ASP / SQL Question

Dthmtlgod · Dec 2, 2004

I can't remember how to send values to my Access DB through an SQL statement

Conn.execute ("INSERT INTO MISSING_IMAGES (SubmitterID, UserFullName, PCN,
ClaimNumber) VALUES ('SubmitterID','UserFullName', 'PCN', 'ClaimNumber')")

Please help.

Ray Costanzo [MVP] · Dec 2, 2004

What do you need help with? Is that not working for you? Do you get an
error of some sort? What seems to be the problem.

Ray at work

Bob Barrows [MVP] · Dec 2, 2004

Dthmtlgod said:
I can't remember how to send values to my Access DB through an SQL
statement

Conn.execute ("INSERT INTO MISSING_IMAGES (SubmitterID, UserFullName,
PCN, ClaimNumber) VALUES ('SubmitterID','UserFullName', 'PCN',
'ClaimNumber')")

Please help.

Are 'SubmitterID','UserFullName', 'PCN',etc. the actual values you want to
insert? Or are they variable names?

Veign · Dec 2, 2004

I would recommend against using the Execute method as this opens you up for
SQL Injection. Better method is to use a Command Object and the Parameters
collection.

Helper Links:

SQL Injection
www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf

SQL Injection Attacks - Are You Safe?
http://www.sitepoint.com/article/sql-injection-attacks-safe

Protecting Yourself from SQL Injection Attacks:
http://www.4guysfromrolla.com/webtech/061902-1.shtml

Bob Barrows [MVP] · Dec 2, 2004

Veign said:
I would recommend against using the Execute method as this opens you
up for SQL Injection. Better method is to use a Command Object and
the Parameters collection.

Good advice, but I would go a little further to mention that parameters can
be passed without using a Command object, by using the
"procedure-as-connection-method" technique. Same outcome: parameters passed
with no danger of SQL Injection, but much simpler than using the explicit
Command.

Here are some links for this technique as it applies to Access:

http://groups.google.com/groups?hl=...=1&[email protected]

http://groups.google.com/groups?hl=...=1&[email protected]

http://www.google.com/[email protected]&oe=UTF-8&output=gplain

Bob Barrows

Dthmtlgod · Dec 2, 2004

I need to submit the variable not the field name again, my mistake. I
looked at some of my old code.

One question, one of my fields is a Date field, can this be added using the
INSERT command?

Bob Barrows [MVP] · Dec 2, 2004

Yes, but if you use dynamic sql, you will have to remember to delimit the
value properly. For Jet (Access) you need to use # delimiters.

http://groups.google.com/groups?hl=...=1&[email protected]

http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&[email protected]

Bob Barrows

Veign · Dec 3, 2004

Good catch....

I was just passing through and caught this thread. More people need to be
aware of SQL Injections. There are so many websites around that I can get
through the username and password with some SQL Injection techniques...

--
Chris Hanscom - Microsoft MVP (VB)
Veign's Resource Center
http://www.veign.com/vrc_main.asp

ASP / SQL Problem	8	Feb 2, 2006
SQL Problem Using Extract Command	0	Apr 8, 2022
Problem with a login script, SESSION user rights and put this together so it works with the other pages and MySQL. Code examples.	2	May 5, 2023
I wan't your help in Inserting and selecting image from DB	1	May 1, 2006
General questions about SQL db connection using ASP pages.	2	Apr 21, 2006
Registration Form	7	Aug 30, 2023
Trailing commas when entering data into SQL using ASP	3	Feb 9, 2009
Survey details won't go through using php, ajax, Mysql	2	Oct 26, 2023

ASP / SQL Question

Dthmtlgod

Ray Costanzo [MVP]

Bob Barrows [MVP]

Veign

Bob Barrows [MVP]

Dthmtlgod

Bob Barrows [MVP]

Veign

Ask a Question

Similar Threads

Members online

Forum statistics

Latest Threads