Tuesday, 13 May 2008

ADO parameterised queries and return values

Back before ADO.NET, we used good old ADO to do our data access in our ASP pages. To improve performance and avoid SQL injection attacks, it is good practice to use parameterised queries or stored procedures. Usually these are interchangeable but I've noticed today that ADO throws up the following error if you try and set up a return value parameter:

Microsoft OLE DB Provider for SQL Server error '80040e21'

Multiple-step OLE DB operation generated errors. Check each OLE DB status value, if available. No work was done.

For example, the following code gives that error:

Set Cmd = Server.CreateObject("ADODB.Command")
Cmd.ActiveConnection = conn

Dim ParamReturn
Set ParamReturn = Cmd.CreateParameter("Return", adInteger, adParamReturnValue)
Cmd.Parameters.Append ParamReturn
Cmd.CommandText = "INSERT INTO table (col1) VALUES (?); RETURN SCOPE_IDENTITY()"
Cmd.CommandType = adCmdText

Cmd.Parameters.Append Cmd.CreateParameter("p1", adInteger, adParamInput, , "value")

Cmd.Execute 

I haven't found any solution, other than to use a stored procedure instead. Presumably return values aren't supported for plain parameterised queries, though I haven't seen that documented anywhere (yet).

No comments: