Sql – Passing variables to stored procedure with Classic ASP


Ok so I am trying to pass some string variables from a classic ASP page to an MSSQL2000 db thusly:

strSQL = "exec UpdateEvent " & xID & ",'" & xEventID & "'," & xEventDisplayName & "," & xEventType & "," & xEventStatus & "," & xStartDate & "," & xEndDate & "," & xSurveyTemplateID & ""

Yet I end up with the error (including writing out the strSQL contents):

exec UpdateEvent 1,'1-44KTDL',,,,,,

Microsoft OLE DB Provider for SQL Server error '80040e14'

Line 1: Incorrect syntax near ','.

/eventedit.asp, line 225

Now I am not sure if it is the dash in the EventID variable that is causing my problems (or why all the other variables are coming up with null values when there is data there...). I have tried many, many combinations of quotes and tics to appease the syntax interpreter, but to no avail. What am I doing wrong? Is there a better way to do this simple stored procedure call?

Best Solution

That's very VERY bad; your code is subject to SQL injection attacks and needs to be fixed as soon as possible.

<!--#include virtual="/ASPSAMP/SAMPLES/ADOVBS.INC"-->
<%
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open strConnectionString   ' strConnectionString: your existing connection string

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "UpdateEvent"
cmd.CommandType = adCmdStoredProc

' Ask SQL Server for the procedure's parameter list. With the SQL Server provider
' index 0 becomes the @RETURN_VALUE, so the declared parameters start at index 1.
cmd.Parameters.Refresh

cmd.Parameters(1) = xID
cmd.Parameters(2) = xEventID
cmd.Parameters(3) = xEventDisplayName
cmd.Parameters(4) = xEventType
cmd.Parameters(5) = xEventStatus
cmd.Parameters(6) = xStartDate
cmd.Parameters(7) = xEndDate
cmd.Parameters(8) = xSurveyTemplateID

' The values travel as typed parameters, never as part of the SQL text,
' so quoting and dashes in the data no longer matter.
cmd.Execute
conn.Close
%>
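As an added example (not code from the question or from the answer above), here is the same call with every parameter declared explicitly through CreateParameter instead of Parameters.Refresh. This saves the extra round trip Refresh makes to read the procedure's signature, and it lets blank form fields be mapped to NULL on purpose rather than producing the empty `,,,,` slots seen in the failing query. The parameter names (@ID, @EventID, ...), their types and sizes, the strConnectionString variable and the NullIfEmpty/DateOrNull helpers are all assumptions; match them to the real definition of UpdateEvent.

```vbscript
<!--#include virtual="/ASPSAMP/SAMPLES/ADOVBS.INC"-->
<%
' Added example, not the original answer's code. Parameter names, types,
' sizes and strConnectionString are assumptions about the UpdateEvent procedure.

' Map an empty or missing form value to a SQL NULL instead of an empty string.
Function NullIfEmpty(v)
    If IsEmpty(v) Or IsNull(v) Or Trim(v & "") = "" Then
        NullIfEmpty = Null
    Else
        NullIfEmpty = v
    End If
End Function

' Convert a date string to a real Date for a datetime parameter, or NULL if blank.
Function DateOrNull(v)
    If IsNull(NullIfEmpty(v)) Then
        DateOrNull = Null
    Else
        DateOrNull = CDate(v)
    End If
End Function

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open strConnectionString   ' assumed to be defined elsewhere in the application

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "UpdateEvent"
cmd.CommandType = adCmdStoredProc

' Each value is bound as typed data. A value such as 1-44KTDL is sent as a
' string parameter, so the dash is never parsed as SQL and no quoting is needed.
With cmd.Parameters
    .Append cmd.CreateParameter("@ID", adInteger, adParamInput, , CLng(xID))
    .Append cmd.CreateParameter("@EventID", adVarChar, adParamInput, 50, xEventID)
    .Append cmd.CreateParameter("@EventDisplayName", adVarChar, adParamInput, 255, NullIfEmpty(xEventDisplayName))
    .Append cmd.CreateParameter("@EventType", adVarChar, adParamInput, 50, NullIfEmpty(xEventType))
    .Append cmd.CreateParameter("@EventStatus", adVarChar, adParamInput, 50, NullIfEmpty(xEventStatus))
    .Append cmd.CreateParameter("@StartDate", adDBTimeStamp, adParamInput, , DateOrNull(xStartDate))
    .Append cmd.CreateParameter("@EndDate", adDBTimeStamp, adParamInput, , DateOrNull(xEndDate))
    .Append cmd.CreateParameter("@SurveyTemplateID", adInteger, adParamInput, , NullIfEmpty(xSurveyTemplateID))
End With

' adExecuteNoRecords: the procedure returns no rowset, so skip building a Recordset.
cmd.Execute , , adExecuteNoRecords
conn.Close
%>
```

If a parameter is declared with the wrong type or a string size smaller than the value, ADO raises an error at Execute time rather than silently truncating, which is the check you want when the form data does not match what the procedure expects.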