Home|Sitemap|Contact

How can you use parameterized SQL with ASP and MS Access?

Number of Records: 27
IDFIRSTLASTDOBDESCRIPTIONAGESALARY
1RodDivilbiss10/31/1957Director of IT services, CIO, and all around nice guy.49123456.78
2JoeJohnson10/10/1957Joe is a great guy and a fine worker.4942000.99
3FredFlintstone4/1/1974Fred's a swell guy. He is a crane operator in the limestone mine.3322333.44
4IanO'Brian10/31/1957Ian's a swell fellow. He writes good ASP. He knows how to write parameterized SQL for MS-Access49123.22
5MariaGonzolez-O'Malley2/12/1970Maria is director of H.R. She is married to Jason O'Malley a former shortstop with the Baltimore Oriel's. Her favorite quote is "It is a miracle that curiosity survives formal education."3733000.01
6sdsdfsdfg1/1/1955test341
7FayKing1/1/1919qwefas23123456.34
8FayKing1/1/1919qwefas23123456.34
9agushjhj9/9/2007gffggh4355565
10fgsdfgsdfg4/1/1974sdfg1212
11fgsdfgsdfg4/1/1974sdfg1212
12dfdf'jjjj9/8/2008jklkj8678678
13hjfghjfghjgsdfg4/1/1974ghjfghj456456
14hjfghjfghjgsdfg4/1/1974ghjfghj456456
15juliansimons2/23/1973sssss3545000
16vikaspanwar1/1/2008rtretggdfg274000
17abcabcd11/25/2001asdasdadad910
18abcabcd11/25/2001asdasdadad910
19abcabcd11/25/2001asdasdadad910
20edusouza1/1/2008testando...122
21JimNehf7/21/1962testing4687654.32
22ww12/12/1990qwewqeq1212312
23ghfghhgfhfgh12/12/2000yrthfghfghfgh54545454
24zzzz10/1/1980www181000
25sssss1/1/2008ww122
26JackSimpson5/3/1975Broke guy2628000
27JackSimpson5/3/1975Broke guy2628000


<!--METADATA TYPE="typelib" uuid="00000205-0000-0010-8000-00AA006D2EA4" -->
<%
Dim conn, cmd, rs, command, param, companyType, item, htmlOut

' Did we POST the form?
if LCase(Request.ServerVariables("HTTP_METHOD")) = "post" then
    companyType = Request.Form("companyType")
else 
    companyType = "construction"
end if

' a string with which we will create the HTML for a table to hold the results
htmlOut = ""

' Note the use of @companyType, that's a text parameter
command = "SELECT id as ID, company as Company, address as Address, city as City, state as ST, postalCode as ZipCode,"
command = command & " phoneNumber as Phone FROM companys WHERE ([type] = @companyType);"

Set cmd = Server.CreateObject("ADODB.Command")
Set conn = Server.CreateObject("ADODB.Connection")
Set rs = Server.CreateObject("ADODB.Recordset")

conn.open Application("examples")
Set cmd.ActiveConnection = conn

' This is where we tell ADODB what our parameter is, (an Integer), it's maximum allowed length
' and it's value, from out variable companyID
'
' Doing this means our value is only used as variable to compare against the ID column
' and can not be executed as in-line SQL
Set param = cmd.CreateParameter("@companyType",adVarChar,adParamInput,CLng(Len(companyType)),companyType)

' We must add our parameter to the command objects Parameters collection
cmd.Parameters.Append param

' We also must assign our SQL command to the ADODB command object.
cmd.CommandText = command

' Now we open a record set using the command object we prepared.
rs.Open cmd,,adOpenStatic

' From here down it is similar as any other data access method.
if NOT (rs.eof AND rs.eof) then
    htmlOut = "<table><thead><tr><td colspan="""& rs.fields.count &""">"
    htmlOut = htmlOut & "Number of Records:&nbsp;"& rs.recordcount 
    htmlOut = htmlOut & "</td></tr></thead><tbody><tr>"

    for each item in rs.fields
        htmlOut = htmlOut & "<td>"& item.name &"</td>"
    next
    htmlOut = htmlOut & "</tr><tr>"
    for each item in rs.fields
        htmlOut = htmlOut & "<td>"& item &"</td>"
    next
    htmlOut = htmlOut & "</tr></tbody></table>" 
end if

' clean up
rs.close
Set rs=nothing
conn.close
Set conn=nothing
Set param = nothing
Set cmd = nothing