Solved

Arguments are of the wrong type .CreateParameter

Posted on 2009-07-10
34
1,342 Views
Last Modified: 2012-05-11
Hello All; (About 2 weeks into using SQL Server)

Using this code
=======================================================
Set sqlGal = Server.CreateObject("ADODB.Command")
sqlGal.ActiveConnection=objConn
sqlGal.Prepared = true
sqlGal.CommandText = "SELECT GalID, MemID, GalName, GalPath, GalDate FROM Gal WHERE MemID=@MemID"
sqlGal.Parameters.Append sqlGal.CreateParameter("@MemID", ad_Int, adParamInput, , sqlID)
Set rsGal = CreateObject("ADODB.Recordset")
set rsGal = sqlGal.execute
=======================================================

I get this error:
==============================================================
ADODB.Command error '800a0bb9'
Arguments are of the wrong type, are out of acceptable range, or are in conflict with one another.
/wl/Data/test.asp, line 8
==============================================================
On this line
sqlGal.Parameters.Append sqlGal.CreateParameter("@MemID", ad_Int, adParamInput, , sqlID)

This is the type of error that I can usually figure out in about 2 seconds.
But this is not my average coding.
Can someone please assist me?

Thank You
Carrzkiss
0
Comment
Question by:Wayne Barron
  • 17
  • 7
  • 4
  • +4
34 Comments
 
LVL 3

Expert Comment

by:tcsaddul9
ID: 24824555
Instead of using the @ symbol, try using ? for example:

instead of @MemID, use ?MemID
0
 
LVL 7

Expert Comment

by:jkdt0077
ID: 24824588
Where is sqlID being set? Is it definitely an integer?

Also you could add the size in:
sqlGal.Parameters.Append sqlGal.CreateParameter("@MemID", adInteger, adParamInput,4, sqlID)
0
 
LVL 9

Expert Comment

by:rg20
ID: 24824595
Set param = sqlGal.CreateParameter("@MemID", adInt, adParamInput, , sqlID)
cmd.Parameters.Append param

try that
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24824876
Tried all of the suggestions and nothing worked
>>Where is sqlID being set? Is it definitely an integer?
Please look at the code below.
I am now really sure if this is done properly for a QueryString or not.


<%
Set sqlGal = Server.CreateObject("ADODB.Command")
sqlGal.ActiveConnection=objConn
sqlGal.Prepared = true
Set rsGal = CreateObject("ADODB.Recordset")
sqlID = Int(request.QueryString("id"))
sqlGal.CommandText = "SELECT GalID, MemID, GalName, GalPath, GalDate FROM Gal WHERE MemID=@MemID"
'sqlGal.Parameters.Append sqlGal.CreateParameter("@MemID", ad_Int, adParamInput, 4, sqlID)
set Param = sqlGal.CreateParameter("?MemID", ad_Int, adParamInput, 4, sqlID)
sqlGal.Parameters.Append param

set rsGal = sqlGal.execute
%>
0
 
LVL 9

Expert Comment

by:rg20
ID: 24824957
is ad_Int correct, I thought it was adInt or adInteger?
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24824995
I tried it with everything.
And it did not work, still the same issue.

I was informed that someone could do something like this
SELECT GalID, MemID, GalName, GalPath, GalDate FROM Gal WHERE MemID=3 DROP TABLE Gal

And dump the table.
So, I am trying my best to get this site tightened up.
If someone can think of a better way of doing this with a working example.
That would be great.

Thanks All;
Carrzkiss
0
 
LVL 9

Expert Comment

by:rg20
ID: 24825046
Why not create a read only account for querying, that way nobody can drop the table.  For updates, you don't need to grant the drop privilege either
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24826870
how do you Not-Grant the drop privilege?
Also, would that be all that would be needed along with the code that I am already using to
Keep me secure from SQL Injections?
That is also a main concern as well, as that is the reason why I am doing all this.
Is to make sure that no one can do anything illegal or harmful to the site.

