easily enter "; DROP TABLE tblContract" into one of your text boxes!

Robin Day 2009-07-13 14:20:24

Er, Access won't execute multiple statements with the DoCmd.RunSQL command -- it will give you an "invalid characters after end of SQL statement" error message.

David-W-Fenton 2009-07-13 21:57:39

BTW, that doesn't mean you shouldn't validate user input, just that the cited example of SQL injection can't possibly happen within Access (or any form of Jet/ACE, neither of which support batched SQL statements).

David-W-Fenton 2009-07-13 21:58:43

Answer 2

+1 A:

First you will need to grab the value from the other table and then used that to insert into this table, you can also use a trigger to do that. Be aware that you can have the same value twice if 2 users execute the same query at the same time...you will need lock the other table in that case...max() is problematic

why not use identity and then the scope_identity() function to grab after you insert into the other table?

you also understand that what you doing is a sql injection attack waiting to happen

SQLMenace 2009-07-13 14:21:20

SQL injection on a VBA application can't be that big of a concern.

mgroves 2009-07-13 14:23:33

Yeah but how long will it be a VBA application? These things often get a life of thier own and get ported

n8wrl 2009-07-13 14:30:30

mgroves, some people do use Access as a web interface. Also, don't you think you should protect your data from disgruntled employees as well as outsiders? SQl Injection doesn't have to come from outside the company. Besides, learning to think about such things as "Is this open to attack" will help this person's career when he moves away from Access.

HLGEM 2009-07-13 14:34:10

Please cite an example of someone using Access as a "web interface." It's a nonsensical assertion, actually, if you use a proper definition of both "Access" and "web interface."

David-W-Fenton 2009-07-13 21:59:57

BTW, in regard to Access SQL Injection, this thread http://stackoverflow.com/questions/512174/non-web-sql-injection hashes it out and shows that in general, there's only a very limited set of vulnerabities, and none involve DDL or updates to data -- they are limited to faking WHERE clauses in SELECT statements that will then return all rows.

David-W-Fenton 2009-07-13 22:19:26

Answer 3

A:

If I read your question correctly you want

INSERT INTO tblContract(col1..., testId) values
    ('value1',..., (SELECT MAX(testID) FROM tblOther));

Be warned this may lead to concurrency issues

Nathan Koop 2009-07-13 14:21:21

This is how I was thinking it needed to be done.

R. Bemrose 2009-07-13 14:22:07

And then some! This is not a good practice to follow and should be stamped out now! Either know the foreign key value in advance and insert the value with it, or insert both tables in the same transaction.

Randolpho 2009-07-13 14:23:16

ansaurus

tags:

views:

answers:

Insert statement with where clause

related questions