Access asking for a query parameter unnecessarily? (Access VBA and SQL)

**ChipR** · Nov 17 '09, 05:36 PM

Sorry, I'm not too familiar with querydefs and parameters. The table at http://support.microsoft.com/kb/142938 has Text, but doesn't list CHAR as a variable type, nor does the example use [ ]. Maybe that could be part of the problem?

**NeoPa** · Nov 17 '09, 05:51 PM

Having reformatted your code to be legible, I wonder what you mean by saying you have already specified the value of [lastName] in your PARAMETER(S) statement. Certainly the type has been specified, but no value is passed.

What are you actually trying to do?

Do you have the value of [LastName] (that you want to use) available to the code at the time the SQL is created?

**patjones** · Nov 17 '09, 05:51 PM

Hi Chip -

Thanks for responding. I did change the parameter type to TEXT, but it doesn't seem to matter. I figured CHAR was fine because it does actually open the recordset okay with it written out like that.

The brackets don't matter either, apparently. But thanks for the suggestions!

Pat

**patjones** · Nov 17 '09, 06:05 PM

Hi NeoPa -

Doesn't the line

Code:

qdf("LastName") = Me.txtSearch.Value

assign whatever I type into the text box to the parameter? At least this is how I've done it in the past. And, when I test this out with a last name that does not exist in the database the rst.EOF test catches it. So I'm pretty sure the query is getting the value from txtSearch. Thanks for responding.

Pat

**NeoPa** · Nov 17 '09, 06:43 PM

Very possibly Pat (I overlooked that).

I would consider shoving that value into the SQL directly though :

Code:

     "WHERE  tblBasicInfo.fldNameLast='" & Me.txtSearch & "'"

I cannot say why your code is not working, but I expect this version would avoid the problem.

**patjones** · Nov 17 '09, 06:51 PM

It definitely will avoid the problem, and I must say simplify the code - for then I can eliminate all the parameter stuff. But my concern in doing it the way you're suggesting is SQL injection. So I wanted to use the parameter method because of that.

Is there some way to avoid SQL injection even when inserting the text box value directly into the string like that?

**ADezii** · Nov 17 '09, 07:21 PM

May be a simple oversight/syntax error on your part, replace Line # 12 with:

Code:

qdf.Parameters("LastName").Value = Me.txtSearch.Value

**patjones** · Nov 17 '09, 07:34 PM

Hi ADezii -

I have seen that notation before and tried it here, but to no avail. If there is a way that I can prevent SQL injection while embedding Me.txtSearch.Va lue into the WHERE clause directly, perhaps that is the route I should take. But I will still be bothered as to why the parameter formalism isn't working. Thanks for responding.

Pat

**ADezii** · Nov 17 '09, 07:42 PM

Originally posted by zepphead80

Hi ADezii -

I have seen that notation before and tried it here, but to no avail. If there is a way that I can prevent SQL injection while embedding Me.txtSearch.Va lue into the WHERE clause directly, perhaps that is the route I should take. But I will still be bothered as to why the parameter formalism isn't working. Thanks for responding.

Pat

I have duplicated your functionality and have had no problem with it. If you would like to Upload the Database with some sample data, I pretty sure that I can get the situation resolved one way or another.
If there is a way that I can prevent SQL injection while embedding Me.txtSearch.Va lue into the WHERE clause directly

I think that NeoPa has already suggested this (Post #6), and I feel as though this is an excellent idea.
It's you call.

**patjones** · Nov 17 '09, 08:31 PM

Hi ADezii -

I have attached the file. This is a small, sort of 'test' database for a project. Provided that it gets approval at this point, it will grow considerably - both in number of tables and records. Right now there are just two bogus records in it.

Thanks for your help.

Pat

Attached Files

dbTrackingTest.zip (29.7 KB, 153 views)

**ADezii** · Nov 17 '09, 08:33 PM

Originally posted by zepphead80

Hi ADezii -

I have attached the file. This is a small, sort of 'test' database for a project. Provided that it gets approval at this point, it will grow considerably - both in number of tables and records. Right now there are just two bogus records in it.

Thanks for your help.

Pat

I'll try to look at it this evening. OOPs sorry, I don't have Access 2007. Can you convert it to an earlier Version, say 2002?

**patjones** · Nov 17 '09, 08:57 PM

Here is 2002-2003. Thanks.

Attached Files

dbTrackingTest.zip (44.1 KB, 159 views)

**NeoPa** · Nov 17 '09, 11:33 PM

Originally posted by zepphead80

Is there some way to avoid SQL injection even when inserting the text box value directly into the string like that?

Good thinking.

You can control this on your form with various techniques to ensure there is no quote character in the value. Further info can be found at SQL Injection Attack

**ADezii** · Nov 17 '09, 11:41 PM

Originally posted by zepphead80

Here is 2002-2003. Thanks.

I've made some substantial Revisions to your Code, while at the same time making the Revised DB available as an Attachment to this Post. I intentionally left Comments outs, so should you have any questions, feel free to ask. A couple of the Major Revisions were:

Removed the Code from the context of the Sub-Routine and placed in directly into the Click() Event of cmdLookup.
Removed the Call to the Sub-Routine from the AfterUpdate() Event of txtSearch where I thought it was inappropriate.
Rather than dealing with the more complex PARAMETERS Collection, I incorporated the Criteria into the WHERE Clause of the SQL Statement. If you remember correctly, this was NeoPa's suggestion.

I'll post the Code for reference purposes, but download the Revised Attachment to really see what is going on:

Code:

Private Sub cmdLookup_Click()
On Error Resume Next
Dim strGetPersonSQL As String
Dim qdf As DAO.QueryDef
Dim rst As DAO.Recordset

strGetPersonSQL = "SELECT tblBasicInfo.*, tblReferral.*, tblCountryNames.fldCountry " & _
                  "FROM tblCountryNames INNER JOIN (tblBasicInfo LEFT JOIN tblReferral ON tblBasicInfo.fldCaseID = " & _
                  "tblReferral.fldCaseID) ON tblBasicInfo.fldCountryID = tblCountryNames.fldCountryID WHERE " & _
                  "tblBasicInfo.fldNameLast = '" & Forms!frmMain![txtSearch] & "';"

If IsNull(Me![txtSearch]) Then
  MsgBox "No Last Name to search on!", vbExclamation, "Criteria Missing"
    Exit Sub
End If

CurrentDb.QueryDefs.Delete ("qryGetPersonFromSearch")

On Error GoTo Err_cmdLookup_Click

Set qdf = CurrentDb.CreateQueryDef("qryGetPersonFromSearch", strGetPersonSQL)

Set rst = qdf.OpenRecordset(dbOpenSnapshot)

If rst.EOF Then
  MsgBox "No Record(s) found for Last Name of [" & Me![txtSearch] & "]." & _
          vbCrLf & vbCrLf & "Try again...", vbExclamation + vbOKOnly, "Last Name Lookup"
Else
  Me.RecordSource = "qryGetPersonFromSearch"
End If

Exit_cmdLookup_Click:
  If Not qdf Is Nothing Then
    qdf.Close
    Set qdf = Nothing
  End If
  If Not rst Is Nothing Then
    rst.Close
    Set rst = Nothing
  End If
    Exit Sub

Err_cmdLookup_Click:
  MsgBox Err.Description, vbExclamation, "Error in cmdLookup_Click()"
  Resume Exit_cmdLookup_Click
End Sub