(This is basically the way that I have all my Selects done, And the proper code for all my Updates and Insert, deletes are done this way as well.(With there own version of the code))

===================================
<%
Set sqlGal = Server.CreateObject("ADODB.Command")
sqlGal.ActiveConnection=objConn
sqlGal.Prepared = true
Set rsGal = CreateObject("ADODB.Recordset")
sqlID = Int(request.QueryString("id"))
sqlGal.CommandText = "SELECT GalID, MemID, GalName, GalPath, GalDate FROM Gal WHERE MemID="&MemID&""
set rsGal = sqlGal.execute
%>
===================================
0
 
LVL 9

Expert Comment

by:rg20
ID: 24827047
My apologies, they don't have a restriction for dropping tables, but you could use a read_only accocunt to call querys which only read data, would not stop an update attack or anything like that.

If anyone has anything else please chime in.  Sorry for the confusion
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24827178
OK.
Does anyone know what is wrong with the original issue, and what I should do to resolve it?
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24828376
To sum it up.
This is what I have tried, and I get the same error no matter what [Column] that I call from SQL.
So. Is there a problem with this code and SQL Server 2005?

Anyone have any idea's? I would love to one day release this site.
BUT I also want this site to be as secure as I can possibly get it.

Thanks all.
Carrzkiss

<%

'This is the [Error] that I am receiving.

'=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 ADODB.Command error '800a0bb9'

Arguments are of the wrong type, are out of acceptable range, or are in 

conflict with one another.

test.asp, line 22

'=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 

'This is the code(s) that I have tried.

'=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Set sqlGal = Server.CreateObject("ADODB.Command")

sqlGal.ActiveConnection=objConn

sqlGal.Prepared = true

sqlGal.CommandText = "SELECT GalID, MemID, GalName, GalPath, GalDate FROM 

Gal WHERE MemID=@MemID"

sqlGal.Parameters.Append sqlGal.CreateParameter("@MemID", ad_Int, 

adParamInput, , sqlID) ' This line gets the error

Set rsGal = CreateObject("ADODB.Recordset")

set rsGal = sqlGal.execute

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 

'This is the other code that I have tried as well. (This was just a test 

script)
 

'=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 

Set objCommand = Server.CreateObject("ADODB.Command")

objCommand.ActiveConnection=objConn

objCommand.Prepared = true

With objCommand

   .CommandText = "usp_RecordsetAndOutputParams"

   .Parameters.Append .CreateParameter("@GalName", advarchar, adParamOutput, 

255) ' this line gets the same error.

   .Parameters.Append .CreateParameter("@GalPath", advarchar, adParamOutput, 

255)

End With
 

'=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

%>

Open in new window

0
 
LVL 32

Expert Comment

by:Daniel Wilson
ID: 24828403
carrzkiss, I'm just picking up on this from your last post ... pardon me if I've missed something.

But please try this slight alteration.

Set sqlGal = Server.CreateObject("ADODB.Command")

Set sqlGal.ActiveConnection=objConn

sqlGal.Prepared = true

sqlGal.CommandText = "SELECT GalID, MemID, GalName, GalPath, GalDate FROM Gal WHERE MemID=@MemID"

sqlGal.Parameters.Append sqlGal.CreateParameter("@MemID", ad_Int, adParamInput, , sqlID) ' This line gets the error

Set rsGal = CreateObject("ADODB.Recordset")

set rsGal = sqlGal.execute

Open in new window

0
 
LVL 32

Assisted Solution

by:Daniel Wilson
Daniel Wilson earned 150 total points
ID: 24828410
Also, is Option Explicit set?  It's possible that one of your constants (e.g. ad_Int) isn't defined.
0
 
LVL 14

Accepted Solution

by:
rob_farley earned 350 total points
ID: 24828482
Since 3 is adInteger and 1 is adParamInput, try:

sqlGal.Parameters.Append sqlGal.CreateParameter("@MemID", 3, 1, , sqlID)

Rob
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24828529
@Daniel
I tried what you provided, and added the <% OPTION EXPLICIT %> to the top of the page.
And still the same error.
(No problem on the delay in replying)

@Rob
=============This worked===========
sqlGal.CommandText = "SELECT GalID, MemID, GalName, GalPath, GalDate FROM Gal WHERE MemID=?"
sqlGal.Parameters.Append sqlGal.CreateParameter("@MemID", 3,1, , sqlID)
==================================

Please explain to me what the
3, 1
Means.
(Found it= http://www.w3schools.com/ado/met_comm_createparameter.asp )
OK, I think that I understand what is going on now, and have looked at other resources
During the last 24hrs trying to figure this aggrivation out, so I am going to give my best shot
As to at least knocking out the Simple queries right now, and will post back within the next few hours
On what I find, and if I run into any other issues.

Thanks guys.
Carrzkiss
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24828548
Do have 1 question.

using >>sqlGal.Parameters.Append sqlGal.CreateParameter("@MemID", 3,1, , sqlID)

Do I only use this on Columns that are Specifically Queried?
Example ----->  FROM Gal WHERE MemID=?"
(or)
Do I use it for all Columns within the Query that are going to be Displaying Data to the page?
0
 
LVL 14

Expert Comment

by:rob_farley
ID: 24828556
Cool, sounds like you're getting there, with a much safer application and more reusable queries. Eventually you could look at stored procs, but these static queries are the next best thing because they don't change (only the parameter values do)

Rob
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 30

Author Comment

by:Wayne Barron
ID: 24828565
@ Daniel
Thank you, I just caught onto what you stated, to bad it was not told earlier.

Const ad_ParamInput = 1 ' goes at the top
Const ad_Int = 3

This fixed it to that it will work.

Thanks you.
0
 
LVL 14

Expert Comment

by:rob_farley
ID: 24828566
You only use parameters for the variable parts of the queries, the question marks that you want to hook into values from your web app.

Rob
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24828668
OK.
So, only when the Select Statement is:
where field1 = ? and field2 = ? and field3 = ?
I create for them, but not the other Columns.
Even though they are displayed to the page.

Basically, I create for the ones that are accessible for a Hacker to trigger easily.
It is hard for them to trigger say [field4, field5] From the below, as there is no in-door to it. (So to speak)
field4, field5 from table1 where field1 = ? and field2 = ? and field3 = ?

What that assumption be accurate?

Carrzkiss
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24828675
Also.
For anyone that comes in here that needs a list of the Const Names (Parameters)
Here they are.

(I love using Copy, Paste into Notepad and opening up in Excel. So sweet, I copied from the link above (as supplied by Rob) all of what you see below, and worked it up in Excel. 2 minutes top)

Hope others will find it handy.
Carrzkiss
<%

Const  adEmpty  =  0

Const  adSmallInt  =  2

Const  adInteger  =  3

Const  adSingle  =  4

Const  adDouble  =  5

Const  adCurrency  =  6

Const  adDate  =  7

Const  adBSTR  =  8

Const  adIDispatch  =  9

Const  adError  =  10

Const  adBoolean  =  11

Const  adVariant  =  12

Const  adIUnknown  =  13

Const  adDecimal  =  14

Const  adTinyInt  =  16

Const  adUnsignedTinyInt  =  17

Const  adUnsignedSmallInt  =  18

Const  adUnsignedInt  =  19

Const  adBigInt  =  20

Const  adUnsignedBigInt  =  21

Const  adFileTime  =  64

Const  adGUID  =  72

Const  adBinary  =  128

Const  adChar  =  129

Const  adWChar  =  130

Const  adNumeric  =  131

Const  adUserDefined  =  132

Const  adDBDate  =  133

Const  adDBTime  =  134

Const  adDBTimeStamp  =  135

Const  adChapter  =  136

Const  adPropVariant  =  138

Const  adVarNumeric  =  139

Const  adVarChar  =  200

Const  adLongVarChar  =  201

Const  adVarWChar  =  202

Const  adLongVarWChar  =  203

Const  adVarBinary  =  204

Const  adLongVarBinary  =  205

Const  AdArray  =  0x2000

Const  adParamUnknown  =  0

Const  adParamInput  =  1

Const  adParamOutput  =  2

Const  adParamInputOutput  =  3

Const  adParamReturnValue  =  4

%>

Open in new window

0
 
LVL 14

Expert Comment

by:rob_farley
ID: 24828719
Yes, that's correct - only the question mark bits.

Rob
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24828731
Good deal.

