In order to test whether a particular query against an MS Access "database" should be returning any records (it's not), I am running it in Access like so:
SELECT TOP 5 t_accounts.account_no as AccountID, IIF(ISNULL(t_accounts.name),'[blank]',t_accounts.name) AS Name
FROM t_accounts
INNER JOIN td_department_accounts ON (t_accounts.account_no = td_department_accounts.account_no)
WHERE (AccountID >= 1) AND type = 'DE'
The "Top 5" and the "AccountID >= 1" are hardcoded versions of what I'm using in the code:
cmd.CommandText =
string.Format(
#"SELECT TOP {0} t_accounts.account_no as AccountID, IIF(ISNULL(t_accounts.name),'[blank]',t_accounts.name) AS Name
FROM t_accounts
INNER JOIN td_department_accounts ON (t_accounts.account_no = td_department_accounts.account_no)
WHERE (AccountID >= #firstId) AND type = 'DE'", CountToFetch);
cmd.CommandType = CommandType.Text;
cmd.Parameters.AddWithValue("#firstId", FirstId);
Yet Access prompts me with:
(If I enter "1", it does then return a few records).
What must I do to get Access' query running process to straighten up and fly right? Or is it me that has vertigo?
UPDATE
Perhaps a clue is that with the C# code shown above, I get, "No value given for one or more required parameters." Why? The only parameter is firstId, and it's value is indeed supplied...?!?
UPDATE 2
Even though it works, running Code Analysis on it causes that august tool to wrinkle its brow, scowl, and growl:
CA2100 Review SQL queries for security vulnerabilities The query
string passed to 'OleDbCommand.CommandText.set(string)' in
'NRBQSQLRepository.GetNDepartmentsFromID(string, int)' could contain
the following variables 'CountToFetch'. If any of these variables
could come from user input, consider using a stored procedure or a
parameterized SQL query instead of building the query with string
concatenations.
From Why does Access want me to enter a parameter value?
Access displays the Enter Parameter Value dialog box when you open an
object that contains an identifier or expression that Access cannot
interpret.
In this case AccountID is the field alias for t_accounts.account_no. You tried to reference the field alias in the Where clause. You can't do that.
change
WHERE (AccountID >= 1) AND type = 'DE'
to
WHERE (t_accounts.account_no>= 1) AND type = 'DE'
Related
I have an SQL view, MyView, containing the column ID of type nvarchar.
I wish to create an Excel query which:
takes the values from a column in an Excel sheet,
composes a string corresponding to a WHERE clause for the ID column,
calls the SQL query using this parameter string.
As far as I can tell, I am trying to achieve something very analogous to
Excel cell Value as SQL query where statement
My solution is working fine on my own computer. However, when I try to share my solution with a colleague who has the same reading permissions for the database, I end up with a 'query referencing another query' problem which throws a formula.firewall error, and no data is loaded.
My solution is as follows:
I have created a data connection, Parameters, from the column named ID in Excel which contains my ID values:
let
Source = Excel.CurrentWorkbook(){[Name="Parameters"]}[Content],
#"Changed type" = Table.TransformColumnTypes(Source,{{"ID", type text}})
in
#"Changed type"
Next, I create my parameter string as a new data source, fnGetParameters:
let
Source = Excel.CurrentWorkbook(){[Name="Parameters"]}[Content],
AddString = Table.AddColumn(Source, "Custom", each "ID = " & "'" & [ID] & "' OR "),
RemoveID = Table.SelectColumns(AddString,{"Custom"}),
Custom = Text.Combine(RemoveID[Custom], ""),
Parameter = Text.Start(Custom,Text.Length(Custom)-4)
in
Parameter
which creates a nice string looking like e.g. 'ID = '1' OR ID = '2' OR ID = '3'' depending on the values in the column ID in Parameters.
Finally, I try to create my query:
let
Source = Sql.Database("MyServer", "MyDatabase",[Query="
SELECT *
FROM [MyDatabase].[dbo].[MyView]
WHERE " & fnGetParameters])
in
#"Source"
Incidentally, when removing the WHERE clause from the code above, it works fine on any computer:
let
Source = Sql.Database("MyServer", "MyDatabase",[Query="
SELECT *
FROM [MyDatabase].[dbo].[MyView]"])
in
#"Source"
so it is somehow the addition of the parameter string which causes an error.
When I run the code the line which filled my datatable says that there is no value given for one or more parameters
Order = New OleDb.OleDbDataAdapter("SELECT * FROM Orders WHERE
Driver_ID = " & ID, DBREF)
Order.Fill(dataODtable)
DGVorders.DataSource = dataODtable
The code says this:
An unhandled exception of type 'System.Data.OleDb.OleDbException'
occurred in System.Data.dll
Below is an image link to the database and table it is referencing.
(Database orders table)
If I try run the code without the where statement it runs without crashing.
The field DRIVER_ID is clearly a string, as such you need single quotes around the value you want to use for the WHERE clause.
But that would be wrong for a long list of reasons (Sql Injection, Parsing errors, automatic type conversion with incompatible locales).
So you really need to start using parameterized queries as soon as possible to avoid these misteps
Dim cmdText = "SELECT * FROM Orders WHERE Driver_ID = #drvID"
Order = New OleDb.OleDbDataAdapter(cmdText, DBREF)
Order.SelectCommand.Parameters.Add("#drvID", OleDbType.VarWChar).Value = ID
Order.Fill(dataODtable)
DGVorders.DataSource = dataODtable
Now the query is no more built concatenating together strings pieces (the main source for sql injection hacks) but you create a parameter object of the correct type and pass it to the database engine that will use it when needed.
Another benefit is the more clear code you get. In this case perhaps is not very evident but with more complex queries you will have a more clear understanding of what you are asking to do to the database.
You can try like this:
Order = New OleDb.OleDbDataAdapter("SELECT * FROM Orders WHERE
Driver_ID = '"& ID &"'", DBREF)
Order.Fill(dataODtable)
DGVorders.DataSource = dataODtable
maybe this will be the problem.
if Driver_ID is alphanumeric column, select query should be SELECT * FROM Orders WHERE Driver_ID = '" & ID & "' ;"
I'm currently using the following VB code to make a query against an Access Database, I would like to know is it possible to obtain what the SELECT statement that is being run and send that output to the console.
Dim QuestionConnectionQuery = New OleDb.OleDbCommand("SELECT Questions.QuestionID FROM Questions WHERE Questions.QuestionDifficulty=[X] AND ( Questions.LastDateRevealed Is Null OR Questions.LastDateRevealed < DateAdd('d',-2,Date() ) AND Questions.LastUsedKey NOT LIKE ""[Y]"" );", QuestionConnection)
QuestionConnectionQuery.Parameters.AddWithValue("X", questionDifficulty.ToString)
QuestionConnectionQuery.Parameters.AddWithValue("Y", strDatabaseKey)
Right now when I try to use: Console.WriteLine("Query: " & QuestionConnectionQuery.ToString)
I only get this:
Loop Question #1
Query: System.Data.OleDb.OleDbCommand
The short version comes down to this:
QuestionConnectionQuery.ToString
The QuestionConnectionQuery object is much more than just the text of your command. It's also the parameters, execution type, a timeout, and a number of other things. If you want the command text, ask for it:
QuestionConnectionQuery.CommandText
But that's only the first issue here.
Right now, your parameters are not defined correctly, so this query will never succeed. OleDb uses ? as the parameter placeholder. Then the order in which you add the parameters to the collection has to match the order in which the placeholder shows in the query. The code in your question just has X and Y directly for parameter placeholders. You want to do this:
Dim QuestionConnectionQuery AS New OleDb.OleDbCommand("SELECT Questions.QuestionID FROM Questions WHERE Questions.QuestionDifficulty= ? AND ( Questions.LastDateRevealed Is Null OR Questions.LastDateRevealed < DateAdd('d',-2, Date() ) AND Questions.LastUsedKey NOT LIKE ? );", QuestionConnection)
QuestionConnectionQuery.Parameters.Add("?", OleDbType.Integer).Value = questionDifficulty
QuestionConnectionQuery.Parameters.Add("?", OleDbType.VarChar, 20).Value = strDatabaseKey
I had to guess at the type and lengths of your parameters. Adjust that to match the actual types and lengths of the columns in your database.
Once you have made these fixes, this next thing to understand is that the completed query never exists. The whole point of parameterized queries is parameter data is never substituted directly into the sql command text, not even by the database engine. This keeps user data separated from the command and prevents any possibility of sql injection attacks.
While I'm here, you may also want to examine the WHERE conditions in your query. The WHERE clause currently looks like this:
WHERE A AND ( B OR C AND D )
Whenever you see an AND next to an OR like that, within the same parenthetical section, I have to stop and ask if that's what is really intended, or whether you should instead close the parentheses before the final AND condition:
WHERE A AND (B OR C) AND D
This will fetch the command text and swap in the parameter values. It isnt necessarily valid SQL, the NET Provider objects haven't escaped things yet, but you can see what the values are and what the order is for debugging:
Function GetFullCommandSQL(cmd As Data.Common.DbCommand) As String
Dim sql = cmd.CommandText
For Each p As Data.Common.DbParameter In cmd.Parameters
If sql.Contains(p.ParameterName) AndAlso p.Value IsNot Nothing Then
If p.Value.GetType Is GetType(String) Then
sql = sql.Replace(p.ParameterName,
String.Format("'{0}'", p.Value.ToString))
Else
sql = sql.Replace(p.ParameterName, p.Value.ToString)
End If
End If
Next
Return sql
End Function
Given the following SQL:
Dim sql = "INSERT INTO Demo (`Name`, StartDate, HP, Active) VALUES (#name, #start, #hp, #act)"
After parameters are supplied, you can get back this:
INSERT INTO Demo (`Name`, StartDate, HP, Active) VALUES ('johnny', 2/11/2010 12:00:00 AM, 6, True)
It would need to be modified to work with OleDB '?' type parameter placeholders. But it will work if the DbCommand object was created by an OleDBCOmmandBuilder, since it uses "#pN" internally.
