Too few parameters. Expected 1.

Too few parameters. Expected 1.

am 18.01.2007 21:34:10 von bobojones

I am getting the following error in my code "Too few parameters. Expected
1." I am getting it on the following line

set rs = conn.Execute(SQLStatement)

When I put in response.write (SQLstatement) I get
SELECT * FROM QPR WHERE Status= Closed
If I change it to set rs = conn.Execute("SELECT * FROM QPR")
it will work.
I need ot be able to use the where clause. This is how I am setting
SQLstatement.
SQLStatement = "SELECT * FROM QPR WHERE Status= " &
Request.QueryString("Status")

Thanks
Bob

Re: Too few parameters. Expected 1.

am 18.01.2007 22:17:19 von reb01501

bobojones wrote:
> I am getting the following error in my code "Too few parameters.
> Expected
> 1." I am getting it on the following line
>
> set rs = conn.Execute(SQLStatement)
>
> When I put in response.write (SQLstatement) I get
> SELECT * FROM QPR WHERE Status= Closed

String literals need to be quote-delimited. Try running this statement
in the query execution tool of whatever database you are using and see
for yourself.


> If I change it to set rs = conn.Execute("SELECT * FROM QPR")
> it will work.
> I need ot be able to use the where clause. This is how I am setting
> SQLstatement.
> SQLStatement = "SELECT * FROM QPR WHERE Status= " &
> Request.QueryString("Status")

See below for an alternative to using dynamic sql. To fix this
statement, you would do this:

SQLStatement = "SELECT * FROM QPR WHERE Status= '" & _
Request.QueryString("Status") & "'"

Of course, this will fail if Request.QueryString("Status") contains an
apostrophe. You can eliminate all these problems with delimiters by
using parameters.

Further points to consider:
Your use of dynamic sql is leaving you vulnerable to hackers using sql
injection:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23

See here for a better, more secure way to execute your queries by using
parameter markers:
http://groups-beta.google.com/group/microsoft.public.inetser ver.asp.db/msg/72e36562fee7804e

Personally, I prefer using stored procedures, or saved parameter queries
as they are known in Access:




--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

Re: Too few parameters. Expected 1.

am 18.01.2007 22:27:07 von bobojones

Thanks,

I will look in to the pages you suggested.


"Bob Barrows [MVP]" wrote in message
news:eAuuKY0OHHA.3872@TK2MSFTNGP06.phx.gbl...
> bobojones wrote:
>> I am getting the following error in my code "Too few parameters.
>> Expected
>> 1." I am getting it on the following line
>>
>> set rs = conn.Execute(SQLStatement)
>>
>> When I put in response.write (SQLstatement) I get
>> SELECT * FROM QPR WHERE Status= Closed
>
> String literals need to be quote-delimited. Try running this statement
> in the query execution tool of whatever database you are using and see
> for yourself.
>
>
>> If I change it to set rs = conn.Execute("SELECT * FROM QPR")
>> it will work.
>> I need ot be able to use the where clause. This is how I am setting
>> SQLstatement.
>> SQLStatement = "SELECT * FROM QPR WHERE Status= " &
>> Request.QueryString("Status")
>
> See below for an alternative to using dynamic sql. To fix this
> statement, you would do this:
>
> SQLStatement = "SELECT * FROM QPR WHERE Status= '" & _
> Request.QueryString("Status") & "'"
>
> Of course, this will fail if Request.QueryString("Status") contains an
> apostrophe. You can eliminate all these problems with delimiters by
> using parameters.
>
> Further points to consider:
> Your use of dynamic sql is leaving you vulnerable to hackers using sql
> injection:
> http://mvp.unixwiz.net/techtips/sql-injection.html
> http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
>
> See here for a better, more secure way to execute your queries by using
> parameter markers:
> http://groups-beta.google.com/group/microsoft.public.inetser ver.asp.db/msg/72e36562fee7804e
>
> Personally, I prefer using stored procedures, or saved parameter queries
> as they are known in Access:
>
>
>
>
> --
> Microsoft MVP -- ASP/ASP.NET
> Please reply to the newsgroup. The email account listed in my From
> header is my spam trap, so I don't check it very often. You will get a
> quicker response by posting to the newsgroup.
>
>