Troubleshooting a Parameterized SQL Statement in asp

小鲜肉 2021-01-13 09:18

I'm trying to secure some legacy code written in what I guess is VB or asp (Not really sure if there is a difference). When I try to execute the statement the page gets an i

2 answers
  •  抹茶落季
    2021-01-13 09:36

    To use named parameters you need to enable NamedParameters.

    countCmd.NamedParameters = True
    

    But there's a limitation that affects you.

    In Adodb.Command, named parameters only work with stored procedures.

    For an ordinary query like yours, you need to use question mark placeholders instead of named ones.

    Then you can omit or specify a rubbish value for the first parameter of the CreateParameter method.

    ' CreateParameter(name, type, direction, size, value)
    ' 200 = adVarChar, 1 = adParamInput, 255 = maximum length
    countCmd.NamedParameters = False
    countCmd.CommandText = "SELECT COUNT(*) FROM [table1] WHERE FY=?"
    countCmd.Parameters.Append countCmd.createparameter(, 200, 1, 255, fy)
    'countCmd.Parameters.Append countCmd.createparameter("@blablabla", 200, 1, 255, fy) 'this also works
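
The answer's approach extended to two placeholders, as an added example that is not part of the original answer: with `?` placeholders the values bind in the order they are appended, so the names passed to `CreateParameter` serve only as labels. The `Dept` column, the `CountRows` function and the `conn` connection object are assumptions made for illustration.

```vbscript
Option Explicit

' ADO constants (classic ASP does not define them unless adovbs.inc is included)
Const adVarChar = 200
Const adParamInput = 1
Const adCmdText = 1
Const MAX_LEN = 255

' Hypothetical helper: counts rows for a fiscal year and department.
' conn is assumed to be an already opened ADODB.Connection.
Function CountRows(conn, fy, dept)
    Dim cmd, rs

    ' Reject oversized input up front instead of relying on the driver.
    If Len(fy) > MAX_LEN Or Len(dept) > MAX_LEN Then
        Err.Raise vbObjectError + 1, "CountRows", "Input too long"
    End If

    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.NamedParameters = False

    ' The SQL text is a constant string; user input never becomes part of it.
    ' (The legacy pattern this replaces builds the string with & concatenation.)
    cmd.CommandText = "SELECT COUNT(*) FROM [table1] WHERE FY = ? AND Dept = ?"

    ' Bound by position: the first Append fills the first ?, the second fills the second.
    ' Swapping these two lines swaps the values, whatever the names say.
    cmd.Parameters.Append cmd.CreateParameter("fy", adVarChar, adParamInput, MAX_LEN, fy)
    cmd.Parameters.Append cmd.CreateParameter("dept", adVarChar, adParamInput, MAX_LEN, dept)

    Set rs = cmd.Execute
    CountRows = rs.Fields(0).Value

    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

' Usage inside an ASP page (query-string keys are assumptions):
' total = CountRows(conn, Request.QueryString("fy"), Request.QueryString("dept"))
```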
    
