Posted by Erland Sommarskog on 06/07/06 22:06
cemal (cemenc@gmail.com) writes:
> I have this sql lines but somehow they are not working.
What does "not working" mean? Do you get unexpected results? Do you
get an error message? Are we supposed to guess?
> Now I am not sure if it is correct. Could you please read the line and
> tell me if it is correct?
Without knowing the business rules or anything? I'm afraid that that will
be difficult.
> sqlup="update products set visited=visited+1 where pid="&intValue
> set rs=cn.execute(sqlup)
Anyway, you need to learn to use parameterised commands:
' ADO constants (adCmdText, adInteger, ...) come from adovbs.inc or the ADO type library
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandType = adCmdText
cmd.CommandText = "update dbo.products set visited=visited+1 where pid=?"
' The value travels as a typed parameter; it is never pasted into the SQL text
cmd.Parameters.Append cmd.CreateParameter("@pid", _
adInteger, adParamInput, , intValue)
' No record set needed; RecordsAffected and Parameters are left out
cmd.Execute , , adExecuteNoRecords
There is no need for record sets in this case, and add adExecuteNoRecords
to say that you don't expect data back.
You should always use parameterised statements and never interpolate
parameter values into your SQL strings. This is so that the SQL Server
cache can be used efficiently. (To this end you should also specify
the table owner/schema in the query, as I have done above.) Another
very important reason is that parameterised statements protect you
against SQL injection, which is a way for hackers to get into your site.
--
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
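The difference between the two approaches in the reply above, as an added example that is not part of the original thread: the same "update products set visited=visited+1 where pid=" statement is run first by string concatenation (as in the question) and then as a parameterised command (as in the answer). Python with SQLite stands in for ASP/ADO and SQL Server; the products table and its rows are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for dbo.products."""
    cn = sqlite3.connect(":memory:")
    cn.execute(
        "create table products (pid integer primary key, name text, "
        "visited integer not null default 0)"
    )
    cn.executemany(
        "insert into products (pid, name) values (?, ?)",
        [(1, "hat"), (2, "scarf"), (3, "gloves")],
    )
    return cn


def bump_interpolated(cn, pid_text):
    """Mirrors sqlup = "update products set ... where pid=" & intValue.

    Whatever the request supplied becomes part of the SQL text, so the
    WHERE clause is under the caller's control. Returns rows affected.
    """
    sql = "update products set visited=visited+1 where pid=" + pid_text
    return cn.execute(sql).rowcount


def bump_parameterised(cn, pid_text):
    """Mirrors the ADODB.Command with an adInteger parameter.

    The value is converted to an integer first (a non-integer is rejected
    with ValueError, as an adInteger parameter would refuse it) and is then
    bound as a parameter, so it can never alter the statement itself.
    """
    pid = int(pid_text)
    return cn.execute(
        "update products set visited=visited+1 where pid=?", (pid,)
    ).rowcount


def visits(cn):
    """Per-product visit counters, ordered by pid."""
    return [row[0] for row in cn.execute("select visited from products order by pid")]


if __name__ == "__main__":
    cn = make_db()
    print(bump_interpolated(cn, "2"), visits(cn))    # 1 [0, 1, 0]
    print(bump_interpolated(cn, "2 or 1=1"), visits(cn))  # 3 [1, 2, 1]: every row touched
    cn = make_db()
    print(bump_parameterised(cn, "2"), visits(cn))   # 1 [0, 1, 0]
```

With the parameterised form the tampered input is rejected before any SQL runs, which is the protection the reply refers to.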