I'm designing some VB based ASP.NET 2.0, and I am trying to make more use of the various ASP tags that visual studio provides, rather than hand writing everything in the code-behind.  I want to pass in an outside variable from the Session to identify who the user is for the query.
<asp:sqldatasource id="DataStores" runat="server" connectionstring="<%$ ConnectionStrings:MY_CONNECTION %>"
          providername="<%$ ConnectionStrings:MY_CONNECTION.ProviderName %>"
          selectcommand="SELECT THING1, THING2 FROM DATA_TABLE WHERE (THING2 IN (SELECT THING2 FROM RELATED_DATA_TABLE WHERE (USERNAME = @user)))"
          onselecting="Data_Stores_Selecting">
          <SelectParameters>
          <asp:parameter name="user" defaultvalue ="" />
          </SelectParameters>
          </asp:sqldatasource>
And on my code behind I have:
Protected Sub Data_Stores_Selecting(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.SqlDataSourceSelectingEventArgs) Handles Data_Stores.Selecting
    e.Command.Parameters("user").Value = Session("userid")
End Sub
Oracle squaks at me with ORA-01036, illegal variable name.  Am I declaring the variable wrong in the query?  I thought external variables share the same name with a @ prefixed.  from what I understand, this should be placing the value I want into the query when it executes the select.
EDIT: Okay, thanks for the advice so far, first error was corrected, I need to use : and not @ for the variable declaration in the query.  Now it generates an ORA-01745 invalid host/bind variable name.
EDIT AGAIN: Okay, looks like user was a reserved word.  It works now!  Thanks for other points of view on this one.  I hadn't thought of that approach.