Home Forums SQL Server 7,2000 T-SQL How Do You Pass input parameters to a Stored Procedure Using an ASP Input Screen? RE: How Do You Pass input parameters to a Stored Procedure Using an ASP Input Screen?

  • February 25, 2004 at 10:24 am

    #495622

    As you've probably already found out, there are a lot of different ways to do things in ASP and ADO.  Somethings to consider when choosing which way to do it is the possibility of SQL injection attacks as well as performance. Using a parameterized ADO Command Object reduces the risk of SQL injection attacks (note: doesn't mitigate the risk completely) much better than executing the command using a dynamic SQL string.  Of course you can use a dynamic SQL string, it just isn't recommended, but a lot of people use them anyways because as you can probably see, its whole lot easier to write.

    You'd want to validate any string variables you're pulling into this code, but I think this would do the trick for you given what you've already said about what your purpose is.  Things change if you need to return records back from the stored procedure, especially if you are using OUTPUT parameters.

    <%

    Dim strConnectionString, cnSQLServer, cmdAddItem

    'Change SERVERNAME, DBNAME, USERID, and PWD

    strConnectionString = "Provider=SQLOLEDB; Data Source=SERVERNAME; Initial Catalog=DBNAME; User ID=USERID; Password=PWD; Network Library=dbmssocn;"

    'Create Connection Object - this is useful if you have multiple recordsets

    ' or commands because you can reuse the same object

    SET cnSQLServer = Server.CreateObject("ADODB.Connection")

    cnSQLServer.Open strConnectionString

    'Create the Command Object

    SET cmdAddItem = Server.CreateObject("ADODB.Command")

    cmdAddItem.ActiveConnection = cnSQLServer ' uses already opened Connection Object

    cmdAddItem.CommandText = "prAddItem" ' this is the name of your SP

    cmdAddItem.CommandType = adCmdStoredProc ' set the type to be a stored procedure

    'this separates creating the parameter from setting the value of the parameter just for clarity

    Dim cmdParam1, cmdParam2

    Set cmdParam1 = cmdAddItem.CreateParameter("@Firstname", adVarChar, adParamInput)

    cmdAddItem.Parameters.Append cmdParam1

    cmdParam1.Value = strFirstName 'this is where you put your variable name you stored your First Name in

    Set cmdParam2 = cmdAddItem.CreateParameter("@Lastname", adVarChar, adParamInput)

    cmdAddItem.Parameters.Append cmdParam2

    cmdParam1.Value = strLastName 'this is where you put your variable name you stored your Last Name in

    'since you aren't returning any records with this SP, this is how you execute the Command Object

    cmdAddItem.Execute, , adExecuteNoRecords

    'then clean stuff up

    SET cmdAddItem = Nothing

    cnSQLServer.Close

    SET cnSQLServer = Nothing

    %>