Bad insert command?

  • Question

  • User-911157248 posted

    My insert statement is crying foul when I use a variable, is this allowed?

    zfinal has a value, I have even tested it with a response.write.

    SqlDataSource2.InsertCommand = "insert into bills1 (job,bpac,rek) values ('New   ','    ',zfinal)"

    Variable 'ZFINAL' is not found.

    Thursday, October 28, 2010 10:11 AM

All replies

  • User1014708013 posted

    And where is zfinal defined? In your ASP.NET code or in SQL Server somewhere?

    Imar

    Thursday, October 28, 2010 10:13 AM
  • User-911157248 posted

    For purposes of testing, I defined it immediately before defining the insertcommand

    zfinal ="gorp"

    Thursday, October 28, 2010 10:20 AM
  • User1014708013 posted

    So it's a VB variable, right? If so, it doesn't automatically transition to SQL Server. With your current code, the variable is looked for within the context of the SQL statement in SQL Server.

    One way is to concatenate the value to the SQL statement in your VB code

    InsertCommand = "..... " & zfinal

    However, this is a *very* bad practice as it opens your code for SQL injection if the value of zfinal comes from an untrusted source (e.g. the user). Instead, you should use parameterized queries:

    http://www.google.com/search?hl=en&source=hp&q=.NEt+parameterized+queries+parameters&btnG=Google+Search&aq=f&aqi=&aql=&oq=&gs_rfai=

    Hope this helps,

    Imar

    Thursday, October 28, 2010 10:35 AM
  • User-911157248 posted

    Well it's actually a Foxpro table using vfpoledb. For this project I decided to insert a blank record, let the user edit it, then in the update I use parameters. For some reason, it won't take the variable which IS defined!

     

     

    Thursday, October 28, 2010 10:51 AM
  • User1014708013 posted

    In that case, can you show more code where you declare and assign the variable, and assign the variable's value to the SQL command?

    Imar

    Thursday, October 28, 2010 10:53 AM
  • User-1632285901 posted

    hi

    it's the right syntax if zfinal is a variable


    "INSERT INTO  bills1 (job,bpac,rek) VALUES('New','','" & zfinal & "')"


    paste it in your code and try 

    it always worked for me

    Thursday, October 28, 2010 11:02 AM
  • User-1199946673 posted

    >> "INSERT INTO  bills1 (job,bpac,rek) VALUES('New','','" & zfinal & "')"
    >> paste it in your code and try
    >> it always worked for me

    Really? try this

    zfinal = "let's try this"

    And then

    "INSERT INTO  bills1 (job,bpac,rek) VALUES('New','','" & zfinal & "')"

    That's one of the reasons you should use parameterized queries

    http://www.mikesdotnetting.com/Article/26/Parameter-Queries-in-ASP.NET-with-MS-Access 

    Thursday, October 28, 2010 11:19 AM
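
The parameterized form of the insert recommended in the replies above, as an added example that is not part of the original thread. It assumes the Visual FoxPro OLE DB provider (vfpoledb) is installed; the data folder in the connection string and the module and function names are hypothetical, and the sample values are constructed.

```vbnet
Imports System.Data.OleDb

Module BillsInsertExample

    ' Hypothetical connection string: the folder holding bills1.dbf is a placeholder.
    Private Const ConnStr As String = "Provider=VFPOLEDB.1;Data Source=C:\data\"

    ' Inserts one row into bills1. The values travel as parameters,
    ' so they are never parsed as part of the SQL text.
    Function InsertBill(job As String, bpac As String, rek As String) As Integer
        ' OLE DB providers use positional "?" markers. Parameter names are
        ' ignored, so parameters must be added in the same order as the markers.
        Const sql As String = "insert into bills1 (job,bpac,rek) values (?, ?, ?)"

        Using conn As New OleDbConnection(ConnStr)
            Using cmd As New OleDbCommand(sql, conn)
                cmd.Parameters.Add("job", OleDbType.VarChar).Value = job
                cmd.Parameters.Add("bpac", OleDbType.VarChar).Value = bpac
                cmd.Parameters.Add("rek", OleDbType.VarChar).Value = rek
                conn.Open()
                ' Returns the number of rows inserted (1 on success).
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function

    Sub Main()
        ' Constructed sample values. The second is the apostrophe case from the
        ' thread, which breaks the concatenated statement but not this one.
        Dim samples As String() = {"gorp", "let's try this", "it's 'quoted' twice"}
        For Each zfinal As String In samples
            Dim rows As Integer = InsertBill("New", "", zfinal)
            Console.WriteLine("{0} row(s) inserted for rek = [{1}]", rows, zfinal)
        Next
    End Sub

End Module
```

With the SqlDataSource control from the question, the same `?` markers go in InsertCommand and the values go in InsertParameters, added in the same order as the markers.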
  • User-911157248 posted

    not quite, still getting syntax error. 

    Thursday, October 28, 2010 11:29 AM
  • User1014708013 posted

    Again, please post your relevant code so we can take a look.....

    Thursday, October 28, 2010 11:34 AM
  • User-1632285901 posted

    give us how you get your variable zfinal to help you

    Thursday, October 28, 2010 11:36 AM
  • User-911157248 posted

    Here's relevant code:

    Dim zfinal As String

    zfinal = "gorp"

    SqlDataSource2.InsertCommand = "insert into bills1 (jon,bpac,rek) values ('New ','bpac', zfinal)"

    Variable 'ZFINAL' is not found.

    Thursday, October 28, 2010 12:56 PM
  • User1014708013 posted

    Looks like you haven't seen or understood all the previous posts....

    With the code you just posted, you pass the literal text zfinal to the database as it is just a part of the SQL string. In your database, zfinal has no meaning and thus you get an error.

    Instead, as explained earlier, you need to concatenate the .NET variable's value to your SQL statement (dangerous) or use parameters.

    Regards,

    Thursday, October 28, 2010 1:03 PM
  • User154448021 posted

    for vb.net:

    "insert into bills1 (job,bpac,rek) values ('New   ','    '," & zfinal & ")"


    Thursday, October 28, 2010 1:06 PM
  • User-911157248 posted

    right, I understand that, but I was getting syntax errors in the suggestions given. 

    This is an exercise project so not using parameters for the insert (update yes) but still hope to make it work.

     

    Thursday, October 28, 2010 1:08 PM
  • User1014708013 posted

    Since the zfinal is a string, you need to wrap its value in single quotes like this:

    "insert into bills1 (job,bpac,rek) values ('New   ','    ','" & zfinal & "')"

    Hope this helps,

    Imar

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, October 28, 2010 1:12 PM
  • User-911157248 posted

    Actually, I figured it at last, quotes were needed.

     

    values ('New ',' '," & "'" & zfinal & "'" & ")"

    ugh!

    Thursday, October 28, 2010 1:26 PM
  • User-1199946673 posted

    >> This is an exercise project so not using parameters for the insert

    I really don't understand why for an exercise project you're not using parameters. What's the point in exercising bad practices, which hopefully you'll not use in real projects?

    Thursday, October 28, 2010 2:06 PM
  • User-911157248 posted

    your point is valid, I use all parameters in the real world, but just not this exercise.

     

     

    Thursday, October 28, 2010 2:13 PM
  • User1014708013 posted

    >> Actually, I figured it at last, quotes were needed.

    Wasn't that exactly what I showed in my post (albeit with slightly different syntax)?

    Imar

    Friday, October 29, 2010 3:37 AM