I am having the following exception when passing the query through executereader:
incorrect syntax near )"...
How do I write the 0 here?
Here's the whole query:
string query = "select distinct BillNumber,PatientName,MobileNo,DueAmount from PaymentView where RequestDate between '" + fromDate.ToString("yyyy-MM-dd") + "' and '" + toDate.ToString("yyyy-MM-dd") + "' and DueAmount>'"+value+"')";
Extra Closing bracket at end of query. Also DueAmount should not be wrap into single quotes remove it.
and DueAmount>'"+value+"')";
------------^
Note : This may lead to SQL Injection attack, My suggestion is use Sql Parameter.
Related
I have a query like this
Dim view_src_14 As String = GetParameterValue("ViewSrc14")
Dim calendar_date_14 As String = GetParameterValue("CalendarDate14")
select calendar_date,view_src,sum(effective) effective_total, sum(ineffective) ineffective_total
from wrk_alert_effectiveness
where calendar_date='" + calendar_date_14 + "' and '" + view_src_14 + "'
group by 1,2
order by 1 desc;
calender_date_14 and view_src_14 are variables... when I run the query it bring this error:
invalid input syntax for type date: ""
Where do i make the changes??
I don't think this is specific enough for an answer, but it is too long for a comment.
You are trying to execute a SQL statement where you pass in values for constants in the statement. This is allowed and a part of SQL -- using parameters. There are two types of parameters, named parameters and positional parameters.
select calendar_date, view_src,
sum(effective) as effective_total, sum(ineffective) as ineffective_total
from wrk_alert_effectiveness
where calendar_date = #date1 and #date2
group by 1, 2
order by 1 desc;
Often, these are represented by ? for anonymous parameters. Sometimes named ones are introduced with colons.
The exact syntax depends on your database and the application interface you are using. My point is that you should learn about parameters and how to use them.
"select calendar_date, view_src, sum(effective) effective_total,
sum(ineffective) ineffective_total
from wrk_alert_effectiveness
where calendar_date= '" + #CalendarDate + "' AND " + #ViewSrc + "
group by 1,2
order by 1 desc;"
I am a little lost on how to incorporate TWO Where in my sql statement in my asp.
I am trying to get the userID and password entered previously and compare it with what I have in my database created on SQL:
I think my problem comes from my double quotation and single quotation.
UserID is a number in my database and Password is a short text.
var mycon = new ActiveXObject("ADODB.Connection");
var myrec = new ActiveXObject("ADODB.Recordset");
mycon.Open("Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\\Users\\Omnivox.mdb");
var txtpassword = Request.QueryString("txtpassword");
var txtuserID = parseInt (Request.QueryString("txtuserID"));
var sql;
sql = "SELECT UserID, UserPassword FROM UserOmnivox WHERE UserID=" +txtuserID+ " AND UserPassword='" + txtpassword + "';";
myrec.Open(sql, mycon);
thank you
UPDATE: It is still not working. The error massage is : no value given for one or more required parameters for the line myrec.Open(sql,mycon)
Change
sql = "SELECT * FROM UserOmnivox WHERE UserID=" +txtuserID "AND UserPassword="'+txtpassword';
to
sql = "SELECT * FROM UserOmnivox WHERE UserID=" +txtuserID + " AND UserPassword='"+txtpassword+"'";
If you'd done any kind of basic debugging, like LOOKING at the query string you're generating, you'd have seen this:
sql = "SELECT [..snip..] UserID=" +txtuserID "AND UserPassword="'+txtpassword
^^--- no space
^--- missing +
which produces
SELECT .... UserID=1234AND userPassword
^^---syntax error, no such field '1234AND'
And then, yes, your quotes are wrong too
sql = "SELECT ... UserID=" +txtuserID "AND UserPassword="'+txtpassword
^------------------^-- one string
^-----------------^-- another string
^---???
It should be
sql = "SELECT * FROM UserOmnivox WHERE UserID=" +txtuserID + " AND UserPassword='" + txtpassword + "';";
I find another more flexible solution is better. Sometimes based on conditions you have one where condition, in others you have zero, and in others you have two. If you go down these paths they don't solve that issue. The following does.....
Some sql query
where 1=1 -- ## A condition that will always be true and does nothing to your query.
and first optional where clause
and second optional where clause
This way if you don't have the first where clause in a given situation but you do have the second you are not missing the words "where". You always have the where and you optionally add any array of "and" parts to your where statement. 100% flexibility in this method works for all challenges. Plus it is easier to follow code once you get past the wtf is this 1=1 nonsense reaction.
When i am trying to execute the following command i get the following output error.
