"No value given for one or more required parameters" Error

Discussion in 'ASP General' started by Grayscale, Apr 5, 2006.

  1. Grayscale

    Grayscale Guest

    Hello,

    When I execute the code below, I get:

    "Microsoft JET Database Engine (0x80040E10)
    No value given for one or more required parameters." error message in
    the first line.

    Rs.Open "SELECT * From Unvanlar WHERE Unvan = " & kayit8, Con, 3,3
    If rs.EOF Then
    Con.Execute ("INSERT INTO Unvanlar (Unvan) VALUES ('"&kayit8&"')"),,129
    End If
    Rs.Close

    The variable is string and the field in access table is text. I'm sure
    that field names in the code and table are correct as well.

    What can I do to solve that?
     
    Grayscale, Apr 5, 2006
    #1

  2. Grayscale

    Mike Brind Guest

    If Unvan is a text field, the variable should be delimited as text:

    WHERE Unvan = '" & kayit9 & "'"

    You would have found that out if you response.write your sql

    sql = "SELECT * From Unvanlar WHERE Unvan = '" & kayit9 & "'"
    'response.write sql
    rs.open sql con,3,3

    But why are you selecting * from the table when you are only checking
    to see if one value exists?

    sql = "SELECT Unvan From Unvanlar WHERE Unvan = '" & kayit9 & "'"
    'response.write sql
    rs.open sql con,3,3

    The cursor you are using in this context is expensive and unnecessary.
    The default one would be better.

    sql = "SELECT Unvan From Unvanlar WHERE Unvan = '" & kayit9 & "'"
    'response.write sql
    rs.open sql con,,1

    I'd mention to you the dangers of using dynamic SQL, but I notice that
    Bob Barrows has already done so in a previous post.
     
    Mike Brind, Apr 5, 2006
    #2

  3. the syntax here is incorrect - see below:
    You cannot solve sql syntax issues without seeing the actual sql statements
    being executed by the database. That means you need to see the result of
    your concatenations:

    sql="SELECT * From Unvanlar WHERE Unvan = " & kayit8
    response.write sql
    rs.open sql, Con, 3,3
    ....
    sql="INSERT INTO Unvanlar (Unvan) VALUES ('" & kayit8 & "')"
    response.write sql
    Con.Execute sql,,129

    You will, of course, comment out the response.write statements when
    everything is running correctly.
    I believe fixing the syntax of your Execute call should solve your problem
    so I will leave you with this:

    Further points to consider:
    Your use of dynamic sql is leaving you vulnerable to hackers using sql
    injection:
    http://mvp.unixwiz.net/techtips/sql-injection.html
    http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23

    See here for a better, more secure way to execute your queries by using
    parameter markers:
    http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

    Personally, I prefer using stored procedures, or saved parameter queries as
    they are known in Access:

    Access:
    http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=

    http://groups.google.com/groups?hl=...=1&selm=

    Bob Barrows
     
    Bob Barrows [MVP], Apr 5, 2006
    #3
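
The parameter-marker approach recommended in the post above, applied to the Unvanlar check-then-insert from this thread. This is an added example, not code posted by any participant. It assumes `Con` is an already open ADODB.Connection and that `Unvan` is an Access Text field of at most 255 characters; `UnvanCommand`, `AddUnvanIfMissing` and `pUnvan` are hypothetical names.

```vbscript
' Added example, not from the thread. Assumes Con is an open ADODB.Connection
' and Unvanlar.Unvan is a Text field of at most 255 characters.
Const adCmdText = 1             ' CommandText is a SQL string
Const adExecuteNoRecords = 128  ' no rows come back (1 + 128 = the 129 used in the thread)
Const adParamInput = 1
Const adVarWChar = 202          ' Unicode text parameter

' Builds a command whose single ? marker is bound to unvan.
' The value travels as data, so it needs no quote delimiters and a
' quote character inside it (e.g. O'Brien) cannot change the statement.
Function UnvanCommand(Con, sqlText, unvan)
    Dim cmd
    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Con
    cmd.CommandType = adCmdText
    cmd.CommandText = sqlText
    ' Size 255 is the assumed field length; a longer value raises an ADO error.
    cmd.Parameters.Append cmd.CreateParameter("pUnvan", adVarWChar, adParamInput, 255, unvan)
    Set UnvanCommand = cmd
End Function

' Inserts unvan only when it is not already present.
' Returns True when a row was added, False when it already existed.
Function AddUnvanIfMissing(Con, unvan)
    Dim cmd, rs, found

    Set cmd = UnvanCommand(Con, "SELECT Unvan FROM Unvanlar WHERE Unvan = ?", unvan)
    Set rs = cmd.Execute          ' default forward-only, read-only cursor
    found = Not rs.EOF
    rs.Close

    AddUnvanIfMissing = False
    If Not found Then
        Set cmd = UnvanCommand(Con, "INSERT INTO Unvanlar (Unvan) VALUES (?)", unvan)
        cmd.Execute , , adCmdText + adExecuteNoRecords
        AddUnvanIfMissing = True
    End If
End Function
```

With the page's variable this would be called as `AddUnvanIfMissing Con, kayit8`. Because the statement text never contains the value, the missing-delimiter error from the original question cannot occur here either.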
  4. Grayscale

    Mike Brind Guest

    Oops. Missed out the comma after sql in the above:

    rs.open sql, con,,1
     
    Mike Brind, Apr 5, 2006
    #4