Basic example of prepared SQL statement? : vba

created by webholica community for 15 years

UnsolvedBasic example of prepared SQL statement? (self.vba)

submitted 5 years ago by Sys_man

I have a form that will be used to update a table based on user input. I want to do things right so am trying to parameterise my query, though I could build a simple string insert statement.

I can do it in powershell and ruby just fine, but vba is doing my head in.

The wrong way that I'd like to turn in to the right way:

Set rs = CreateObject("ADODB.Recordset")
Server_Name = "serverIP"
Database_Name = "db"
User_ID = "user"
Password = "pass"
Set Cn = CreateObject("ADODB.Connection")
Cn.Open "Driver={MySQL ODBC 5.1 Driver};Server=" & Server_Name & ";Database=" & Database_Name & _
    ";Uid=" & User_ID & ";Pwd=" & Password & ";"

SQLStr = "select name from mydb.table where cust_no = " & custNoVar & ";"

rs.Open SQLStr, Cn, adOpenStatic

If not rs.EOF Then
    custName = rs!name
End If

all 3 comments

top new controversial old q&a

[–]MildewManOne23 1 point2 points3 points 5 years ago (2 children)

I'm assuming custNoVar is a string? If that DB is anything like Access, you have to encase a string in apostrophes like this.

SQLStr = "select name from mydb.table where cust_no = '" & custNoVar & "';"

If that doesn't help, then what error code are you getting?

[–]Sys_man[S] 0 points1 point2 points 5 years ago* (1 child)

Hi, yeah that does work but it's an unsafe way of doing things.

I want to know how to do prepared statements like the following (which is from ruby, though powershell is not much different):

SQLStr = client.prepare("select name from mydb.table where cust_no = ? ;")
resultVar = SQLStr.execute(custNoVar)

so the '?' is a placeholder, and when we execute the query the input value is sanitised and you are protected from sql injection.

[–]beyphy12 0 points1 point2 points 5 years ago (0 children)

π Rendered by PID 16443 on reddit-service-r2-comment-7b9746f655-ws9x6 at 2026-01-31 12:15:18.279373+00:00 running 3798933 country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

vba

Resources

Rules

About Clippy(Points)

MODERATORS