To get or set the text of the command that will be run, use the CommandText property.
To print the results, you need to actually execute the query. Call its ExecuteReader method to get an OleDbDataReader. You can use that to iterate over the rows.
Dim reader = QuestionConnectionQuery.ExecuteReader()
While reader.Read
Console.WriteLine(reader.GetValue(0))
End While
reader.Close()
If you know the data type of the column(s) ahead of time, you can use the type-specific methods like GetInt32. If you have multiple columns, change the 0 in this example to the zero-based index of the column you want.
Access 2013 - Reference an Unbound text box on a Form
I am currently trying to use an unbound text box [Text161] on a Form name [DCM_Gap_Servers] to sort information through a table. I want the query that I created to be able to take the users input from [DCM_Gap_Servers]![Text161] as the field that is being sorted from the table names 'Server'.
This is the SQL I am using right now in the query:
SELECT * FROM Servers WHERE "Forms![DCM_Gap_Servers]![Text161]" IS NULL
** I have already Tried:
"Forms![DCM_Gap_Servers]![Text161]" ; (Forms![DCM_Gap_Servers]![Text161]); Forms.[DCM_Gap_Servers]![Text161]
This will work at any time if I replace the Text Box reference with the actual Field name I am using, but since there are hundreds of combinations of fields, I need the reference to work.
I have looked all over, and I can't seem to find the correct answer. I am willing to do it in VBA if needed, whatever it takes to get the filtering done correctly.
Thank You.
It is:
SELECT * FROM Servers WHERE Forms.[DCM_Gap_Servers].[Text161] IS NULL
but that will just select all records whenever your textbox is Null.
So it rather is:
SELECT * FROM Servers WHERE SomeField = Forms.[DCM_Gap_Servers].[Text161]
To use the form value as a field name, you must use concatenated SQL:
strSQL = "SELECT * FROM Servers WHERE " & Forms![DCM_Gap_Servers]![Text161].Value & " IS NULL"
This you might pass to the SQL property of an existing query object:
MyQueryDef.SQL = strSQL
Or:
Constant SQL As String = "SELECT * FROM Servers WHERE {0} IS NULL"
FieldName = Forms![DCM_Gap_Servers]![Text161].Value
MyQueryDef.SQL = Replace(strSQL, "{0}", FieldName)
Of course, take care the the field name isn't a zero length string.
I have a report builder 3.0 report that has several parameters on it. Specifically, an account number (Defined as char(12) in the database). The database is a vendor supplied database, so I have zero control over the database schema.
My question is when I have a free form parameter for account id, how is that transformed into the query sent to the sql database?
The way I handle these free form fields is that I have a user defined function:
Public Function ConvertStringtoArray(sourceString as String) As string()
Dim arrayOfStrings() As String
Dim emptyString as String = " "
If String.IsNullOrEmpty(sourceString) Then
arrayOfStrings = emptyString.Split(",")
Else
arrayOfStrings = sourceString.Replace(" ", "").Split(",")
End If
return arrayOfStrings
End Function
And the parameter is defined as:
#AcctList = code.ConvertStringToArray(Parameters!AcctList.Value)
The sql query has this in the where clause:
Ac.Account_ID In (#AcctList)
My question is how does it build the In Clause. Will it literally be something like:
Where Ac.Account_ID In (N'Acct1',N'Acct2').
I'm thinking it is, and the reason I think it's important is the query when I am running it in SSMS will run in less than 1 Second if my where clause has Where Ac.Account_ID In ('TGIF').. But it will take 13+ Seconds if I have Where Ac.Account_ID In (N'TGIF'). The total dataset returned is only 917 Rows.
The database I am querying is a 2008 R2 SP2, with the compatibility set to SQL 2008.
You assumption is correct for the predicate of 'where thing in (#parameter)' actually being 'where thing in ('value1', 'value2', etc). Provided that #parameter allows multiple values. However you can tie a parameter to a query as well as using code. You can have a dataset other than your main dataset like a simple 'Select value from values' where the values would be a table of values needed for a parameter choice. This is often much more efficient unless you have to do a string split.