"Bob Barrows [MVP]" <reb01501@NOyahoo.SPAMcom> wrote in message
news:eAuuKY0OHHA.3872@TK2MSFTNGP06.phx.gbl...
> bobojones wrote:
>> I am getting the following error in my code "Too few parameters.
>> Expected
>> 1." I am getting it on the following line
>>
>> set rs = conn.Execute(SQLStatement)
>>
>> When I put in response.write (SQLstatement) I get
>> SELECT * FROM QPR WHERE Status= Closed
>
> String literals need to be quote-delimited. Try running this statement
> in the query execution tool of whatever database you are using and see
> for yourself.
>
>
>> If I change it to set rs = conn.Execute("SELECT * FROM QPR")
>> it will work.
>> I need ot be able to use the where clause. This is how I am setting
>> SQLstatement.
>> SQLStatement = "SELECT * FROM QPR WHERE Status= " &
>> Request.QueryString("Status")
>
> See below for an alternative to using dynamic sql. To fix this
> statement, you would do this:
>
> SQLStatement = "SELECT * FROM QPR WHERE Status= '" & _
> Request.QueryString("Status") & "'"
>
> Of course, this will fail if Request.QueryString("Status") contains an
> apostrophe. You can eliminate all these problems with delimiters by
> using parameters.
>
> Further points to consider:
> Your use of dynamic sql is leaving you vulnerable to hackers using sql
> injection:
>
http://mvp.unixwiz.net/techtips/sql-injection.html >
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23 >
> See here for a better, more secure way to execute your queries by using
> parameter markers:
>
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e
>
> Personally, I prefer using stored procedures, or saved parameter queries
> as they are known in Access:
>
>
>
>
> --
> Microsoft MVP -- ASP/ASP.NET
> Please reply to the newsgroup. The email account listed in my From
> header is my spam trap, so I don't check it very often. You will get a
> quicker response by posting to the newsgroup.
>
>
