November 29, 2011 at 1:10 am
I have a problem:
<%@language=vbscript%>
<html>
<!--#include file="include/header.asp"-->
<%
set dbdepartment=server.createobject("adodb.connection")
set rsdepartment= server.createobject("adodb.recordset")
dbdepartment.open("filedsn=ahadhoneyshop")
sql = "execute sp_retrievedept" & request ("iddept")
set rsdepartment = dbdepartment.execute(sql) //
chrdeptname=rsdepartment("chrdeptname")
chrdeptimage=rsdepartment("chrdeptimage")
txtdescription=rsdepartment("txtdeptdesc")
session("lastiddept")=request("iddept")
%>
<center>
<img src="images/<%=chrdeptimage%>" align="middle">
<font size="4"><b><%=chrdeptname%></b></font>
</center>
<%=txtdescription%> select a product
<%
set dbproducts=server.createobject("adodb.connection")
set rsproducts= server.createobject("adodb.recordset")
dbproducts.open("filedsn=ahadhoneyshop")
sql= "execute sp_retrievedeptproducts" & request("iddept")
set rsproducts= dbproducts.execute(sql)
flag=0
do until rsproducts.eof
chrproductname=rsproducts("chrproductname")
chrproductimage=rsproducts("chrproductimage")
idproduct=rsproducts("idproduct")
if flag =0 then
flag =1
%>
<a href="product.asp?idproduct=<%=idproduct%>">
<img src="images/products/sm_<%=chrproductimage%>"
align="middle" border="0">
<%=chrproductname%></a>
<%else%>
<a href="product.asp?idproduct=<%=idproduct%>">
<%=chrproductname%>
<img src="images/products/sm_<%=chrproductimage%>"
align="middle" border="0"></a>
<%
flag=0
end if
rsproducts.movenext
loop
%>
<!--#include file="include/footer.asp"-->
</body>
</html>
-----------------------------------------------------
create procedure sp_retrievedept
@iddepartment int
as
select * from department
where iddepartment= @iddepartment
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][SQL Native Client][SQL Server]Procedure 'sp_retrievedept' expects parameter '@iddepartment', which was not supplied.
/ahad-honey-shop/products.asp, line 10
I use Windows Web Server 2003 and SQL 7.0.
November 29, 2011 at 1:24 am
sql = "execute sp_retrievedept" & request ("iddept")
set rsdepartment = dbdepartment.execute(sql) //
Can you post the value that the variable "sql" is being set to? Are you missing a space after sp_retrievedept?
Also, you appear to be concatenating user-provided input to your query string and executing it. That's a very bad thing to do, as you're vulnerable to SQL injection attacks.
November 29, 2011 at 1:35 am
SpringTownDBA (11/29/2011)
sql = "execute sp_retrievedept" & request ("iddept")
set rsdepartment = dbdepartment.execute(sql) //
Can you post the value that the variable "sql" is being set to? Are you missing a space after sp_retrievedept?
Also, you appear to be concatenating user-provided input to your query string and executing it. That's a very bad thing to do, as you're vulnerable to SQL injection attacks.
The correct way to do this is to create a command object for the stored procedure and populate the parameter with the value of request("iddept"). See the examples here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms675869(v=vs.85).aspx
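As an added example (not code from the original thread or its posters), here is the command-object approach for the page above, written as a stand-alone classic ASP page. It assumes the file DSN "ahadhoneyshop" and the procedure sp_retrievedept(@iddepartment int) exactly as posted; the RetrieveDept function name and the integer check are my own choices. Because the value is bound as a typed parameter, it is never part of the SQL text, so both the missing-space error and the injection problem go away.

```vbscript
<%@ Language=VBScript %>
<%
' Added example: call sp_retrievedept through ADODB.Command with a bound
' parameter instead of building "execute sp_retrievedept" & Request(...).
Option Explicit

' ADO constants (normally pulled in from adovbs.inc or the ADO type library)
Const adCmdStoredProc = 4
Const adInteger = 3
Const adParamInput = 1

' Returns a recordset for one department; conn is an open ADODB.Connection.
Function RetrieveDept(conn, idDept)
    ' Accept only a plain integer. IsNumeric also allows things like "1e3",
    ' so round-trip through CLng and compare the text to catch those.
    If Not IsNumeric(idDept) Then
        Err.Raise vbObjectError + 1, "RetrieveDept", "iddept must be an integer"
    End If
    If CStr(CLng(idDept)) <> Trim(CStr(idDept)) Then
        Err.Raise vbObjectError + 1, "RetrieveDept", "iddept must be an integer"
    End If

    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "sp_retrievedept"
    cmd.CommandType = adCmdStoredProc
    ' The parameter travels as an int, separate from the statement text.
    cmd.Parameters.Append cmd.CreateParameter("@iddepartment", adInteger, adParamInput, , CLng(idDept))

    Set RetrieveDept = cmd.Execute
End Function

Dim dbdepartment, rsdepartment
Set dbdepartment = Server.CreateObject("ADODB.Connection")
dbdepartment.Open "filedsn=ahadhoneyshop"

Set rsdepartment = RetrieveDept(dbdepartment, Request("iddept"))
If Not rsdepartment.EOF Then
    ' Encode on output so stored text cannot be rendered as markup.
    Response.Write Server.HTMLEncode(rsdepartment("chrdeptname"))
End If

rsdepartment.Close
dbdepartment.Close
%>
```

The same pattern applies to sp_retrievedeptproducts further down the page: one command object, one CreateParameter call per procedure argument, and no string concatenation anywhere. If a value fails the integer check, the page raises before touching SQL Server, which is the behaviour you want for a request parameter that anyone can edit.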