"insert int register(name1,phone_no) values('" + sname.Text + "','" + phone_no.Text + "')"
The above query is not working in vb.net 2010.I'm using access database.A syntax error is showing in insert query statement.Can anybody help me...
Is this query verbatim from your code? If so, you misspelled "into":
insert into register(name1,phone_no) values('" + sname.Text + "','" + phone_no.Text + "')
It's worth pointing out, though, that you should be validating your input text to avoid sql injection attacks.
Related
I am trying to write basic insert statement. I have columns with date type. In C# I get datetimepicker value and convert it to string, then try to insert it with to_date. But it shows ORA-01756: quoted string not properly terminated. I found question related to this error, but it is not the same with my case. What is wrong with my script:
"Insert Into Booklets (id, exam, number_of_booklets, who_gave, when_gave, return_date) values(booklet_seq.NEXTVAL, '" + exam + "', '" + bookletNumbers + "', '" + whoGaveId + "', '" + "to_date(" + gaveTime + ", 'DD/MM/YYYY'))"
As Abra mentioned, you are ending up with
values ( ...., to_date(20/01/2020,'DD/MM/YYYY'), ... )
when you need to have
values ( ...., to_date('20/01/2020','DD/MM/YYYY'), ... )
but please, please, please do not proceed with the formatting of a SQL statement in this way if this is going to be building a true application for your workplace.
Building SQL statements by concatenation is probably the number 1 way people get hacked.
Here's a video I did on this, showing that there are tools out there that can hack your application in just a few minutes the moment you head down this path
https://youtu.be/GRh800IvllY
Binding makes your SQL immune to such hacks, eg
string sql = "select department_name from departments where department_id = " +
":department_id";
OracleCommand cmd = new OracleCommand(sql, conn);
cmd.CommandType = CommandType.Text;
OracleParameter p_department_id = new OracleParameter();
p_department_id.OracleDbType = OracleDbType.Decimal;
p_department_id.Value = 20;
cmd.Parameters.Add(p_department_id);
I'm making this program on Vb.net 2012 that has a connection to SQL Server 2012.
One of the columns of this database table is Description, and in some cases the date may include apostrophes, for example... 'chainsaw 15'3" X 1 1/2 X .050 X 3/4'
When I run the query the apostrophe that is between the data causes an error at the syntax of the query, this is the query line in VB.net.
CMD.CommandText =
"INSERT INTO Table_ARTICLES
(NUMPART, DESCRIPTION, LOCATION, MAX, ACTUAL, MIN, Unidad_de_medida)
VALUES ('" & txtNumParte.Text & "', '" & txtDescripcion.Text & "',
'" & txtLocaclizacion.Text & "', '" & txtMaximo.Text & "', '" & txtActual.Text & "',
'" & txtMin.Text & "', '" & cmbUnidad.Text & "')"
Does anybody know how to make this query accept those characters on the query?
As #pmbAustin pointed out, is a terrible idea to build sql statements via string concatenation due to SQL Injection attacks and other problems. The approach you should use is called a parametrized query:
CMD.CommandText = "INSERT INTO (NUMPART, DESCRIPTION, LOCATION, MAX, ACTUAL,
MIN, Unidad_de_medida)
VALUES (#NUMPART, #DESCRIPTION,#LOCATION,#MAX,#ACTUAL,#MIN,#UNIDAD_DE_MEDIDA)"
And then:
CMD.Parameters.Add("#NUMPART",txtNumParte.Text);
CMD.Parameters.Add("#DESCRIPTION",txtDescripcion.Text);
//...and so on
CMD.ExecuteNonQuery();
Please use parameterized SQL (i.e. stored procedures) to prevent SQL injection and the like.
As for your question, you would want to replace the single quote (apostrophe) with two single quotes before you add it as a parameter. This way the first one acts as an escape character which will allow for the apostrophe to be inserted into the database.
Example:
txtNumParte.Text.Replace("'", "''")
I have the following INSERT statement:
Dim SQLstr As String = "INSERT INTO dbo.OrderDetail (SysOrg, oID, pID, Qty, UntPrice)
VALUES ('" + sOrg + "','" + oID + "','" + pID + "','" + pQty + "',(CONVERT(Decimal,'" + pPrice + "')))"
It works fine in Visual Studio. But throws an error on the web server:
Error converting data type varchar to numeric
My connection string is connecting to the same remote database. What can I do?
