Re: Too few parameters. Expected 1.



bobojones wrote:
I am getting the following error in my code "Too few parameters. Expected 1."
I am getting it on the following line

set rs = conn.Execute(SQLStatement)

When I put in response.write (SQLstatement) I get
SELECT * FROM QPR WHERE Status= Closed

String literals need to be quote-delimited. Try running this statement
in the query execution tool of whatever database you are using and see
for yourself.


If I change it to set rs = conn.Execute("SELECT * FROM QPR")
it will work.
I need to be able to use the where clause. This is how I am setting
SQLstatement.
SQLStatement = "SELECT * FROM QPR WHERE Status= " & Request.QueryString("Status")

See below for an alternative to using dynamic sql. To fix this
statement, you would do this:

SQLStatement = "SELECT * FROM QPR WHERE Status= '" & _
Request.QueryString("Status") & "'"

Of course, this will fail if Request.QueryString("Status") contains an
apostrophe. You can eliminate all these problems with delimiters by
using parameters.

Further points to consider:
Your use of dynamic sql is leaving you vulnerable to hackers using sql
injection:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23

See here for a better, more secure way to execute your queries by using
parameter markers:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

Personally, I prefer using stored procedures, or saved parameter queries
as they are known in Access:




--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
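
The parameter-marker approach recommended in the reply above, as an added example that is not part of the original post or of the linked message. It assumes `conn` is the already-open ADODB.Connection from the question and that `Status` is a text column; the 50-character limit and the helper name `GetQprByStatus` are chosen for illustration.

```vbscript
' Added example for a classic ASP script block; not code from the original post.
' Assumes conn is an open ADODB.Connection and QPR.Status is a text column.
Const adCmdText = 1       ' CommandTypeEnum
Const adParamInput = 1    ' ParameterDirectionEnum
Const adVarChar = 200     ' DataTypeEnum
Const MAX_STATUS_LEN = 50 ' assumed column size, adjust to the real schema

' Hypothetical helper: returns a recordset of QPR rows with the given status.
Function GetQprByStatus(conn, statusValue)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? is a parameter marker. No quote delimiters are written around it.
    cmd.CommandText = "SELECT * FROM QPR WHERE Status = ?"
    ' The value travels separately from the SQL text, so an apostrophe in it
    ' is data and cannot terminate the string literal or add SQL.
    cmd.Parameters.Append cmd.CreateParameter("Status", adVarChar, _
        adParamInput, MAX_STATUS_LEN, statusValue)
    Set GetQprByStatus = cmd.Execute
End Function

Dim status, rs
' Appending "" turns a missing query-string value into an empty string.
status = Trim(Request.QueryString("Status") & "")
If Len(status) = 0 Or Len(status) > MAX_STATUS_LEN Then
    Response.Status = "400 Bad Request"
    Response.Write "Missing or invalid Status value"
    Response.End
End If

Set rs = GetQprByStatus(conn, status)
Do Until rs.EOF
    ' Encode on output so stored values cannot inject markup into the page.
    Response.Write Server.HTMLEncode(rs("Status") & "") & "<br>"
    rs.MoveNext
Loop
rs.Close
Set rs = Nothing
```

With this form a request for `Status=Closed` and one whose value contains an apostrophe both execute the same statement text; only the bound value differs.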

