I'm trying to secure some legacy code written in what I guess is VB or ASP (not really sure if there is a difference). When I try to execute the statement the page gets an i
To use named parameters you need to enable NamedParameters.
countCmd.NamedParameters = True
But there's a limitation that affects you.
In Adodb.Command, named parameters only work with stored procedures.
For an ordinary query like yours, you need to use question mark placeholders instead of named ones.
Then you can omit or specify a rubbish value for the first parameter of the CreateParameter method.
countCmd.NamedParameters = False
countCmd.CommandText = "SELECT COUNT(*) FROM [table1] WHERE FY=?"
' 200 = adVarChar, 1 = adParamInput, 255 = size
countCmd.Parameters.Append countCmd.createparameter(, 200, 1, 255, fy)
'countCmd.Parameters.Append countCmd.createparameter("@blablabla", 200, 1, 255, fy) 'this also works
When using a CommandType of adCmdText the placeholder expected by ADODB is ? and trying to pass named parameters like @fy in the CommandText will fail. It is an unfortunate failing in ADODB that countCmd.NamedParameters = True only works with a CommandType of adCmdStoredProc and only with certain providers.
However there is a simple workaround for SQL Server (and possibly other providers depending on what they support) which is to build the named parameters in the CommandText like so:
countCmd.commandText = _
"DECLARE @fy AS VARCHAR(255);" & vbCrLf & _
"SET @fy = ?;" & vbCrLf & _
"SELECT COUNT(*) FROM [table1] WHERE FY=@fy;"
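The positional binding both answers describe, extended to more than one value, as an added example that is not code from either answer. It assumes conn is an open ADODB.Connection and that every value is a string; ScalarQuery and the [Dept] and [PrevFY] columns are hypothetical, and the DECLARE form relies on SQL Server as the second answer notes.

```vbscript
' Added example. ADO constants are declared here; omit them if adovbs.inc
' is already included, otherwise the names are defined twice.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

' Hypothetical helper: runs a text query and returns the first column of
' the first row. Each ? in sql is bound, in order, to one item of values.
Function ScalarQuery(conn, sql, values)
    Dim cmd, rs, i, v
    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sql
    For i = LBound(values) To UBound(values)
        v = CStr(values(i))
        ' Keep the value within the size declared for the parameter below.
        If Len(v) > 255 Then Err.Raise vbObjectError + 1, "ScalarQuery", "value longer than 255 characters"
        ' Name omitted: with adCmdText only the Append order matters.
        cmd.Parameters.Append cmd.CreateParameter(, adVarChar, adParamInput, 255, v)
    Next
    Set rs = cmd.Execute
    ScalarQuery = rs(0).Value
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

' Two placeholders: fy binds to the first ?, dept to the second.
' Swapping the Array order would silently swap the comparisons.
Function CountForYearAndDept(conn, fy, dept)
    CountForYearAndDept = ScalarQuery(conn, _
        "SELECT COUNT(*) FROM [table1] WHERE FY=? AND Dept=?", Array(fy, dept))
End Function

' DECLARE workaround from the second answer: a single ? feeds @fy, which
' the query can then use more than once without appending fy twice.
Function CountForYearOrPrevYear(conn, fy)
    Dim sql
    sql = "DECLARE @fy AS VARCHAR(255);" & vbCrLf & _
          "SET @fy = ?;" & vbCrLf & _
          "SELECT COUNT(*) FROM [table1] WHERE FY=@fy OR PrevFY=@fy;"
    CountForYearOrPrevYear = ScalarQuery(conn, sql, Array(fy))
End Function
```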