I done figured out how to do the   ad_Integer
How do you do a ad_VarChar
(Cut down part of the code)
====================================
sqlVis.CommandText = "SELECT UserName FROM Members WHERE UserName = ?"
sqlVis.Parameters.Append sqlVis.CreateParameter("@UserName", adVarChar,adParamInput, , strUserName, 25)
====================================
I am getting:
====================================
Microsoft VBScript runtime error '800a01c2'
Wrong number of arguments or invalid property assignment: 'sqlVis.CreateParameter'
====================================
0
 
LVL 14

Expert Comment

by:rob_farley
ID: 24828769
sqlVis.Parameters.Append sqlVis.CreateParameter("@UserName", adVarChar,adParamInput, 25, strUserName)

the length is the one that was missing for an integer (because it's not relevant).
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 24828853
>>For anyone that comes in here that needs a list of the Const Names<<
You may want to Google the use of ADOVBS.inc.   You will find that most experienced developers include this file as it provides all the ADO constants they will ever need.
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24828886
Great, that did it.
I was putting my , 25
in the wrong place. Now I know.

----
One more for the night, and hopefully this will take care of them.
I will close this one out and open another one for the next set of questions.

Receiving the following error
=============================================
Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the varchar value 'carrzkiss' to data type int.
=============================================
=============================================
sqlFR.CommandText = "SELECT VisID, UserName FROM Members WHERE UserName=? AND VisID=?"
sqlFR.Parameters.Append sqlFR.CreateParameter("@VisID", adInteger,adParamInput, , sqlID)
sqlFR.Parameters.Append sqlFR.CreateParameter("@UserName", adVarChar,adParamInput, 25, strUserName)
set rsFR = sqlFR.execute
=============================================
It is like it is confusing the 2 lines.
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24828924
I have never used that file, never needed anything from it.
Until now.
So.
Thanks for your information AC.
>>most experienced developers
Only comes from learning from someone else's information.

Thanks AC
Carrzkiss
0
 
LVL 14

Assisted Solution

by:rob_farley
rob_farley earned 350 total points
ID: 24829025
Try calling them @P1 and @P2 instead. It's probably sorting them alphabetically.

Rob
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24829281
I put it order, and it worked like a charm.
Good catch, totally did not think of that one.

Thanks to everyone.
I have gained a lot of knowledge here tonight with all of your support and code samples.

Carrzkiss
0
 
LVL 30

Author Closing Comment

by:Wayne Barron
ID: 31602117
Great bunch of people here.
Great thinking and wish you both could have come in earlier.
This would have been tended to and would have been completed by now.

But THANK YOU!!!!

Have a good one.
Carrzkiss
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 24830977
>>It's probably sorting them alphabetically.<<
Actually no, since you are using ? they have to be in the same order as presented in the query.  If you used named parameters and set the NamedParameters property the order does not matter.  From BOL:
<quote>
NamedParameters Property
Indicates whether parameter names should be passed to the provider.

Remarks
When this property is true, ADO passes the value of the Name property of each parameter in the Commands Parameter collection. The provider uses a parameter name to match parameters in the CommandText or CommandStream properties. If this property is false (the default), parameter names are ignored and the provider uses the order of parameters to match values to parameters in the CommandText or CommandStream properties.
<quote>
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24831728
Understand.
The Columns have to be in the same order as their Queries are in.

VisID, UserName FROM Members WHERE VisID=? and UserName=?"

Understand,
Thank you AC,
0
 
LVL 30

Author Comment

by:Wayne Barron
ID: 24832296
Hello to Rob & Daniel
If either of you have the time, could you check out this post?
http://www.experts-exchange.com/Q_24561972.html

Using a Paging system with the code that I am using here, generates errors.
AC has informed me that it is due to the [Firehose CursorType]
I have been doing some research into resolving the issue.
And would like to have some more help into resolving this.

Thanks guys.
Have an awesome weekend.

Carrzkiss
0
 
LVL 14

Expert Comment

by:rob_farley
ID: 24832394
Ah yes, I had misread the query on the param order thing.

Rob
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Join & Write a Comment

All XML, All the Time; More Fun MySQL Tidbits – Dynamically Generate XML via Stored Procedure in MySQL Extensible Markup Language (XML) and database systems, a marriage we are seeing more and more of.  So the topics of parsing and manipulating XM…
Does the idea of dealing with bits scare or confuse you? Does it seem like a waste of time in an age where we all have terabytes of storage? If so, you're missing out on one of the core tools in every professional programmer's toolbox. Learn how to …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now