This question already has answers here:
Problem with querying sql server from vb
(3 answers)
Closed 2 years ago.
i am having this problem for quite some time now and cannot figure out the solution..
i have a productid that i get as a result of sql query. The data type of productid in database is int
Dim scheduleid As Integer
cmd.CommandText = "Insert into DeploymentSchedules (scheduleName) values('Schedule');select Scope_Identity();"
scheduleid = cmd.ExecuteScalar()
Now when i want to insert it into another table ...
cmd.CommandText = "Insert into
locationsSchedule(LocationName,length,width,height,floor,walls,permIeter,scheduleid)
values('" + strRoomName + "','" + txtLength.Text + "','" + txtWidth.Text + "','" +
txtHeight.Text + "','" + wallSTring + "','" + floorString + "','" + perimeterStrin +
"','" + scheduleid + "')"
cmd.ExecuteScalar()
I am having error
Conversion from string "Insert into locationsSchedule(Lo" to type 'Double'
is not valid.
I know it has something to do with integer as when i remove product id it is working .Please help
THank you
You have ' around your scheduleid which will cast the int to string. Remove them and all should be fine (maybe you have to do this for other columns also):
"'," + scheduleid + ")"
BTW: Ever heard of SQL-Injection?
Does changing from
cmd.ExecuteScalar()
to
cmd.ExecuteNonQuery()
remove the error for you?
In your first example you are returning the recently created unique id for the row. In the second query you're not. Either change as shown here or return an integer from your query.
Oh, and look at other ways of building SQL strings (parametrised queries!)
code:
string query1 = #"UPDATE global_mapping set escape_id = " +
dataGridView1.Rows[i].Cells[2].Value + ",function_id = " +
dataGridView1.Rows[i].Cells[3].Value + ",function_name = '" +
dataGridView1.Rows[i].Cells[4].Value + "',parameter_name = '" +
dataGridView1.Rows[i].Cells[5].Value + "',parameter_validity = '" +
dataGridView1.Rows[i].Cells[6].Value + "',statusparameter_id = " +
dataGridView1.Rows[i].Cells[7].Value + ",acb_datatype = '" +
dataGridView1.Rows[i].Cells[8].Value + "',data_type_id = " +
dataGridView1.Rows[i].Cells[9].Value + ",bit_size = " +
dataGridView1.Rows[i].Cells[10].Value + ",validity_status ='" +
dataGridView1.Rows[i].Cells[11].Value + "',validity_func = '" +
dataGridView1.Rows[i].Cells[12].Value + "'WHERE global_mapping.parameter_id =" +
dataGridView1.Rows[i].Cells[1].Value + "";
OleDbCommand cmd1 = new OleDbCommand(query1, conn);
cmd1.ExecuteNonQuery();
code ends:
When I execute the above code I get an error stating "Syntax error in Update statement".
Can someone please tell me how to resolve this?
It looks like you need to add a space before your WHERE clause.
Hope this helps,
Bill
Wow. Can we say... SQL Injection?
Try using Parameters. Not only will you protect yourself, but your SQL will become MUCH more readable.
Never use string concatenation for building SQL queries. Use SQL parameters.
Yikes!
Please provide the final query1 value and try to format it so we can get a better picture of it. My guess is a missing ' or something.
I'd say you're missing some quotes in there but your code is such a pig-sty I can't tell. If you won't fix your code then at the minimum give us a dump of query1 so we can read your actual query.
And use parameters or stored procedures like the previous responses said. All it takes is one of your variables to get overwritten with something nasty and your server will be wide open to anyone deleting your tables or worse.
Even if this is a local "safe" database you should unlearn your bad habits now.
Put
Console.WriteLine(query1)
before OleDbCommand cmd1 = new OleDbCommand(query1, conn);
See the value of query1 printed to console window.
Does the SQL Statement look OK? I guess not - you will now be able to find a field which is non-numeric and is blank in the grid.
And, use parameters as others have said.