"Jack" <Ja**@discussio ns.microsoft.co m> wrote in message
news:FB******** *************** ***********@mic rosoft.com...
Hi,
I am trying to test a sql statement in Access which gives me
the error as stated in the heading.
The sql statement is built as a part of asp login verification,
where the userid and password are input in login screen.
The password in the database is a number field.
I am writing the dynamic sql statement as follows below. I believe
I am going wrong in the password section of the code. I
appreciate any help. Thanks. Regards.
Set CN=server.creat eobject("ADODB. Connection")
CN.Open myDSN
Set RS = Server.CreateOb ject("ADODB.Rec ordset")
RS.ActiveConnec tion=CN
strSQL = "select qrySubGrantComb o.ComboID, qrySubGrantComb o.Password
from
qrySubGrantComb o where " & _
"qrySubGrantCom bo.ComboID ='" & Request.Form("t xt_UserName") & "' AND " &
_
"qrySubGrantCom bo.Password ='" & Request.Form("t xt_Password") & "'"
Response.Write strSQL
Here are the rules for delimiting data in dynamic sql strings, particularly
in the WHERE clause:
To decide whether or not to delimit the data, look at the datatype of the
FIELD BEING COMPARED TO - NOT THE DATA.
1. If it's a numeric field, you must supply it with numeric data, which
means you MUST NOT delimit the data by putting quotes around it.
2. If it's a character/text field, then you must supply string data by
delimiting the data either with single or double quotes. If the data
contains literal quotes, you must escape them by doubling them. This means
that if you use single quotes (apostrophes) for your string delimiters, and
the data contains an apostrophe, then you must replace the apostrophe with
two apostrophes, like this:
Update tbl set textfield = 'O''Malley'
In Access, you can use double quotes for your delimiters, so this will work
as well:
Update tbl set textfield = "O'Malley"
Note: you don't have to escape the apostrophe in O'Malley when you use
double quotes as the delimiter. However, you will need to escape the double
quotes when assigning this statement to a variable:
sSQL = "Update tbl set textfield = ""O'Malley" ""
So most people will use the single quotes and escape the apostrophe:
sName = "O'Malley"
sSQL = "Update tbl set textfield = '" & Replace(sName," '","''") & "'"
response.write sSQL
3. If it's a date/Time field, then the delimiters depend on the type of
database. Since you are using Access, then you must delimit the data with
hash marks (#). Additionally, you must supply the data in US format
(m/d/yyyy) or in ISO (yyyy-mm-dd), with the latter being the more
recommended.
4.Lastly, if you are using LIKE, you need to be aware that you must use %
and _ as the wildcards, not * and ?. This is true no matter what database
you are using
And then, when you think you have it right and it still does not work,
response.write it to see the result of your concatenation. If you've done it
correctly, you will have a statement that you can copy and paste from the
browser window into the SQL View of an Access Query Builder and run without
modification (unless you need to replace the wildcards with the Jet
wildcards).
This all seems rather difficult, doesn't it? Add to this the fact that a
dynamic sql query will not perform as well as a saved query/stored
procedure, and you have two strikes against it. Add the lack of security due
to leaving yourself open to a SQL Injection attack and you have three
strikes. Why did you say you wanted to do it this way ...?
Let me show you how easy this can be using a saved parameter query. let's go
back to your statement and parameterize it* :
UPDATE tblListingspric eChanges SET NewPrice = [P1],
ChangeDate = [P2], [Name]=[P3], Original_Price=[P4]
WHERE PriceChangeID = [P5]
Do you notice ANY delimiters in the above sql statement? :-)
Test this statement in the Access Query Builder by running it: you will be
prompted to supply values for each of the parameters. Supply some values and
make sure it works as intended. When you've finished debugging it, save it
as qUpdPriceChange . Notice that you've created and debugged your query in
the environment where debugging and testing of queries should be done: in
the database environment.
Now to run it in ASP:
'create and open a connection object, cn, populate and
'validate your data variables, then:
cn.qUpdPriceCha nge NewPrice, ChangeDate, Name, _
Original_Price, PriceChangeI
If you are running a query that returns records, you can still use this
syntax, by supplying a recordset variable as an extra argument:
set rs = server.createob ject("adodb.rec ordset")
cn.QueryName parm1,...parmN, rs
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I don't
check it very often. If you must reply off-line, then remove the "NO SPAM"
