How to handle a Query String used in a parameterised Query
In this tutorial you will learn how to handle parameters passed from a Query String safely, by binding them to a parameterised query instead of concatenating them into the SQL text.
'CORRECT WAY - Parameterized Query with dynamic SQL
'--------------------------------------------------
strSQL = "SELECT * FROM users WHERE username=? AND password=?"
Dim cmd1
Set cmd1 = Server.CreateObject("ADODB.Command")
'Use Set here: without it VBScript assigns the connection's default property (the connection string) and opens a second connection
Set cmd1.ActiveConnection = cnnLogin
cmd1.CommandText = strSQL
cmd1.CommandType = adCmdText
'One parameter object per ? placeholder, in order; the user input is sent as data and never becomes part of the SQL text
cmd1.Parameters.Append cmd1.CreateParameter("username", adVarChar, adParamInput, 50, Request.Form("login"))
cmd1.Parameters.Append cmd1.CreateParameter("password", adVarChar, adParamInput, 50, Request.Form("password"))
Set rstLogin = cmd1.Execute()
'BAD WAY WITH CONCATENATION - DON'T DO IT!!!
'-------------------------------------------
'The form values are spliced straight into the SQL text, so a single quote in either field rewrites the query (SQL injection)
strSQL = "SELECT * FROM users WHERE username='" & Request.Form("login") & _
"' AND password='" & Request.Form("password") & "';"
Set rstLogin = cnnLogin.Execute(strSQL)
What if you want a LIKE clause in your Query?
SELECT * FROM tblX WHERE Field LIKE '%' & Name & '%'
Tried this but it didn't work.
SELECT * FROM tblX WHERE Field LIKE '%?%'
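A ? placeholder only works where a value is expected, so '%?%' is just a three-character string literal. The wildcards have to go into the parameter value, not into the SQL text. The following is an added example and not part of the original tutorial; the connection object cnnX, the table tblX, the column Field, the request parameter Name and the length 255 are assumptions. It also escapes any % or _ that the user typed, so they are matched literally instead of acting as wildcards:

```vbscript
'Added example: parameterised LIKE with the wildcards supplied in the VALUE.
'cnnX, tblX, Field and the Name query-string parameter are assumed names.
Dim strSQL, cmdLike, rstLike, strTerm
strTerm = Request.QueryString("Name")

'Escape the escape character first, then the LIKE metacharacters, so user
'input such as 50% matches the literal text rather than anything at all.
strTerm = Replace(strTerm, "\", "\\")
strTerm = Replace(strTerm, "%", "\%")
strTerm = Replace(strTerm, "_", "\_")

'The SQL keeps a bare ? ; ESCAPE '\' is standard SQL (check your provider supports it).
strSQL = "SELECT * FROM tblX WHERE Field LIKE ? ESCAPE '\'"

Set cmdLike = Server.CreateObject("ADODB.Command")
Set cmdLike.ActiveConnection = cnnX
cmdLike.CommandText = strSQL
cmdLike.CommandType = adCmdText
'The % wildcards are concatenated onto the value here, in VBScript, not into the query text
cmdLike.Parameters.Append cmdLike.CreateParameter("term", adVarChar, adParamInput, 255, "%" & strTerm & "%")
Set rstLike = cmdLike.Execute()
```

Because the search term travels as a bound parameter, a quote or a stray SQL fragment in Name is compared against the column as text and cannot alter the statement; the Replace calls only decide whether % and _ typed by the user behave as wildcards or as literal characters.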
Include ADOVBS.inc in your page (for example with <!-- #include file="adovbs.inc" -->) so that the ADO constants such as adCmdText, adVarChar and adParamInput are defined.