OK, so I am trying to pass some string variables from a classic ASP page to an MSSQL 2000 db thusly:
strSQL = "exec UpdateEvent " & xID & ",'" & xEventID & "'," & xEventDisplayName & "," & xEventType & "," & xEventStatus & "," & xStartDate & "," & xEndDate & "," & xSurveyTemplateID & ""
Yet I end up with the error (including writing out the strSQL contents):
exec UpdateEvent 1,'1-44KTDL',,,,,,
Microsoft OLE DB Provider for SQL Server error '80040e14'
Line 1: Incorrect syntax near ','.
/eventedit.asp, line 225
Now I am not sure if it is the dash in the EventID variable that is causing my problems (or why all the other variables are coming up with null values when there is data there…). I have tried many, many combinations of quotes and ticks to appease the syntax interpreter but to no avail. What am I doing wrong? Is there a better way to do this simple stored procedure call?
That's very VERY bad; your code is subject to SQL injection attacks and needs to be fixed as soon as possible.
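An added example, not part of the original posts: the same stored procedure call made through a parameterized ADODB.Command, so the values travel as typed parameters instead of being concatenated into the SQL text, and an empty variable is sent as NULL rather than leaving a bare comma in the statement. The connection variable `conn`, the parameter names, and their types and sizes are assumptions; match them to the actual definition of UpdateEvent.

```vbscript
<%
' Added example: parameterized call to UpdateEvent via ADODB.Command.
' Assumptions: conn is an already-open ADODB.Connection, and the parameter
' names, types and sizes below are placeholders for the procedure's real ones.
Const adCmdStoredProc = 4
Const adExecuteNoRecords = 128
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200
Const adDBTimeStamp = 135

' Send NULL instead of an empty or missing value.
Function NullIfEmpty(v)
    If IsNull(v) Or IsEmpty(v) Then
        NullIfEmpty = Null
    ElseIf Trim(CStr(v)) = "" Then
        NullIfEmpty = Null
    Else
        NullIfEmpty = v
    End If
End Function

Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
With cmd
    Set .ActiveConnection = conn
    .CommandType = adCmdStoredProc
    .CommandText = "UpdateEvent"
    ' Parameters are bound by position, in the order they are appended.
    .Parameters.Append .CreateParameter("@ID", adInteger, adParamInput, , CLng(xID))
    .Parameters.Append .CreateParameter("@EventID", adVarChar, adParamInput, 50, NullIfEmpty(xEventID))
    .Parameters.Append .CreateParameter("@EventDisplayName", adVarChar, adParamInput, 255, NullIfEmpty(xEventDisplayName))
    .Parameters.Append .CreateParameter("@EventType", adVarChar, adParamInput, 50, NullIfEmpty(xEventType))
    .Parameters.Append .CreateParameter("@EventStatus", adVarChar, adParamInput, 50, NullIfEmpty(xEventStatus))
    .Parameters.Append .CreateParameter("@StartDate", adDBTimeStamp, adParamInput, , NullIfEmpty(xStartDate))
    .Parameters.Append .CreateParameter("@EndDate", adDBTimeStamp, adParamInput, , NullIfEmpty(xEndDate))
    .Parameters.Append .CreateParameter("@SurveyTemplateID", adInteger, adParamInput, , NullIfEmpty(xSurveyTemplateID))
    .Execute , , adExecuteNoRecords
End With
Set cmd = Nothing
%>
```

With this form, quotes or dashes in a value such as `1-44KTDL` need no escaping, because the value is never parsed as part of the statement.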