|
I've been given the task of fixing potential (and exploited) SQL-injection errors in an existing ASP (not ASP.NET) project.
I can get the following code to execute (no parameters, no concatenation):
<br />
connString = "Driver={SQL Native Client};Server=server;Database=ACCT;Trusted_Connection=yes;"<br />
Set objConn = Server.CreateObject("ADODB.Connection")<br />
objConn.Open connString<br />
<br />
query = "SELECT SystemCode, SystemName FROM tblSystem WHERE Year = 5"<br />
Set cmd = Server.CreateObject("ADODB.Command")<br />
cmd.CommandText = query<br />
cmd.ActiveConnection = objConn<br />
Set rs = cmd.Execute<br />
However, when I try to convert it to use a parameter, I get an error on the cmd.CreateParameter line of
"ADODB.Command (0x800A0BB9) Arguments are of the wrong type, are out of acceptable range, or are in conflict with one another."
<br />
query = "SELECT SystemCode, SystemName FROM tblSystem WHERE Year = @YEAR"<br />
Set cmd = Server.CreateObject("ADODB.Command")<br />
cmd.CommandText = query<br />
<br />
cmd.Parameters.Append cmd.CreateParameter("@YEAR", adInteger, adParamInput, ,5)<br />
cmd.ActiveConnection = objConn<br />
Set rs = cmd.Execute<br />
Any idea how I can make this work, preferably quickly and easily?
Thanks.
--G
|
|
|
|
|
Hi Glen
What data-type is the Year column? If it is "smallint" then you should use adSmallint.
Regards
Andy
|
|
|
|
|
I think the type is wrong on your parameter, you should be using dbtype.int or SQLdbType.int32
|
|
|
|
|
I am using SQL server 2k, can any one please tell me the length param of data type binary. I have checked it from MSDN http://msdn2.microsoft.com/en-us/library/ms188362.aspx[^]
binary [ ( n ) ]
Fixed-length binary data with a length of n bytes, where n is a value from 1 through 8,000. The storage size is n bytes.
Does that mean that SQL server doesn't store data/image larger than 8 kb.
Best Regards,
Mushq
Mushtaque Ahmed Nizamani
Software Engineer
Ultimus Pakistan
|
|
|
|
|
|
Thanks a bunch for clearing my confusion. 
Best Regards,
Mushq
Mushtaque Ahmed Nizamani
Software Engineer
Ultimus Pakistan
|
|
|
|
|
SQL Server 2000 divides the database's storage into 8KB pages. A single row cannot span pages, it must fit within a single page. The exception is that text, ntext and image columns (referred to as LOBs, Large [or Long] OBjects) are (typically) stored off-page, although you can enable on-page storage with the 'text in row' table option for values that are smaller than 8000 bytes.
Because of this limit, it won't allow you to create a column whose size is bigger than this (8000 bytes for varbinary, 8000 characters for varchar, 4000 characters for nvarchar). If you create multiple large variable-length columns but the actual values you insert exceed 8000 bytes in total, you will get an error.
SQL Server 2005 adds new varchar(max) etc types. These can be used in identical ways to the limited variable-length types but are still stored off-row, unlike text and image columns which had some limitations. This is now the preferred way of storing LOB data. The old way will be removed in a future version of SQL Server (although I think still present in the upcoming SQL Server 2008).
DoEvents: Generating unexpected recursion since 1991
|
|
|
|
|
|
You mean like select * from mytable ?
Christian Graus - Microsoft MVP - C++
"also I don't think "TranslateOneToTwoBillion OneHundredAndFortySevenMillion FourHundredAndEightyThreeThousand SixHundredAndFortySeven()" is a very good choice for a function name" - SpacixOne ( offering help to someone who really needed it ) ( spaces added for the benefit of people running at < 1280x1024 )
|
|
|
|
|
|
Nope. At some point, you need column names.
|
|
|
|
|
There's the really bad practice of select *. You really should use column names though.
|
|
|
|
|
Given the other replies - what is it that you are trying to do - maybe we can provide some other advice?
|
|
|
|
|
Hi all,
I've been trying to find a similar question but couldn't find one so forgive me if this has already been dealt with.
Is there a way that I can immediately obtain the value of an auto incrementing identity field in SQL if I insert a new record?
Let's say I run the following command:
SqlCommand myCommand = new SqlCommand("INSERT INTO Users (UserName, Age) VALUES ('Joe Bloggs', 30)", myConnection);
but the Users table has an auto incrementing identity field called UserID. Is there a way I can obtain the new value of UserID without having to run a subsequent SELECT UserID FROM Users WHERE... query?
Thanks
|
|
|
|
|
After the INSERT do: SELECT SCOPE_IDENTITY();
This is all in one command. So you then do a ExecuteScalar() to get the value back to your application.
|
|
|
|
|
You could also use a SELECT @@identity;. But I think that it's better to use the Scope_Identity()-function, because @@identity returns the last identity value set in the current connection, while Scope_Identity() returns the last identity value that was set in the current scope (e.g. in a stored procedure).
|
|
|
|
|
Tobias Schoenig wrote: You could also use a SELECT @@identity;. But I think that it's better to use the Scope_Identity()-function, because @@identity returns the last identity value set in the current connection, while Scope_Identity() returns the last identity value that was set in the current scope (e.g. in a stored procedure).
Yes, so if there there are triggers involved then SCOPE_IDENTITY() will ensure the correct identity is returned.
|
|
|
|
|
Brilliant! Thanks guys, much appreciated.
|
|
|
|
|
Hi friends..I am using SQL 2005..
I have table field id and bid_amount
id bid_amount
1 2000
1 2500
1 2200
2 2000
2 1500
here how get the rank for individual id...I want to display like
id bid_amount Rank
1 2500 1
1 2200 2
1 2000 3
2 2000 1
2 1500 2
plz help me urgent.....
|
|
|
|
|
Google is a wonderful tool. I searched for 2 seconds and found this[^].
Paul Marfleet
"No, his mind is not for rent
To any God or government"
Tom Sawyer - Rush
|
|
|
|
|
|
gubba wrote: my question is that is there any method that we can retreive the values not using the colmn names but the column numbers.
I don't think so. You can define aliases for the columns though, e.g. SELECT Option_1 AS [1], Select Option_2 AS [2] etc...
Paul Marfleet
"No, his mind is not for rent
To any God or government"
Tom Sawyer - Rush
|
|
|
|
|
Hi,
i insert new row in sql server with this syntax
Dim insert_transaction As SqlCommand
insert_transaction = New SqlCommand("insert into Transaction (Transaction_Id,Account_Id,Type,Amount,Date,Time) values ('30','" & account & "','Account Transfer','" & money.Text & "','" & Today & "','" & time & "')", myConnection)
insert_transaction.ExecuteNonQuery()
the error appear in ExecuteNonQuery()
the question is
how i insert new row in vb.net connect with sql server ?
|
|
|
|
|
|
the error "Icorrect synyax near the keyword 'Transaction'" and i have table transaction in database
and anther question : how can insert primary key ( Transaction_Id) automatic without i insert it manual
|
|
|
|
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
