I have a SQL query in C# ASP.NET MVC. It works well without a WHERE condition, but with a WHERE condition it doesn't work.
Here is the SQL statement:
string strSQL = @"SELECT u.USERID, u.NAME, io.CHECKTIME, io.CHECKTYPE, io.SENSORID
FROM USERINFO u
INNER JOIN CHECKINOUT io ON u.USERID = io.USERID
WHERE u.NAME = " + conditionSearch.NAME;   // the value is pasted into the SQL text unquoted
conditionSearch.NAME is a variable from a view; I checked it, and it holds the value that needs to be searched.
Could you please show me what is wrong in this WHERE condition? Thank you!
The immediate fix here would be to put the name in the WHERE clause inside single quotes, to make a string literal:
string strSQL = @"SELECT u.USERID, u.NAME, io.CHECKTIME, io.CHECKTYPE, io.SENSORID
FROM USERINFO u INNER JOIN CHECKINOUT io ON u.USERID = io.USERID
WHERE u.NAME = '" + conditionSearch.NAME + "'";   // quoted as a string literal, but still concatenated
However, doing a direct concatenation to form a SQL query string is usually seriously bad practice. A much better approach would be to use a prepared statement, with a placeholder for the name. That is, use a query looking something like:
SELECT u.USERID, u.NAME, io.CHECKTIME, io.CHECKTYPE, io.SENSORID
FROM USERINFO u
INNER JOIN CHECKINOUT io
ON u.USERID = io.USERID
WHERE u.NAME = ?;
Then, let your database worry about how to bind the name parameter correctly.
Hi Tim, thanks for the reply. I tried with an exact name that exists in the db, with single quotes, but the result still returns null.
Oh, but I tried with your solution ('" + conditionSearch.NAME + "'") and it works perfectly.
Thank you so much!
I have this SQL:
SELECT
dbo.ARTRNTBL.Item_code, dbo.ARTRNTBL.Item_name, dbo.FAFPHTBL.rate_value,
dbo.FAFPHTBL.quantity, dbo.FAFPHTBL.total, dbo.FAFPHTBL.TIN, dbo.EGRDGTBL.return_type
FROM
dbo.FAFPHTBL
INNER JOIN
dbo.ARTRNTBL
INNER JOIN
dbo.EGRDGTBL ON dbo.FAFPHTBL.Item_code = dbo.ARTRNTBL.Item_code
ON dbo.ARTRNTBL.Item_code = dbo.EGRDGTBL.Item_code
WHERE
dbo.FAFPHTBL.invoice_no = '" & TextBox39.Text & "'"
I keep getting this error:
The multi-part identifier "dbo.FAFPHTBL.Item_code" could not be bound.
How can I fix this?
The problem is the way the join expressions are nested. At the time dbo.FAFPHTBL.Item_code is used, it's part of this expression:
dbo.ARTRNTBL INNER JOIN dbo.EGRDGTBL ON dbo.FAFPHTBL.Item_code = dbo.ARTRNTBL.Item_code
Notice the dbo.FAFPHTBL object is not included with this expression.
You probably want this instead:
SELECT dbo.ARTRNTBL.Item_code, dbo.ARTRNTBL.Item_name, dbo.FAFPHTBL.rate_value,
dbo.FAFPHTBL.quantity, dbo.FAFPHTBL.total, dbo.FAFPHTBL.TIN, dbo.EGRDGTBL.return_type
FROM dbo.FAFPHTBL
INNER JOIN dbo.ARTRNTBL ON dbo.FAFPHTBL.Item_code = dbo.ARTRNTBL.Item_code
INNER JOIN dbo.EGRDGTBL ON dbo.ARTRNTBL.Item_code = dbo.EGRDGTBL.Item_code
WHERE dbo.FAFPHTBL.invoice_no = #InvoiceNumber
While I'm here:
DO NOT USE STRING CONCATENATION LIKE THAT TO INCLUDE A TEXTBOX IN THE QUERY!
And yes, I know I'm shouting, because it's that important. If you're not using parameterized queries, you're practically begging for problems with your app, some of them pretty serious security issues. If you set me down in front of your app, I could easily delete all your data or elevate my permission to admin level.
I'm a long-time follower of Stack Overflow but this is my first post. I'm hoping the community can help.
I have a successful Access query that returns the required results - perfect!
HOWEVER, I'm trying to return the same using an OLEDB connection to the database within an ASP script. This is all legacy stuff; however, we are allowing web access to this legacy information.
MS Access (2016) shows Query as this... (works)
SELECT [EventName] & ": " & [RoundCaption] AS RoundTitle, ChunkEntryTable.WinPos
FROM ((EventTable INNER JOIN EventRoundTable ON EventTable.EventId = EventRoundTable.EventId) INNER JOIN ((RoundHeatTable INNER JOIN ChunkTable ON RoundHeatTable.RoundHeatId = ChunkTable.RoundHeatId) INNER JOIN (EventEntryTable INNER JOIN ChunkEntryTable ON EventEntryTable.EventEntryId = ChunkEntryTable.EventEntryId) ON ChunkTable.ChunkId = ChunkEntryTable.ChunkId) ON EventRoundTable.RoundKeyId = RoundHeatTable.RoundKeyId) LEFT JOIN EventEntryMemberTable ON EventEntryTable.EventEntryId = EventEntryMemberTable.EventEntryId
WHERE (((EventEntryTable.Entry1Id)=[EntryId])) OR (((EventEntryTable.Entry2Id)=[EntryId])) OR (((EventEntryTable.Entry3Id)=[EntryId])) OR (((EventEntryMemberTable.MemberId)=[EntryId]))
ORDER BY EventTable.SortIdx, EventRoundTable.RoundId DESC , EventRoundTable.IsRepechage DESC;
Doing this in OLEDB. Connection string as follows...
<%
' FileName="Connection_ado_conn_string.htm"
' Type="ADO"
' DesigntimeType="ADO"
' HTTP="true"
' Catalog=""
' Schema=""
Dim MM_csresultdb_STRING
MM_csresultdb_STRING = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=xyz.mde;Jet OLEDB:Database Password=xxxxxxxxx;"
%>
The connection works perfectly but I can't seem to get the SQL command to work. I get "No value given for one or more required parameters".
NOTE: I have replaced [EntryID] in 4 places with a valid value and it works perfectly in Access, just not outside of Access using OLEDB. Here's the SQL I'm using...
SELECT EventTable.EventName & ": " & EventRoundTable.RoundCaption AS RoundTitle, ChunkEntryTable.WinPos FROM
((EventTable INNER JOIN EventRoundTable ON EventTable.EventId = EventRoundTable.EventId) INNER JOIN
((RoundHeatTable INNER JOIN ChunkTable ON RoundHeatTable.RoundHeatId = ChunkTable.RoundHeatId) INNER JOIN
(EventEntryTable INNER JOIN ChunkEntryTable ON EventEntryTable.EventEntryId = ChunkEntryTable.EventEntryId) ON ChunkTable.ChunkId = ChunkEntryTable.ChunkId)
ON EventRoundTable.RoundKeyId = RoundHeatTable.RoundKeyId)
WHERE ((EventEntryTable.Entry1Id)=4741) OR ((EventEntryTable.Entry2Id)=4741) OR ((EventEntryTable.Entry3Id)=4741)
ORDER BY EventTable.SortIdx, EventRoundTable.RoundId DESC , EventRoundTable.IsRepechage DESC;
FOUND PROBLEM ** See answer below
FOUND PROBLEM ** It's to do with this part of the SQL...
[EventName] & ": " & [RoundCaption] AS RoundTitle
Changed to
[EventName], [RoundCaption] AS RoundTitle
and it works but gives me two separate fields rather than the one concatenated field called "RoundTitle". So I'll join the two result fields during the display output rather than at the query stage.
Whew! That many days to figure out. Thanks to the comments that kinda steered me in that direction of the AS part of the statement.
I have a query like this (I put it into a string to prepare the query itself):
select r.id,
r.id_user,
r.date_pubblication,
r.name,
r.description,
r.type,
u.name as Uname
from resources r,
users u
where r.id_user=id_logged
Now, all these fields in the select are fields of DB tables. Only id_logged is not a field of a table but a Java variable defined this way:
User user = userService.getUserCurrent();
long id_logged = user.getId();
The error returned after running the query is
ORA-00904: "ID_LOGGED": invalid identifier
Something more to say is that when I define id_logged by giving it the value user.getId(), there is a warning:
- The value of the local variable id_logged is not used
Can you explain what my mistake is? How can I run this query correctly?
So if I understand correctly, you generate something like this:
"select r.id, r.id_user, r.date_pubblication,r.name, r.description, r.type, u.name as Uname from resources r, users u where r.id_user=id_logged"
as a string?
If so - check the last parameter: r.id_user=id_logged.
It is a string. And you declare the id_logged as a javascript variable.
If so - you have to join the string of your query with the variable value.
For example in:
javascript:
"query string" + id_logged
php:
"query string" . id_logged
This should help you - IF I understood your question correctly.
If your query is a Java string, you need to do something like this:
long id_logged = userService.getUserCurrent().getId(); // whatever you do to get the value of id_logged
String query = "select r.id, "+
"r.id_user, "+
"r.date_pubblication,"+
"r.name,"+
"r.description, "+
"r.type, "+
"u.name as Uname "+
"from resources r, "+
"users u "+
"where r.id_user="+id_logged ;
//Now you can execute the query.
Be aware that this is prone to SQL injection. You really should be doing this sort of thing with prepared statements.
I am using Visual Studio 2008 and SQL Server 2005
Dim selectquery = "SELECT Purchase_master.Customer_name, Purchase_details.Item_code, Item_Master.Name, " & _
    "Purchase_details.Quantity, Purchase_details.Cost, Purchase_master.Date " & _
    "FROM Item_Master INNER JOIN (Purchase_master INNER JOIN Purchase_details ON " & _
    "Purchase_master.Bill_id = Purchase_details.Bill_id) ON Item_Master.Item_code = Purchase_details.Item_code " & _
    "WHERE Purchase_master.Date= " & cboPDate.SelectedValue.ToString()
When this selectquery is executed it gives me the
error
"ERROR near syntax 12"
My cboPDate is a combobox bound to my database which returns the date and time as
"2/18/2011 12:00:00 AM"
Please help me out.
You need to add quotes around your date.
Try
Dim selectquery = "SELECT Purchase_master.Customer_name, Purchase_details.Item_code, Item_Master.Name, " & _
    "Purchase_details.Quantity, Purchase_details.Cost, Purchase_master.Date " & _
    "FROM Item_Master INNER JOIN (Purchase_master INNER JOIN Purchase_details ON " & _
    "Purchase_master.Bill_id = Purchase_details.Bill_id) ON Item_Master.Item_code = Purchase_details.Item_code " & _
    "WHERE Purchase_master.Date= '" & cboPDate.SelectedValue.ToString() & "'"
Better yet, use SQL parameters.
I suspect it is treating it as a delimiter. It would be better to change it to
WHERE Purchase_master.Date=#Your_date
And then add the date as a parameter, this would prevent SQL injection attacks and also promote plan caching
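The parameter binding that Tim's answer on the first question, the Java answer above and the previous answer here all recommend, as an added example that is not code from any of the posts: it uses Python's sqlite3 module in place of ADO.NET or JDBC, with a constructed in-memory copy of the USERINFO/CHECKINOUT tables from the first question, and shows the concatenated query breaking on a legitimate name containing an apostrophe while the bound ? parameter handles the same name correctly.

```python
import sqlite3

# Constructed sample data standing in for USERINFO / CHECKINOUT (not from the post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE USERINFO (USERID INTEGER PRIMARY KEY, NAME TEXT);
        CREATE TABLE CHECKINOUT (USERID INTEGER, CHECKTIME TEXT, CHECKTYPE TEXT, SENSORID INTEGER);
        INSERT INTO USERINFO VALUES (1, 'Alice'), (2, 'O''Brien');
        INSERT INTO CHECKINOUT VALUES (1, '2011-02-18 08:00', 'I', 7),
                                      (2, '2011-02-18 08:05', 'I', 7);
    """)
    return conn

SELECT_PART = ("SELECT u.USERID, u.NAME, io.CHECKTIME, io.CHECKTYPE, io.SENSORID "
               "FROM USERINFO u INNER JOIN CHECKINOUT io ON u.USERID = io.USERID ")

def search_concatenated(conn, name):
    # The pattern from the questions: the value is spliced into the SQL text.
    # Any quote inside the value becomes part of the SQL syntax.
    sql = SELECT_PART + "WHERE u.NAME = '" + name + "'"
    return conn.execute(sql).fetchall()

def search_parameterized(conn, name):
    # The fix: the SQL text never changes; the value is bound to the ? placeholder
    # by the driver, so quotes in the data are just data.
    sql = SELECT_PART + "WHERE u.NAME = ?"
    return conn.execute(sql, (name,)).fetchall()

def demo():
    conn = make_db()
    out = {
        "param_alice": search_parameterized(conn, "Alice"),
        "param_obrien": search_parameterized(conn, "O'Brien"),
        "concat_alice": search_concatenated(conn, "Alice"),
    }
    try:
        search_concatenated(conn, "O'Brien")
        out["concat_obrien"] = "ok"
    except sqlite3.OperationalError:
        # 'O'Brien' splits the literal: the query is a syntax error, not a lookup.
        out["concat_obrien"] = "error"
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The concatenated form only agrees with the bound form on names without quote characters; the bound form also lets the database reuse the compiled plan, which is the caching benefit mentioned above.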
Try this:
Dim selectquery = String.Format("SELECT Purchase_master.Customer_name, Purchase_details.Item_code, Item_Master.Name, " & _
    "Purchase_details.Quantity, Purchase_details.Cost, Purchase_master.Date " & _
    "FROM Item_Master INNER JOIN (Purchase_master INNER JOIN Purchase_details ON " & _
    "Purchase_master.Bill_id = Purchase_details.Bill_id) ON Item_Master.Item_code = Purchase_details.Item_code " & _
    "WHERE Purchase_master.Date= '{0}'", cboPDate.SelectedValue.ToString())
You have to add quotes to the value. :)
I am trying to combine two columns in SQL query but getting the following exception in java.sql.ResultSet's FindColumn method:
JdbcSqlException: The column name
FullName is not valid. Column:
'FullName'
Here is my SQL query
SELECT U.FirstName + ' ' + U.LastName AS FullName FROM User as U
Anyone?
Please note that the query runs fine when I run it directly in SQL Server Management Studio. Also, this query is part of a big query, which is why U is used as an alias.
When you put "AS FullName", FullName is a label now. JDBC gets data by "column name" or "field name". You have to change your code (I don't know your prog. language) accordingly.
You might try putting parentheses around the string concatenation, as in
SELECT (U.FirstName + ' ' + U.LastName) AS FullName FROM User U
Share and enjoy.
Sorry I am answering this late. I am sure someone will need the answer. I have had the same problem and, whereas I do not know exactly why and what causes it, I have found a way to fix it (at least for my case).
jahanzeb farooq did not show his code, but if you had declared the PreparedStatement and ResultSet variables outside the current method and used them in other queries, then try declaring them anew inside the current method, that is
PreparedStatement pst=conn.prepareStatement(sql);
ResultSet rs=pst.executeQuery();
The problem will be sorted (or at least fixed)
String sql = "SELECT U.FirstName + ' ' + U.LastName AS FullName FROM User U ";
pst = conn.prepareStatement(sql);
rs = pst.executeQuery();
if (rs.next()) {
String fullname = rs.getString("FullName");
jtextfiel.setText(fullname);
//////or - short
jtextfiel.setText(rs.getString("FullName"));
}