Insert into db, Object Required String

粉色の甜心 2021-01-29 06:48

I need to insert some data into the DB, but there is a problem... it gives me an error:

Source line:

SET sql =\"Insert In         


        
2 answers
  •  暖寄归人
    2021-01-29 07:43

    If I was to guess I'd say your problem is you're passing the SupID and CatID fields as strings when they are probably integers. The problem with handling INSERT this way is you leave yourself open to SQL Injection plus you encounter data type issues like you seem to be experiencing here.

    Whenever possible when interacting with a database you should try to use Parameterised Queries. In Classic ASP the best object to do this is ADODB.Command.

    Here is an example using your code;

    NOTE: If you have problems with the ADO named constants like adParamInput then look in the links section below to see how to use the METADATA tag in your global.asa file to reference the ADO type library across your application.

    Dim cmd, sql, conn_string, rs, data
    
    'Wouldn't recommend storing your database inside your website root, instead
    'store it outside in another folder and set up a variable in an include file
    'to store the location. That way it is not accessible to everyone.
    conn_string = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & Server.MapPath("WebData/DB.mdb") & ";"
    
    Set cmd = Server.CreateObject("ADODB.Command")
    
    sql = "SELECT * FROM Products WHERE ProductName = ?"
    With cmd
      .ActiveConnection = conn_string
      .CommandType = adCmdText
      .CommandText = sql
      Call .Parameters.Append(.CreateParameter("@ProductName", adVarWChar, adParamInput, 50))
      Set rs = .Execute(, Array(pName))
      If Not rs.EOF Then data = rs.GetRows()
      Call rs.Close()
      Set rs = Nothing
    End With
    
    'data is only an array when the SELECT above returned at least one row
    If IsArray(data) Then
      sql = ""
      sql = sql & "INSERT INTO Products (ProductName, SupID, CatID, Price, Pic, Description) " & vbCrLf
      sql = sql & "VALUES (?, ?, ?, ?, ?, ?)"
    
      Set cmd = Server.CreateObject("ADODB.Command")
      With cmd
        .ActiveConnection = conn_string
        .CommandType = adCmdText
        .CommandText = sql
        'Define Parameters
        'Making some assumptions about your data types, but you can modify these to fit
        'good guide for this is http://www.carlprothman.net/Technology/DataTypeMapping/tabid/97/Default.aspx
        Call .Parameters.Append(.CreateParameter("@ProductName", adVarWChar, adParamInput, 50))
        Call .Parameters.Append(.CreateParameter("@SupID", adInteger, adParamInput, 4))
        Call .Parameters.Append(.CreateParameter("@CatID", adInteger, adParamInput, 4))
        Call .Parameters.Append(.CreateParameter("@Price", adCurrency, adParamInput, 4))
        Call .Parameters.Append(.CreateParameter("@Pic", adVarWChar, adParamInput, 255))
        Call .Parameters.Append(.CreateParameter("@Description", adLongVarWChar, adParamInput, 1000))
        'Some of your variables may require conversion before setting the parameter values.
        .Parameters("@ProductName").Value = pName
        .Parameters("@SupID").Value = CLng(pbId)
        .Parameters("@CatID").Value = CLng(pcId)
        .Parameters("@Price").Value = price
        .Parameters("@Pic").Value = pic
        .Parameters("@Description").Value = desc
    
        'Execute Command
        .Execute()
      End With
      Set cmd = Nothing
      Call Response.write("")
    Else
      Call Response.Write("") 
    End If
    

    Links

    • Data Type Mapping
    • Using METADATA to Import DLL Constants
    • Answer from SQL insert into database with apostrophe
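
The answer's code calls `CLng(pbId)` and `CLng(pcId)` directly, which raises a runtime type-mismatch error when a posted value is not numeric. The following is an added example, not part of the answer above, that validates the two ID values before they are bound to the `adInteger` parameters; `TryParseId` is a hypothetical helper, and it assumes `pbId` and `pcId` hold the raw request strings.

```vbscript
' Added example, not the answerer's code. TryParseId is a hypothetical helper.
' Assumption: pbId and pcId hold raw request strings (e.g. from Request.Form).

' Returns True and stores a Long in result only when value is 1 to 9 digits.
' Anything else (empty, Null, "12.5", "1e5", "7 OR 1=1") returns False.
Function TryParseId(ByVal value, ByRef result)
  Dim re, text
  TryParseId = False
  text = Trim(value & "")            ' & "" turns Null/Empty into ""
  Set re = New RegExp
  re.Pattern = "^[0-9]{1,9}$"        ' at most 9 digits, so CLng cannot overflow
  If re.Test(text) Then
    result = CLng(text)
    TryParseId = True
  End If
  Set re = Nothing
End Function

Dim supId, catId, supOk, catOk
supOk = TryParseId(pbId, supId)
catOk = TryParseId(pcId, catId)

If Not (supOk And catOk) Then
  ' Reject the request before any ADODB.Command is built or executed.
  Response.Status = "400 Bad Request"
  Response.Write "SupID and CatID must be whole numbers."
  Response.End
End If

' supId and catId are now Longs and can be assigned as in the answer:
'   .Parameters("@SupID").Value = supId
'   .Parameters("@CatID").Value = catId
```

The parameterised command is still what prevents SQL injection; this check only turns malformed input into a controlled 400 response instead of an unhandled script error.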