("INSERT INTO Leaves (EmpID,TotalLeavesRemaining,Year)
SELECT EmpID,TotalLeavesRemaining,'" + year + "'
FROM Leaves
WHERE Year = '" + yearbefore + "' ", con)
Additional information: Conversion from string
INSERT INTO Leaves (EmpID,TotalL" to type 'Double' is not valid.
When i run the command directry through the sql management studio the query does its job !
If you really need to concatenate SQL string then convert your year to string or join using & instead of +
("INSERT INTO Leaves (EmpID,TotalLeavesRemaining,Year)
SELECT EmpID,TotalLeavesRemaining,'" + year.ToString + "'
FROM Leaves
WHERE Year = '" + yearbefore.ToString + "' ", con)
If you put single quotes around your year number it makes it a string. But apparently your year column is of type double. (Why? Shouldn't' it be of type int?). Remove the single quotes!
And also use command parameters. This makes it safer, less error prone and also faster, as the SQL-Server can cache the query and reuse it without having to recompile it and to create an execution plan again.
using (var cmd new SqlCommand(#"INSERT INTO Leaves (EmpID, TotalLeavesRemaining, Year)
SELECT EmpID,TotalLeavesRemaining, #year
FROM Leaves
WHERE Year = #yearbefore", con)) {
cmd.Parameters.AddWithValue("#year", 2015);
cmd.Parameters.AddWithValue("#yearbefore", 2014);
...
}
Note that you don't need any quotes around parameters, even for string parameters. They free you from escaping strings, formatting numbers and dates.
If you want to use multiline strings, use verbatim strings introduced with an #. These string literals can span multiple lines and don't interpret the backslash (\) as an escape character. Single quotes can be escaped by double single quotes.
First time using Access and wanted to make an update query that uses a variable for its table name. Now, I've gotten myself into a web of nothing good. When I get to the part the SQL code is needed for, I get Runtime error 3075 - Missing operator in '(((" + enteredid + ".todayDate)=Format(Now()','""Short Date"")))' I've never coded in SQL, so I have no clue what operators are needed.
My code:
strSQL = "UPDATE " + enteredid + " SET " + enteredid + ".signIn = Format(Now(),""Short Time"") WHERE (((" + enteredid + ".todayDate)=Format(Now()','""Short Date"")));"
My suggestions:
You can avoid the whole Format() issue in the WHERE clause by using the Date() function instead of trying to extract just the date part of Now().
Since you are doing an UPDATE on a single table you can just use the field (column) names without the TableName. prefix.
To make your code more robust, enclose the table name in square brackets so it won't crash if the table name contains spaces or other "funny" characters.
So, the revised code would look more like this:
strSQL = _
"UPDATE [" + enteredid + "] SET " + _
"signIn = Format(Now(),""Short Time"") " + _
"WHERE todayDate = Date()"
Assume that we have this SQL statement:
UPDATE article SET saison='12E', mode='ECH', client='SAS', WHERE ID='3448fe81-1bec-e011-8546-001f3ccf8f20'
This SQL statement is generated by concatenated strings like this:
// saison change
procedure TarticleEditForm.saisonComboChange(Sender: TObject);
begin
SQLQuery := SQLQuery + 'saison=''' + saisonCombo.Text + ''',';
end;
// client change
procedure TarticleEditForm.clientComboChange(Sender: TObject);
begin
SQLQuery := SQLQuery + 'client=''' + clientCombo.Text + ''',';
end;
.
.
.
As you see, there is a comma before "WHERE" clause. How can I remove the last comma to have the correct statement:
UPDATE article SET saison='12E', mode='ECH', client='SAS' WHERE ID='3448fe81-1bec-e011-8546-001f3ccf8f20'
RMQ: the number of comma is not fixe, it can be 1, 2, 5...
thank you.
The solution is replacing ", WHERE" by "WHERE"
SQLQuery := StringReplace(SQLQuery , ', WHERE', 'WHERE', [rfReplaceAll]);
I am using this to trace every change in HISTORY Table.
Thank you all.
Rather than concatenating the changes to the SQL string as they happen, store them in a collection and build you SQL string after all the options have been evaluated.
Then you will know how many fields are going to be changed and build the statement correctly. Of course this will require you to store not only the value but also the name of the fild being changed:
[pseudo code]
for i=0 to fields_changed.count {
sql = sql + fields_changed(i).field_name + " = " + fields_changed(i).new_value
if i < fields_changed.count {
sql = sql + ", "
}
}
sql = sql + " WHERE ..."
EDIT: The other option you have is to simply perform a string replace on , WHERE with WHERE just before executing the statement; since the word 'where' is a reserved word and should not occur more than once in your SQL statement. This may be the simpler solution even if it feels like a bit of a hack.
another option is to reduce the length of the string by 1 character before appending the WHERE clause.