Webmaster Forum / ASP / Database Access / January 2007



Too few parameters. Expected 1.

bobojones - 18 Jan 2007 20:34 GMT
I am getting the following error in my code "Too few parameters. Expected
1." I am getting it on the following line

set rs = conn.Execute(SQLStatement)

When I put in response.write (SQLstatement) I get
SELECT * FROM QPR WHERE Status= Closed
If I change it to set rs = conn.Execute("SELECT * FROM QPR")
it will work.
I need to be able to use the where clause. This is how I am setting
SQLstatement.
SQLStatement = "SELECT * FROM QPR WHERE Status= " & Request.QueryString("Status")

Thanks
Bob
Bob Barrows [MVP] - 18 Jan 2007 21:17 GMT
> I am getting the following error in my code "Too few parameters.
> Expected
[quoted text clipped - 4 lines]
> When I put in response.write (SQLstatement) I get
> SELECT * FROM QPR WHERE Status= Closed

String literals need to be quote-delimited. Try running this statement
in the query execution tool of whatever database you are using and see
for yourself.

> If I change it to set rs = conn.Execute("SELECT * FROM QPR")
> it will work.
> I need to be able to use the where clause. This is how I am setting
> SQLstatement.
>  SQLStatement = "SELECT * FROM QPR WHERE Status= " &
> Request.QueryString("Status")

See below for an alternative to using dynamic sql. To fix this
statement, you would do this:

SQLStatement = "SELECT * FROM QPR WHERE Status= '" & _
Request.QueryString("Status") & "'"

Of course, this will fail if Request.QueryString("Status") contains an
apostrophe. You can eliminate all these problems with delimiters by
using parameters.

Further points to consider:
Your use of dynamic sql is leaving you vulnerable to hackers using sql
injection:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23

See here for a better, more secure way to execute your queries by using
parameter markers:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e


Personally, I prefer using stored procedures, or saved parameter queries
as they are known in Access:

Signature

Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
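
The parameter-marker approach recommended in the reply above, as an added example (not code from the thread or from the linked post). It assumes `conn` is the already-open ADODB.Connection from the original post and that `Status` is a text column of at most 50 characters; `statusValue` and `MAX_STATUS_LEN` are illustrative names.

```vbscript
' Added example. Assumptions: conn is an open ADODB.Connection (as in the
' original post) and Status is a text column of at most 50 characters.
Const adCmdText = 1        ' CommandTypeEnum: CommandText is a SQL string
Const adVarWChar = 202     ' DataTypeEnum: Unicode text
Const adParamInput = 1     ' ParameterDirectionEnum: input parameter
Const MAX_STATUS_LEN = 50  ' assumed column width; match it to the real schema

Dim statusValue, cmd, rs
' Coerce the QueryString item to a plain string ("" when the key is missing).
statusValue = Trim(Request.QueryString("Status") & "")

' Reject empty or over-long input before it reaches the database.
If Len(statusValue) = 0 Or Len(statusValue) > MAX_STATUS_LEN Then
    Response.Status = "400 Bad Request"
    Response.Write "Missing or over-long Status value."
    Response.End
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? marker is a placeholder: the value is sent separately from the SQL
' text, so it needs no quote delimiters and an apostrophe in it is just data.
cmd.CommandText = "SELECT * FROM QPR WHERE Status = ?"
cmd.Parameters.Append cmd.CreateParameter("Status", adVarWChar, _
    adParamInput, MAX_STATUS_LEN, statusValue)

Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output: values read back from the table are untrusted as HTML.
    Response.Write Server.HTMLEncode(rs("Status") & "") & "<br>"
    rs.MoveNext
Loop

rs.Close
Set rs = Nothing
Set cmd = Nothing
```

With this form, a request for `Status=Closed` and one for a value containing an apostrophe both run the same SQL text; only the bound value differs.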

bobojones - 18 Jan 2007 21:27 GMT
Thanks,

I will look in to the pages you suggested.

>> I am getting the following error in my code "Too few parameters.
>> Expected
[quoted text clipped - 38 lines]
> Personally, I prefer using stored procedures, or saved parameter queries
> as they are known in Access:
 
©2009 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.