ora-01036

As part of an effort to stop using dynamic SQL generation and encourage use of bind variables, I am running into some problems. I am querying an Oracle 9i database from an ASP.NET page using Oracle Data Providers for .NET The query is sql = "SELECT somedata FROM sometable WHERE machine = :machineName "; I define the Oracle Parameter as follows OracleParameter parameter = new OracleParameter(); parameter.ParameterName = "machineName"; parameter.OracleDbType = OracleDbType.Varchar2; parameter.Value = machine; //machine is a variable of type string parameterList.Add(parameter); This works fine

I am constructing a search function in a class to be used by several of our asp pages. The idea is simple, take a search term from the user and query the database for the item. Currently I am doing this the wrong way, which is vulnerable to SQL injection attacks (and ELMAH is in there to save the day if something goes wrong): Public Shared Function SearchByName(ByVal searchterm As String) As DataTable SearchByName = New DataTable Dim con As New OracleConnection(System.Configuration.ConfigurationManager.ConnectionStrings("OracleDB").ConnectionString) Try con.Open() Dim SqlStr As String =