I have a query with SQL parameters. My parameter must be my table from the database and I don't know how I can realize this.
I did it like this:
myCommand = myConnection.CreateCommand()
myCommand.CommandType = CommandType.Text
myCommand.CommandText =
"SELECT Id, Bez, Param5, Info from Table" & "@idFixed"
myCommand.Parameters.Add("@idFixed", SqlDbType.VarChar).Value = strIdFixed
strIdFixed (the transmitted parameter) must be some id, because I have many tables with names Table01, Table02, Table333 ....
I've got it:
Dim tableName As String = "Test" & strIdFixed.ToString.Trim
' An identifier cannot be a parameter, so quote it instead ([Test01]); QuoteIdentifier doubles any ] inside the name
Dim builder = New SqlCommandBuilder()
Dim escapedTableName As String = builder.QuoteIdentifier(tableName)
myCommand = myConnection.CreateCommand()
myCommand.CommandType = CommandType.Text
myCommand.CommandText =
"SELECT Id, Bez, Param5, Info from " & escapedTableName
Thanks to https://stackoverflow.com/a/17948039/6787667
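Quoting the identifier stops the table name from breaking out of the brackets, but it does not stop a caller from naming any other table the login can read. The following is an added example (not code from the post above) that combines an allowlist on the id with QuoteIdentifier and keeps the remaining filter as a real parameter; it assumes a SQL Server connection, tables named Table01, Table02, ... with an Id column, and the function name BuildSelect is made up.

```vbnet
' Added example, not from the original post. Assumes an open SqlConnection,
' tables named Table01, Table02, ... each with an Id column; BuildSelect is
' a made-up helper name.
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Text.RegularExpressions

Module DynamicTableQuery

    ' Only a short run of digits is allowed into the identifier. QuoteIdentifier
    ' alone stops the bracket from being closed early, but the allowlist also
    ' stops a caller from pointing the query at an unrelated table.
    Private ReadOnly SuffixPattern As New Regex("^[0-9]{2,3}$", RegexOptions.Compiled)

    Public Function BuildSelect(myConnection As SqlConnection,
                                strIdFixed As String,
                                minId As Integer) As SqlCommand
        Dim suffix As String = If(strIdFixed, "").Trim()
        If Not SuffixPattern.IsMatch(suffix) Then
            Throw New ArgumentException("table id must be 2 or 3 digits")
        End If

        ' The identifier is quoted ([Table01]) because it cannot be a parameter.
        Dim builder As New SqlCommandBuilder()
        Dim tableName As String = builder.QuoteIdentifier("Table" & suffix)

        ' Everything that is a value still goes through a typed parameter.
        Dim cmd As SqlCommand = myConnection.CreateCommand()
        cmd.CommandType = CommandType.Text
        cmd.CommandText = "SELECT Id, Bez, Param5, Info FROM " & tableName & " WHERE Id >= @minId"
        cmd.Parameters.Add("@minId", SqlDbType.Int).Value = minId
        Return cmd
    End Function
End Module
```

The regex is the important part: an input such as `01] ; DROP TABLE Table01 --` is rejected before it ever reaches QuoteIdentifier, and an input such as `Users` (a valid identifier, but not one of the Table* family) is rejected as well.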
I am taking over a VB project and, with my limited VB skills, I cannot get the following parameterized query to return results:
Dim strSQLUser As String = "Select Name, CompanyID from Users where UserName = @UserName"
dbCommand = New SqlCommand(strSQLUser, dbConn)
dbCommand.Parameters.AddWithValue("@UserName", User)
dr = dbCommand.ExecuteReader
However, this is the original code that does work:
Dim strSQLUser As String = "Select Name, CompanyID from Users where UserName ='" & User & "'"
dbCommand = New SqlCommand(strSQLUser, dbConn)
dr = dbCommand.ExecuteReader
As you can see, the original code was vulnerable to SQL injection and needs to be fixed.
Extra - Here is the line that does the reading:
While dr.Read
DbUser = dr.GetValue(0).ToString
DbCompany = dr.GetValue(1).ToString
End While
Try this:
Dim strSQLUser As String = "Select Name, CompanyID from Users where UserName =@UserName"
dbCommand = New SqlCommand(strSQLUser, dbConn)
dbCommand.Parameters.AddWithValue("@UserName", User.Text)
dr = dbCommand.ExecuteReader
Also, the better approach is to provide the value as:
dbCommand.Parameters.Add("@UserName", SqlDbType.VarChar).Value = User.Text
Assuming User to be a varchar, i.e. a text type.
When using parameters you do not put quotes (') around the parameters. All the parameters are automatically converted to their respective column types, such as date, nvarchar, etc. So no more quotes.
Dim strSQLUser As String = "Select Name, CompanyID from Users where UserName =@UserName"
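To put the two answers above side by side with the vulnerable original, here is an added example (not code from the question or the answers) that keeps the concatenated statement only as a reference for what an injected value does to it, and does the lookup with an explicitly typed parameter and disposed reader. It assumes a SQL Server Users table with Name, CompanyID and UserName (nvarchar(50)) columns and an open connection; the UserRow class and function names are made up.

```vbnet
' Added example, not from the original post. Assumes a SQL Server "Users"
' table with Name, CompanyID and UserName (nvarchar(50)) columns and an open
' SqlConnection; UserRow, UnsafeSql and FindUser are made-up names.
Imports System
Imports System.Data
Imports System.Data.SqlClient

Public Class UserRow
    Public Property Name As String
    Public Property CompanyID As String
End Class

Module UserLookup

    ' The original concatenation: a value of  x' OR '1'='1  becomes part of the
    ' statement, so the WHERE clause matches every row. Kept only to show what
    ' the parameterized version replaces; never run it on input you did not
    ' write yourself.
    Public Function UnsafeSql(user As String) As String
        Return "SELECT Name, CompanyID FROM Users WHERE UserName = '" & user & "'"
    End Function

    Public Function FindUser(dbConn As SqlConnection, user As String) As UserRow
        If user Is Nothing Then Return Nothing

        ' No quotes around @UserName: with quotes it would be the literal string
        ' "@UserName" and the query would match nothing, which is exactly the
        ' "no results" symptom in the question.
        Const sql As String = "SELECT Name, CompanyID FROM Users WHERE UserName = @UserName"

        Using dbCommand As New SqlCommand(sql, dbConn)
            ' Declare type and length explicitly so the value is sent as
            ' nvarchar(50) instead of whatever AddWithValue infers from the
            ' .NET type; a mismatched type can defeat the index on the column.
            dbCommand.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = user

            Using dr As SqlDataReader = dbCommand.ExecuteReader()
                If Not dr.Read() Then Return Nothing
                ' DBNull.ToString() yields "", so NULL columns do not throw here.
                Return New UserRow With {
                    .Name = dr("Name").ToString(),
                    .CompanyID = dr("CompanyID").ToString()
                }
            End Using
        End Using
    End Function
End Module
```

With the parameter, the same `x' OR '1'='1` value is sent to the server as data and compared against UserName as a whole string, so it matches no row.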
I used this code for my update button to update data in my table in the DataGridView, but it still shows an error. I need some help to solve this problem.
Dim MyItems As Integer
Dim MyItemNo As Integer
Dim ItemDescription As String
MyItems = GridViewItems.CurrentRow.Index
MyItemNo = GridViewItems.Item(0, MyItems).Value
ItemDescription = GridViewItems.Item(1, MyItems).Value
Dim SqlQuery As String = " UPDATE ITEMS = '" & MyItems & "'WHERE Item_No = " & MyItemNo & ""
Dim SqlCommand As New OleDbCommand
With SqlCommand
.CommandText = SqlQuery
.Connection = conn
.ExecuteNonQuery()
End With
Your use of the UPDATE SQL statement is wrong. The correct syntax is
UPDATE <tablename> SET <field1> = <value>, <field2> = <value> WHERE <field3> = <value>
but there is also the problem of string concatenation that should be addressed.
So you could rewrite your code as
Dim SqlQuery As String = "UPDATE yourTableName SET ITEMS = ? WHERE Item_No = ?"
Dim SqlCommand As New OleDbCommand
With SqlCommand
.CommandText = SqlQuery
.Connection = conn
' OleDb binds parameters by position: the first ? is filled by the first parameter added, the names are only labels
.Parameters.AddWithValue("@p1", MyItems)
.Parameters.AddWithValue("@p2", MyItemNo)
.ExecuteNonQuery()
End With
This is an example of a parameterized query. You should always use this approach when you need to pass values submitted by your user to your database. Without it, your code is open to SQL injection and other parsing problems.
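Because OleDb matches parameters to `?` placeholders by position, the order in which they are added is the only thing that ties a value to a column. The following is an added example (not the answer's code) that wraps the UPDATE in a helper with explicit OleDbType declarations and returns the affected-row count; it assumes an Access-style table named Items with an Item_No number column and an Item_Description text column, and an open OleDbConnection. The table, column and function names are assumptions.

```vbnet
' Added example, not from the original post. Assumes an OLE DB (e.g. Access)
' table "Items" with a numeric Item_No column and a text Item_Description
' column, and an open OleDbConnection; UpdateDescription is a made-up name.
Imports System.Data
Imports System.Data.OleDb

Module ItemUpdater

    Public Function UpdateDescription(conn As OleDbConnection,
                                      itemNo As Integer,
                                      description As String) As Integer
        ' OLE DB parameters are positional: each ? is filled by the parameter at
        ' the same index of the collection. The names passed to Add are labels
        ' only. Adding itemNo first would bind the number to Item_Description
        ' and the text to Item_No, which fails with a type mismatch or updates
        ' the wrong row, so the Add calls are kept in the order of the ?s.
        Using cmd As New OleDbCommand(
                "UPDATE Items SET Item_Description = ? WHERE Item_No = ?", conn)
            cmd.Parameters.Add("description", OleDbType.VarWChar, 255).Value = description
            cmd.Parameters.Add("itemNo", OleDbType.Integer).Value = itemNo

            ' ExecuteNonQuery returns the number of rows changed; 0 means no row
            ' had that Item_No, which a caller should report rather than treat
            ' as success.
            Return cmd.ExecuteNonQuery()
        End Using
    End Function
End Module
```

A DataGridView row's cells arrive as Object, so convert them (`CInt(GridViewItems.Item(0, row).Value)`, `CStr(... Item(1, row).Value)`) before calling the helper; that keeps the conversion, and any conversion failure, in your code rather than inside the provider.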
I am writing code that will filter account numbers with the format zone-rate-customer_number. An example is 125-12-35, where 125 is the zone, 12 is the rate and 35 is the customer number. In my search textbox I want to enter the zone and the customer number; this will exclude the rate. Here is my code:
Dim search As String = txtsearch.Text
Dim sql As String = "SELECT * FROM tblCustomer WHERE [account no] LIKE '%' + @search + '%'"
Dim cmd As OleDbCommand = New OleDbCommand()
cmd.Connection = Con
cmd.CommandType = CommandType.Text
cmd.CommandText = sql
cmd.Parameters.AddWithValue("[account no]", search)
How can I search my table using only the zone and customer number?
First, you should collect the "zone" and "customer_number" separately (e.g., in separate text boxes). Then you can do a LIKE search using
' test data
Dim zone As String = "125"
Dim customer_number As String = "35"
Using cmd As New OleDbCommand
cmd.Connection = con
cmd.CommandText =
"SELECT * FROM tblCustomer WHERE [account no] LIKE ?"
cmd.Parameters.AddWithValue("?", zone & "-%-" & customer_number)
Using rdr As OleDbDataReader = cmd.ExecuteReader
Do While rdr.Read
Console.WriteLine(rdr("account no"))
Loop
End Using
End Using
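The parameter in the answer above keeps the value out of the SQL text, but `%` and `_` are still interpreted inside the pattern, so a user who types `%` as the zone would match every account. The following is an added example (not the answer's code) that validates both parts as digits before building the pattern, so the only wildcard is the one the code inserts for the rate; it assumes the tblCustomer table and [account no] column from the question and an open OleDbConnection, and the function names BuildAccountPattern and FindAccounts are made up.

```vbnet
' Added example, not from the original post. Assumes the Access table
' tblCustomer with an [account no] text column in zone-rate-customer form and
' an open OleDbConnection; BuildAccountPattern and FindAccounts are made up.
Imports System
Imports System.Collections.Generic
Imports System.Data.OleDb
Imports System.Text.RegularExpressions

Module AccountSearch

    Private ReadOnly Digits As New Regex("^[0-9]{1,5}$", RegexOptions.Compiled)

    ' Builds "125-%-35". Because zone and customer number are checked to be
    ' digits, a user cannot type % or _ and widen the search to every account,
    ' even though the pattern goes through a parameter and can never change
    ' the SQL statement itself.
    Public Function BuildAccountPattern(zone As String, customerNumber As String) As String
        Dim z As String = If(zone, "").Trim()
        Dim c As String = If(customerNumber, "").Trim()
        If Not Digits.IsMatch(z) OrElse Not Digits.IsMatch(c) Then
            Throw New ArgumentException("zone and customer number must be digits only")
        End If
        Return z & "-%-" & c
    End Function

    Public Function FindAccounts(con As OleDbConnection, zone As String,
                                 customerNumber As String) As List(Of String)
        Dim found As New List(Of String)
        Using cmd As New OleDbCommand(
                "SELECT [account no] FROM tblCustomer WHERE [account no] LIKE ?", con)
            ' % and _ are the LIKE wildcards when Access is reached through OLE DB
            ' (ANSI-92 mode); in the Access query editor they would be * and ?.
            Dim pattern As String = BuildAccountPattern(zone, customerNumber)
            cmd.Parameters.Add("pattern", OleDbType.VarWChar, 50).Value = pattern
            Using rdr As OleDbDataReader = cmd.ExecuteReader()
                Do While rdr.Read()
                    found.Add(rdr.GetString(0))
                Loop
            End Using
        End Using
        Return found
    End Function
End Module
```

If the account format ever allows letters in a segment, replace the digit check with whatever that segment's alphabet is; the point is that user input never contributes a wildcard character.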
Dim conStr As String = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=D:\databaseVB\bakery.accdb"
Dim conn As New OleDbConnection(conStr)
Dim cmd As New OleDbCommand
Dim reader As OleDbDataReader
Dim Item(5) As String
Dim key = TextBox1.Text
conn.Open()
cmd.Connection = conn
1>>>>> 'cmd.CommandText = "SELECT * FROM Member WHERE number = 3"
2>>>>> cmd.CommandText = "SELECT * FROM Member WHERE number = '" & key & "'"
MessageBox.Show(cmd.CommandText)
reader = cmd.ExecuteReader()
While reader.Read
Item(0) = reader("Number").ToString
Item(1) = reader("FirstName").ToString
Item(2) = reader("LastName").ToString
Item(3) = reader("User").ToString
Item(4) = reader("Pass").ToString
End While
MessageBox.Show(Item(1).ToString)
conn.Close()
From 1>>> I can read the Item from the database.
From 2>>> I cannot read the Item.
Try using a parameterized query string:
cmd.CommandText = "SELECT * FROM Member WHERE number = ?"
After this, add your parameters.
' OleDb binds by position, so the ? placeholder is filled by the first parameter added
' cmd.Parameters.Add("@Number", OleDbType.Integer).Value = 3
' It is better to use Integer.TryParse, in case your users write non-numerical values in the textbox
Dim number As Integer
If Not Integer.TryParse(TextBox1.Text, number) Then
    MessageBox.Show("Please enter a whole number")
    Exit Sub ' leave the button handler without running the query
End If
cmd.Parameters.Add("@Number", OleDbType.Integer).Value = number
Additionally, you need to watch your data types. 3 is of type int, but TextBox1.Text is of type string. You need to parse the string to an int in order for it to work.
This should do the trick and prevent ugly syntax juggling while mixing strings and variables, and protect you from SQL injection attacks.
Help, my code fails on da.Fill(dt). The error says "OleDbException was unhandled: No value given for one or more required parameters."
My code
Dim Conn As OleDb.OleDbConnection = New OleDb.OleDbConnection
Dim connString As String
Dim da As OleDb.OleDbDataAdapter
Dim dt As New DataTable
Dim oCmd As OleDb.OleDbCommand
Dim SQLString As String
connString = "PROVIDER=Microsoft.Jet.OLEDB.4.0;Data Source =" & sRemoteAccessFolder & "Projects.MDB"
Conn.ConnectionString = connString
Conn.Open()
SQLString = "select * from tblProjects where ProjectNumber='10100'"
da = New OleDb.OleDbDataAdapter(SQLString, Conn)
da.Fill(dt)
Any idea?
Thank you.
This line probably has problems:
SQLString = "select * from tblProjects where ProjectNumber='10100'"
The field ProjectNumber has to match what is in the table. If there is a space, then you need to include brackets:
SQLString = "select * from tblProjects where [Project Number]='10100'"
If it's a numeric field, then drop the quotes:
SQLString = "select * from tblProjects where [Project Number]=10100"
If you still have errors, then make sure you have a table called tblProjects in the database.
As always, make sure to use parameters instead of building the SQL statement completely by hand. That will avoid potential SQL injection issues.
I haven't used it for a long time, but maybe do as follows.
connString = "PROVIDER=Microsoft.Jet.OLEDB.4.0;Data Source =" & sRemoteAccessFolder & "Projects.MDB"
Conn.ConnectionString = connString
Conn.Open()
Dim oCmd As New OleDb.OleDbCommand
oCmd.Connection = Conn ' the adapter runs this command, so it needs the connection
oCmd.CommandText = "select ...."
Dim da As OleDb.OleDbDataAdapter
Dim dt As New DataTable
da = New OleDb.OleDbDataAdapter(oCmd)
da.Fill(dt)
The same thing happened in my project as well.
SQLString = "select * from tblProjects where ProjectNumber='10100'"
I followed the same approach and found that this way helped me. The correct statement that worked for me is
SQLString = "select * from tblProjects where [ProjectNumber]='10100'"
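The "No value given for one or more required parameters" message is how Access reports a name in the statement that did not resolve to a column: Jet treats any unresolved identifier as a query parameter and then complains that nobody supplied a value for it. The following is an added example (not code from the question or the answers) that loads the row the way the answers recommend, with the value bound as a parameter on the adapter's SelectCommand rather than spliced into the text. It assumes the Projects.MDB file, the tblProjects table and the sRemoteAccessFolder variable from the question, and that ProjectNumber is a text column; LoadProject is a made-up name.

```vbnet
' Added example, not from the original post. Assumes the Projects.MDB
' database and tblProjects table from the question, with ProjectNumber as a
' text column; sRemoteAccessFolder is the path variable from the question and
' LoadProject is a made-up name.
Imports System.Data
Imports System.Data.OleDb

Module ProjectLoader

    Public Function LoadProject(sRemoteAccessFolder As String,
                                projectNumber As String) As DataTable
        Dim connString As String =
            "PROVIDER=Microsoft.Jet.OLEDB.4.0;Data Source=" & sRemoteAccessFolder & "Projects.MDB"
        Dim dt As New DataTable()

        Using conn As New OleDbConnection(connString)
            ' Brackets around the column name keep a name with spaces or a
            ' reserved word from being read as something else; an unknown name
            ' would turn into a parameter and trigger the error in the question.
            Using cmd As New OleDbCommand(
                    "SELECT * FROM tblProjects WHERE [ProjectNumber] = ?", conn)
                ' The adapter executes SelectCommand, so the parameter lives on
                ' the command; the value never becomes part of the statement.
                cmd.Parameters.Add("projectNumber", OleDbType.VarWChar, 20).Value = projectNumber
                Using da As New OleDbDataAdapter(cmd)
                    ' Fill opens the connection if it is closed and closes it
                    ' again afterwards, so no explicit Open/Close is needed.
                    da.Fill(dt)
                End Using
            End Using
        End Using
        Return dt
    End Function
End Module
```

Two practical notes: if ProjectNumber is a Number column in the table, bind an Integer with `OleDbType.Integer` instead of a string, otherwise Access raises a data type mismatch; and the Jet 4.0 provider only exists as 32-bit, so a project that targets AnyCPU on a 64-bit machine will fail to find it until you set the platform target to x86 (or move to the ACE provider).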