I have written this query:
String sql = "Update db " +
"SET LName = '"+txtLName.getText()+"'," +
"ATC_Code = '"+txtATCcode.getText()+"'," +
"ATC_Name= '"+txtATCname.getText()+"'," +
"Course_Name = '"+txtCourseName.getText()+"'," +
"Course_Fee = '"+txtCourseFee.getText()+"'," +
"Where FName = '"+txtFName.getText()+"' ";
And I got an error like:
Malformed SQL Statement: Expected ',', found 'Anuja'.
Statement:Update db SET LName = 'df',ATC_Code = '323',ATC_Name= 'sd',Course_Name = 'd',Course_Fee = '534',Where FName = 'Anuja'
Remove the last , from the SET statement:
String sql = "Update db " +
"SET LName = '"+txtLName.getText()+"'," +
"ATC_Code = '"+txtATCcode.getText()+"'," +
"ATC_Name= '"+txtATCname.getText()+"'," +
"Course_Name = '"+txtCourseName.getText()+"'," +
"Course_Fee = '"+txtCourseFee.getText()+"' " + // no trailing ',' before the WHERE clause
"Where FName = '"+txtFName.getText()+"' ";
On a side note, this kind of SQL command generation (concatenating strings that contain values) is susceptible to SQL injection attacks. To prevent this type of attack, use parameters and set the parameter values instead. See SQL injection for more information.
Update db
SET LName = 'df',
ATC_Code = '323',
ATC_Name= 'sd',
Course_Name = 'd',
Course_Fee = '534',
Where FName = 'Anuja'
The only change is to remove the last comma ','
Update db
SET LName = 'df',
ATC_Code = '323',
ATC_Name= 'sd',
Course_Name = 'd',
Course_Fee = '534'
Where FName = 'Anuja'
I have a SQL query where I have to pass a string in my WHERE clause. The string can contain a single quote in the name of the program, which breaks the string and causes an error in my request.
Yes I would just like to skip the code, but the actual logic has been done so that we are able to modify the code, so I can't just trust that.
Here is the query in my ASP.NET MVC 5 project:
IQueryable<ListeProgrammesCol> query = db.Database.SqlQuery<ListeProgrammesCol>(
"SELECT id AS offreID, nomProgramme AS nom, codeProgramme AS code, dateAjout, dateLastUpdate, gestionEnLigne " +
"FROM tbl_offreCol " +
"WHERE FK_etablissement = " + instId +" AND offreType = 3 AND archive = 0 AND codeProgramme = '" + code + "' AND nomProgramme = '" + progNom + "' " +
"ORDER BY nomProgramme").AsQueryable();
And here is the query if you want to test it in SQL Server Management Studio:
SELECT
id AS offreID, nomProgramme AS nom, codeProgramme AS code,
dateAjout, dateLastUpdate, gestionEnLigne
FROM
tbl_offreCol
WHERE
FK_etablissement = 923000
AND offreType = 3
AND archive = 0
AND codeProgramme = '351.A0'
AND nomProgramme = 'RAC en Techniques d'éducation spécialisée'
ORDER BY
nomProgramme
This is the problem: d'éducation
UPDATE:
I decided to use LINQ to build my query, so I no longer need to use quotes. Here is the query:
var query = (from oc in db.tbl_offreCol
where oc.FK_etablissement == instId
&& oc.offreType == 3
&& oc.archive == 0
&& oc.codeProgramme == code
&& oc.nomProgramme == progNom
select new ListeProgrammesCol
{
offreID = oc.id,
nom = oc.nomProgramme,
code = oc.codeProgramme,
dateAjout = oc.dateAjout,
dateLastUpdate = oc.dateLastUpdate,
gestionEnLigne = oc.gestionEnLigne
}).OrderBy(x => x.nom).AsQueryable();
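An added example (not code from either post) that reproduces the failure described above and the parameterized fix, written in Python against an in-memory SQLite table standing in for tbl_offreCol because that runs stand-alone; the placeholder-plus-values pattern is the same one EF6's SqlQuery accepts with SqlParameter objects, and the same one a JDBC PreparedStatement gives the UPDATE in the first question.

```python
import sqlite3

# Constructed stand-in for tbl_offreCol (in-memory SQLite) holding the row
# from the question; the real table lives in SQL Server.
def make_db():
    cn = sqlite3.connect(":memory:")
    cn.execute(
        "CREATE TABLE tbl_offreCol (id INTEGER PRIMARY KEY, nomProgramme TEXT, "
        "codeProgramme TEXT, FK_etablissement INTEGER, offreType INTEGER, archive INTEGER)"
    )
    cn.executemany("INSERT INTO tbl_offreCol VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "RAC en Techniques d'éducation spécialisée", "351.A0", 923000, 3, 0),
        (2, "Soins infirmiers", "180.A0", 923000, 3, 0),
    ])
    return cn

def find_concat(cn, inst_id, code, prog_nom):
    # The question's pattern: values spliced into the SQL text. The quote in
    # d'éducation ends the literal early, so the statement no longer parses;
    # the same mechanism is what lets crafted input rewrite the query.
    sql = ("SELECT id FROM tbl_offreCol WHERE FK_etablissement = " + str(inst_id)
           + " AND offreType = 3 AND archive = 0 AND codeProgramme = '" + code
           + "' AND nomProgramme = '" + prog_nom + "' ORDER BY nomProgramme")
    return [row[0] for row in cn.execute(sql)]

def find_param(cn, inst_id, code, prog_nom):
    # Placeholders in the SQL, values passed separately: the driver never
    # mixes them into the statement text, so quotes in the data stay data.
    # (? for SQLite/JDBC, @name with SqlParameter for SQL Server, :name for Oracle.)
    sql = ("SELECT id FROM tbl_offreCol WHERE FK_etablissement = ? AND offreType = 3 "
           "AND archive = 0 AND codeProgramme = ? AND nomProgramme = ? ORDER BY nomProgramme")
    return [row[0] for row in cn.execute(sql, (inst_id, code, prog_nom))]

def demo():
    cn = make_db()
    nom = "RAC en Techniques d'éducation spécialisée"
    try:
        concat = find_concat(cn, 923000, "351.A0", nom)
    except sqlite3.OperationalError as exc:
        concat = "error: " + str(exc)  # the unterminated-string parse error
    return {
        "concat": concat,
        "param": find_param(cn, 923000, "351.A0", nom),                        # [1]
        "param_other": find_param(cn, 923000, "180.A0", "Soins infirmiers"),  # [2]
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```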
Dummy in SQL here needing to update an extended property of a stored procedure. Can only find info on updating table contents, not properties.
Needing to send a query to a database from a C# function.
It would read something like:
string query = "Update StoredProcedureName SET caption = 'newValue' WHERE caption = 'oldValue' "
Where caption is the name of an extended property.
Here you can find info about how to update an extended property:
https://msdn.microsoft.com/en-us/library/ms186885.aspx
Example:
string query = "EXEC sp_updateextendedproperty ";
query += " @name = N'Caption' ";
query += " ,@value = 'newValue.' ";
query += " ,@level0type = N'Schema', @level0name = dbo ";
// the property name is already given in @name; no level-2 object is involved
// when the property sits on the procedure itself
query += " ,@level1type = N'Procedure', @level1name = STOREDPROCNAME; ";
Then send your query to your database as you did before.
I try to prevent SQL injection in SQL query. I used following code to do it but unfortunately I faced some problem. The query is not running in oracle DB:
strQuery = @"SELECT PASSWORD FROM IBK_USERS where upper(user_id) =upper(:UserPrefix) AND user_suffix=:UserSufix AND STATUS_CODE='1'";
//strQuery = @"SELECT PASSWORD FROM IBK_CO_USERS where user_id = '" + UserPrefix + "' AND user_suffix='" + UserSufix + "' AND STATUS_CODE='1'";
try
{
ocommand = new OracleCommand();
if (db.GetConnection().State == ConnectionState.Open)
{
ocommand.CommandText = strQuery;
ocommand.Connection = db.GetConnection();
ocommand.Parameters.Add(":UserSufix", OracleDbType.Varchar2,ParameterDirection.Input);
ocommand.Parameters[":UserSufix"].Value = UserSufix;
ocommand.Parameters.Add(":UserPrefix", OracleDbType.Varchar2,ParameterDirection.Input);
ocommand.Parameters[":UserPrefix"].Value = UserPrefix.ToUpper();
odatareader = ocommand.ExecuteReader();
odatareader.Read();
if (odatareader.HasRows)
{
Your parameter names shouldn't contain the colon (:). In the query text it is just the marker that the name following it is a parameter, but you don't have to supply it on the .NET side:
ocommand.Parameters["UserSufix"].Value = ...
Here is my Code:
Dim CompanyName, _
CompanyDomain, _
CompanyEmail, _
CompanySupportPhone
Call GetEmailList
Sub GetEmailList
dim sql
dim companydata
sql = ""
sql = sql & " DECLARE @CompanyName VARCHAR(100);"
sql = sql & " DECLARE @CompanyDomain VARCHAR(100);"
sql = sql & " DECLARE @CompanyActivityEmail VARCHAR(100);"
sql = sql & " DECLARE @CompanySupportPhone VARCHAR(100);"
sql = sql & " SELECT"
sql = sql & " @CompanyName = CASE WHEN Setting = 'CompanyName'"
sql = sql & " THEN StringValue ELSE @CompanyName END,"
sql = sql & " @CompanyDomain = CASE WHEN Setting = 'CompanyDomain'"
sql = sql & " THEN StringValue ELSE @CompanyDomain END,"
sql = sql & " @CompanyActivityEmail = CASE WHEN Setting = 'CompanyActivityEmail'"
sql = sql & " THEN StringValue ELSE @CompanyActivityEmail END,"
sql = sql & " @CompanySupportPhone = CASE WHEN Setting = 'CompanySupportPhone'"
sql = sql & " THEN StringValue ELSE @CompanySupportPhone END"
sql = sql & " FROM ClientSettings"
sql = sql & " WHERE Setting in ('CompanyDomain','CompanyActivityEmail','CompanySupportPhone','CompanyName')"
sql = sql & " SELECT ISNULL(@CompanyName, '') AS CompanyName, ISNULL(@CompanyDomain, '') AS CompanyDomain, ISNULL(@CompanyActivityEmail, '') AS CompanyEmail, ISNULL(@CompanySupportPhone, '') AS CompanySupportPhone"
set companydata = getRecordset(sql)
CompanyName = companydata("CompanyName") ' LINE 80
CompanyDomain = companydata("CompanyDomain")
CompanyEmail = companydata("CompanyEmail")
CompanySupportPhone = companydata("CompanySupportPhone")
companydata.Close
Set companydata = Nothing
End Sub
This throws an error:
Line 80
Item cannot be found in the collection corresponding to the requested name or ordinal.
I marked line 80 above. I run this exact same SQL in SQL Server Manager and it returns results:
CompanyName CompanyDomain CompanyEmail CompanySupportPhone
MyCompanyName http://localhost MyCompanyName@email.com 801-555-1212
Any idea what I am doing wrong here?
GetRecordSet correctly loads and processes the database call, this function works in 1,000 other places. I'm sure the problem isn't there.
Add
sql = sql & " SET NOCOUNT ON;"
as the first SQL statement.
SET NOCOUNT ON usage
I want to update a dataset in a DB2/AS400 table.
The problem is that if there is a string parameter in the parameter list, the command does not find a row to update.
For example: If I run the command only with the company number the command will succeed. If I run the command with the company number and facility number the command fails.
Does anyone have any idea?
IDbConnection cn = Tools.GetCnApp();
try
{
StringBuilder sql = new StringBuilder();
sql.AppendLine("UPDATE " + Tools.GetSchemeApp() + "/ChangeReasonAssignments");
sql.AppendLine(" SET Confirmed = @CONF, Confirmed_By = @CONFBY, Confirmed_At = @CONFAT");
sql.AppendLine(" WHERE Company = @CONO AND Facility = @FACI AND Department = @DEPT");
sql.AppendLine(" AND Production_Group = @PRGR AND Manufacturing_Order = @ORDR AND Order_Operation = @OPER");
sql.AppendLine(" AND Confirmed = 0");
IDbCommand cmd = cn.CreateCommand();
cmd.SetParameter("@CONO", this.CompanyNumber);
cmd.SetParameter("@FACI", this.FacilityNumber);
cmd.SetParameter("@DEPT", this.ProductionGroup.Department.Name);
cmd.SetParameter("@PRGR", this.ProductionGroup.Name);
cmd.SetParameter("@ORDR", this.ManufacturingNumber);
cmd.SetParameter("@OPER", this.OperationNumber);
cmd.SetParameter("@CONFBY", Base.User);
cmd.SetParameter("@CONFAT", DateTime.Now.ToString());
cmd.SetParameter("@CONF", 1);
cmd.CommandText = sql.ToString();
if (cmd.ExecuteNonQuery() > 0)
{
}
EDIT
The datatypes in database are:
Company: INTEGER
Facility: VARCHAR
Department: VARCHAR
Production_Group: VARCHAR
Manufacturing_Order: INTEGER
Order_Operation: INTEGER
The datatypes in .NET are:
CompanyNumber: int
FacilityNumber: String
Departmentname: String
ProductionGroup: String
Manufacturingorder: int
OrderOperation: int
sql.ToString() results:
UPDATE TSAEDBDEV/ChangeReasonAssignments SET Confirmed = @CONF, Confirmed_By = @CONFBY, Confirmed_At = @CONFAT WHERE Company = @CONO AND Facility = @FACI AND Confirmed = 0
Try wrapping the string values in ': cmd.SetParameter("@DEPT", "'" + this.ProductionGroup.Department.Name + "'");