To avoid this, a web developer must
With ASP, you use ADODB and either an OLEDB or OBDC data connection to interact with MS Access databases. As the OLEDB driver is much, much faster it is the most common method.
Fortunately, ADODB and OLEDB allow you to use parameterized SQL statement with MS Access database files.
The answer is demonstrated in the code. Note the lack of error handling. Better examples use the Parameterized SQL Library, which reduces the amount of code necessary while also providing robust error handling. [Using MS ADODB Parameterized Queries With PHP]
| Number of Records: 31 | ||||||
| ID | FIRST | LAST | DOB | DESCRIPTION | AGE | SALARY |
| 1 | Rod | Divilbiss | 10/31/1957 | Director of IT services, CIO, and all around nice guy. | 49 | 123456.78 |
| 2 | Joe | Johnson | 10/10/1957 | Joe is a great guy and a fine worker. | 49 | 42000.99 |
| 3 | Fred | Flintstone | 4/1/1974 | Fred's a swell guy. He is a crane operator in the limestone mine. | 33 | 22333.44 |
| 4 | Ian | O'Brian | 10/31/1957 | Ian's a swell fellow. He writes good ASP. He knows how to write parameterized SQL for MS-Access | 49 | 123.22 |
| 5 | Maria | Gonzolez-O'Malley | 2/12/1970 | Maria is director of H.R. She is married to Jason O'Malley a former shortstop with the Baltimore Oriel's. Her favorite quote is "It is a miracle that curiosity survives formal education." | 37 | 33000.01 |
| 6 | sdsdf | sdfg | 1/1/1955 | test | 34 | 1 |
| 7 | Fay | King | 1/1/1919 | qwefas | 23 | 123456.34 |
| 8 | Fay | King | 1/1/1919 | qwefas | 23 | 123456.34 |
| 9 | agus | hjhj | 9/9/2007 | gffggh | 43 | 55565 |
| 10 | fgsdfg | sdfg | 4/1/1974 | sdfg | 12 | 12 |
| 11 | fgsdfg | sdfg | 4/1/1974 | sdfg | 12 | 12 |
| 12 | dfd | f'jjjj | 9/8/2008 | jklkj | 8 | 678678 |
| 13 | hjfghjfghj | gsdfg | 4/1/1974 | ghjfghj | 456 | 456 |
| 14 | hjfghjfghj | gsdfg | 4/1/1974 | ghjfghj | 456 | 456 |
| 15 | julian | simons | 2/23/1973 | sssss | 35 | 45000 |
| 16 | vikas | panwar | 1/1/2008 | rtretggdfg | 27 | 4000 |
| 17 | abc | abcd | 11/25/2001 | asdasdadad | 9 | 10 |
| 18 | abc | abcd | 11/25/2001 | asdasdadad | 9 | 10 |
| 19 | abc | abcd | 11/25/2001 | asdasdadad | 9 | 10 |
| 20 | edu | souza | 1/1/2008 | testando... | 12 | 2 |
| 21 | Jim | Nehf | 7/21/1962 | testing | 46 | 87654.32 |
| 22 | w | w | 12/12/1990 | qwewqeq | 12 | 12312 |
| 23 | ghfgh | hgfhfgh | 12/12/2000 | yrthfghfghfgh | 545 | 45454 |
| 24 | zz | zz | 10/1/1980 | www | 18 | 1000 |
| 25 | ss | sss | 1/1/2008 | ww | 1 | 22 |
| 26 | Jack | Simpson | 5/3/1975 | Broke guy | 26 | 28000 |
| 27 | Jack | Simpson | 5/3/1975 | Broke guy | 26 | 28000 |
| 28 | test | test | 11/5/1975 | test | 23 | 3434343 |
| 29 | Chai | Jianbing | 11/11/1983 | js | 26 | 2500 |
| 30 | Jeremy | Douglas | 2/2/1980 | A worthy DBA. | 29 | 80000 |
| 31 | Harry | Henderson | 11/1/1957 | Terminated due to being smelly, hairy, and too tall. | 52 | 0 |
Other Examples
Parameterized SQL With Numeric Parameter From Drop Down List
Parameterized SQL Multiple Parameters
Parameterized SQL With Select From A Drop Down List Text Parameter
<!--METADATA TYPE="typelib" uuid="00000205-0000-0010-8000-00AA006D2EA4" -->
<%
Dim conn, cmd, rs, command, param, companyType, item, htmlOut
' Did we POST the form?
if LCase(Request.ServerVariables("HTTP_METHOD")) = "post" then
companyType = Request.Form("companyType")
else
companyType = "construction"
end if
' a string with which we will create the HTML for a table to hold the results
htmlOut = ""
' Note the use of @companyType, that's a text parameter
command = "SELECT id as ID, company as Company, address as Address, city as City, state as ST, postalCode as ZipCode,"
command = command & " phoneNumber as Phone FROM companys WHERE ([type] = @companyType);"
Set cmd = Server.CreateObject("ADODB.Command")
Set conn = Server.CreateObject("ADODB.Connection")
Set rs = Server.CreateObject("ADODB.Recordset")
conn.open Application("examples")
Set cmd.ActiveConnection = conn
' This is where we tell ADODB what our parameter is, (an Integer), it's maximum allowed length
' and it's value, from out variable companyID
'
' Doing this means our value is only used as variable to compare against the ID column
' and can not be executed as in-line SQL
Set param = cmd.CreateParameter("@companyType",adVarChar,adParamInput,CLng(Len(companyType)),companyType)
' We must add our parameter to the command objects Parameters collection
cmd.Parameters.Append param
' We also must assign our SQL command to the ADODB command object.
cmd.CommandText = command
' Now we open a record set using the command object we prepared.
rs.Open cmd,,adOpenStatic
' From here down it is similar as any other data access method.
if NOT (rs.eof AND rs.eof) then
htmlOut = "<table><thead><tr><td colspan="""& rs.fields.count &""">"
htmlOut = htmlOut & "Number of Records: "& rs.recordcount
htmlOut = htmlOut & "</td></tr></thead><tbody><tr>"
for each item in rs.fields
htmlOut = htmlOut & "<td>"& item.name &"</td>"
next
htmlOut = htmlOut & "</tr><tr>"
for each item in rs.fields
htmlOut = htmlOut & "<td>"& item &"</td>"
next
htmlOut = htmlOut & "</tr></tbody></table>"
end if
' clean up
rs.close
Set rs=nothing
conn.close
Set conn=nothing
Set param = nothing
Set cmd = nothing
Date Validation Using JavaScript .
Cross-Browser Clipboard Copy .
Loading Images With Remote Scripting .
Why JavaScript In Hyperlinks Is Bad .
Change The Submit Button To Show Waiting For AJAX Response .
European Date Validation Using JavaScript .
Database Results To Client Side Array .
Reading Files With JavaScript .
AJAX For Plain Text And HTML .
