Want to insert w/ parameters

  • Question

  • User-771576004 posted
    I have a legacy app, classic ASP, and the insert statement does NOT use parameters. I am having difficulty with the required statements: where would parameters go, and how do I create them with the below scenario? This is for SQL Server and I hope to guard against injection. Any help?
    Dim sql_insert, Global_DBConnection, DSN
    Set Global_DBConnection = Server.CreateObject("ADODB.Connection")
    DSN = "Driver={SQL Server};Server=server99;Database=finance-DB;UID=alpha;PWD=beta"
    Global_DBConnection.Open DSN
    Dim title, name
    ' title and name are concatenated straight into the SQL text: this is the injectable statement
    sql_insert = "insert into table1 (title, name) values ('" & title & "', '" & name & "')"
    Global_DBConnection.Execute sql_insert
    Global_DBConnection.Close
    Set Global_DBConnection = Nothing
    Thursday, January 26, 2012 3:30 PM

Answers

  • User3866881 posted

    Hello vagabond :)

    This is a forum for .NET, but your problem looks like pure ASP... Well, in fact I suggest using SqlCommand to deal with your problem; a code sample looks like this:

    // needs: using System.Data.SqlClient; connectionString, title and name are your own values
    using (SqlConnection conn = new SqlConnection(connectionString))
    using (SqlCommand cmd = new SqlCommand("insert into table1 (title, name) values (@title, @name)", conn))
    {
       cmd.Parameters.AddWithValue("@title", title);   // your value1
       cmd.Parameters.AddWithValue("@name", name);     // your value2
       conn.Open();
       cmd.ExecuteNonQuery();
    }

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, January 27, 2012 9:26 PM

All replies

  • User-1831219222 posted

    do something like this:

    sql_insert = "insert into table1 (title) values (" & title & ")"
    Global_DBConnection.Execute sql_insert 

    Use an SP or a parameterized query to avoid injection.

    Thursday, January 26, 2012 4:01 PM
  • User-771576004 posted
    I am not using stored procedures, but I want to know how to invoke ADODB using parameters along with the setup I have already. Can it be done?
    Thursday, January 26, 2012 5:32 PM
  • User-771576004 posted
    Any example for me to follow on this?
    Friday, January 27, 2012 10:19 AM
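As an added example (not code from anyone in this thread), here is the insert from the question done in the same classic ASP setup with ADODB.Command and bound parameters, which is the ADO equivalent of the SqlCommand answer. It assumes the two values arrive via Request.Form and that both columns are varchar(100); the connection string is the one from the question.

```vbscript
' Added example, not from any poster in this thread: the question's insert
' rewritten so the values travel as bound parameters, never as SQL text.
' Assumptions: title/name are posted form fields; both columns are varchar(100).
Option Explicit

' ADO constants (same values as adovbs.inc), declared here so the page is self-contained
Const adCmdText          = 1     ' CommandText is a SQL statement, not a procedure name
Const adVarChar          = 200   ' use adVarWChar (202) if the columns are nvarchar
Const adParamInput       = 1
Const adExecuteNoRecords = 128   ' an INSERT returns no recordset

Dim conn, cmd, title, name, rowsAffected

' Assumption: values come straight from the form. They are NOT quoted or escaped
' anywhere; a value such as O'Brien or '); drop table table1;-- is stored literally.
title = Request.Form("title")
name  = Request.Form("name")

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Driver={SQL Server};Server=server99;Database=finance-DB;UID=alpha;PWD=beta"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' ADO over the ODBC driver uses positional "?" markers; they are bound in the
' order the parameters are appended below (the @name form of the .NET answer
' does not apply here)
cmd.CommandText = "insert into table1 (title, name) values (?, ?)"

' CreateParameter(Name, Type, Direction, Size, Value); Size is required for
' character types, so set it to the real column width of your table
cmd.Parameters.Append cmd.CreateParameter("title", adVarChar, adParamInput, 100, title)
cmd.Parameters.Append cmd.CreateParameter("name",  adVarChar, adParamInput, 100, name)

' first argument receives the number of rows affected
cmd.Execute rowsAffected, , adExecuteNoRecords

Set cmd = Nothing
conn.Close
Set conn = Nothing

Response.Write rowsAffected & " row(s) inserted"
```

To check it, post a title containing a single quote: the concatenated version in the question raises a SQL syntax error (or executes whatever follows the quote), while this version inserts one row with the quote intact and rowsAffected is 1.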