Trouble with updating database data - sql

I'm having trouble with my UPDATE statement, in which I'm trying to update table data through a WHERE clause; it gives me a data mismatch error.
sqL = "UPDATE Customer SET name= '" & txtName.Text & "', adress= '" & txtAdress.Text & "', contact = '" & txtContact.Text & "' WHERE Customer_ID = '" & txtCustomerID.Text & "'"
I've also tried
sqL = "UPDATE Customer SET name= '" & txtName.Text & "', adress= '" & txtAdress.Text & "', contact = '" & txtContact.Text & "' WHERE Customer_ID = '" & Convert.ToInt32(txtCustomerID.Text) & "'"
with no luck.

Please use a parameterised query, which is much cleaner and safer.
If you are on C#:
using System.Data.SqlClient;

string sql = "UPDATE Customer SET name= @name, adress=@address, contact = @contact" +
             " WHERE Customer_ID = @id";
using (SqlConnection conn = new SqlConnection("yourConnectionString"))
{
    SqlCommand cmd = new SqlCommand(sql, conn);
    cmd.Parameters.AddWithValue("@name", txtName.Text);
    cmd.Parameters.AddWithValue("@address", txtAdress.Text);
    cmd.Parameters.AddWithValue("@contact", txtContact.Text);
    /*
    NOTE: Make sure Textbox value is convertible to Customer_ID data type
    before executing the query. It should be done before the using statement.
    Use string.Trim() method to remove any space characters at start/end
    */
    cmd.Parameters.AddWithValue("@id", txtCustomerID.Text.Trim());
    conn.Open();
    cmd.ExecuteNonQuery();
}
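The same parameterized UPDATE in VB.NET, as an added example that is not part of the answer above: it validates the ID with Integer.TryParse before touching the database, binds each value with an explicit SqlDbType instead of AddWithValue, and returns the row count from ExecuteNonQuery. The module name, function name and column sizes are assumptions; the table and column names (including the "adress" spelling) come from the question.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Public Module CustomerUpdate
    ' Hypothetical helper, not from the question: updates one Customer row
    ' with typed parameters and returns the number of rows affected.
    ' Returns -1 when the ID text is not a valid integer, so the caller can
    ' report the bad input instead of getting a data type error from SQL Server.
    Public Function UpdateCustomer(connectionString As String,
                                   idText As String,
                                   name As String,
                                   address As String,
                                   contact As String) As Integer
        ' Validate and convert the ID before opening a connection.
        Dim customerId As Integer
        If Not Integer.TryParse(idText.Trim(), customerId) Then
            Return -1
        End If

        ' Placeholders instead of concatenation: the values never become part
        ' of the SQL text, so an apostrophe in a name is just data.
        Dim sql As String =
            "UPDATE Customer SET name = @name, adress = @address, contact = @contact " &
            "WHERE Customer_ID = @id"

        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand(sql, conn)
                ' Explicit types and sizes (assumed here) avoid AddWithValue
                ' inferring NVARCHAR for every value, including the integer ID.
                cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name
                cmd.Parameters.Add("@address", SqlDbType.NVarChar, 200).Value = address
                cmd.Parameters.Add("@contact", SqlDbType.NVarChar, 50).Value = contact
                cmd.Parameters.Add("@id", SqlDbType.Int).Value = customerId

                conn.Open()
                ' 0 means no row had that Customer_ID; 1 means the update happened.
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function
End Module
```

Checking the returned count is the cheapest way to tell "wrong ID" apart from "update succeeded", since neither raises an exception.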

It looks like the data type of Customer_ID is an int. In that case, remove the single quotes from around your convert statement.
sqL = "UPDATE Customer SET name= '" & txtName.Text & "', adress= '" & txtAdress.Text & "', contact = '" & txtContact.Text & "' WHERE Customer_ID = " & Convert.ToInt32(txtCustomerID.Text)
But do double check the data type in your table to be sure.

Your query will not compile:
The string concatenation operator in C# is the plus sign, not the ampersand.
However, as kaf advised, always use parametrized queries.
Try using a plus sign instead of an ampersand.
"UPDATE Customer SET name= '" + txtName.Text + "', adress= '" + txtAdress.Text + "', contact = '" + txtContact.Text + "' WHERE Customer_ID = '" + txtCustomerID.Text + "'"
If customer ID is an int, convert it to an int.

Related

Incorrect Syntax Near "("

So I was trying to update my database using buttons in VB.Net. I tried following different syntax in updating tables, but it still comes up with the same error. It is so frustrating because we are running out of time to finish our system because of this. Please help me :'(
So this is my code, which will be called after the button is clicked. What is wrong with my syntax here?
Public Sub UpdateClient(Client_ID As Integer, _ClientName As String, _Company_Add As String, _Email_Add As String,
_Tin_No As String, _Contact_Person As String, _Mobile_No As String, _Telephone_No As String,
_Remarks As String, _User As String)
Try
Dim strInsert As String = "UPDATE CLIENTS SET (ClientID = '" & Client_ID & "', ClientName = '" & _ClientName & "', Company_Add = '" & _Company_Add & "', Email_Add = '" & _Email_Add & "', Tin_No = '" & _Tin_No & "', Contact_Person = '" & _Contact_Person & "', Mobile_No = '" & _Mobile_No & "', Telephone_No = '" & _Telephone_No & "', Remarks = '" & _Remarks & "', User_ = '" & _User & "') WHERE (ClientID = '" & Client_ID & "') "
SQLCon.Open()
SqlCmd = New SqlCommand(strInsert, SQLCon)
SqlCmd.ExecuteNonQuery()
SQLCon.Close()
Catch ex As Exception
MsgBox(ex.Message)
End Try
End Sub
Then here is my code on the button event:
Public Sub Update_Client()
SQL.UpdateClient(ClientIDLabel1.Text, txtCnamee.Text, txtCadd.Text, txtEadd.Text, txtTin.Text, txtCper.Text, txtMno.Text, txtTel.Text, txtRem.Text, User_Label1.Text)
End Sub
I'm pretty sure the error is in my sql string. What could it be? Please please help me :'(
P.s. I'm new to using VB.Net. Please bear with me :( Thank you.
Here is the immediate problem with your code: the syntax of UPDATE is as follows:
UPDATE <table> SET <field1>=<value1>, <field2>=<value2> ...
Note that the list of variables that you set is not enclosed in parentheses. You need to remove ( and ) from your parenthesized list to fix the syntax problem in your SQL:
Dim strInsert As String = "UPDATE CLIENTS SET ClientID = '" & Client_ID & "', ClientName = '" & _ClientName & "', Company_Add = '" & _Company_Add & "', Email_Add = '" & _Email_Add & "', Tin_No = '" & _Tin_No & "', Contact_Person = '" & _Contact_Person & "', Mobile_No = '" & _Mobile_No & "', Telephone_No = '" & _Telephone_No & "', Remarks = '" & _Remarks & "', User_ = '" & _User & "' WHERE (ClientID = '" & Client_ID & "') "
However, there is a much bigger problem: your program can be broken by SQL injection attacks, which is very dangerous. You need to rewrite your SQL to accept parameters, and use parameterized SQL to fix this vulnerability. See an answer to this question for a quick example of how to parameterize your query.

Select query doesn't bring back values even though criteria is met VB.NET

Hello I'm coding a query that finds the shift if the date is correct and the username of the shift employee is selected. Usually there would be 7 labels for each day of the week but I narrowed it down for the sake of getting this part of the code to work, I've been stuck for an hour or so. Here is my code:
Dim strQuery as String = "SELECT [Time] FROM [ShiftDetails]" +
" WHERE ([Day] = '" & Label2.Text & "' & [Username] = '" & TextBox1.Text & "') " +
"Or ([Day] = '" & Label3.Text & "' & [Username] = '" & cboUser.Text & "')"
myCommand = New OleDbCommand(strQuery, myConnection)
Or here it is with colored syntax
http://prntscr.com/5oo6wz
When I did breakpoints I saw that the label is the actual date and the text is the username, so there's nothing wrong with the label/textbox, I don't think.
Don't use & for join conditions; use AND:
myCommand = New OleDbCommand("SELECT DISTINCT [Time] FROM [ShiftDetails] WHERE ([Day] = '" & Label2.Text & "' AND [Username] = '" & TextBox1.Text & "') Or ([Day] = '" & Label3.Text & "' AND [Username] = '" & cboUser.Text & "')", myConnection)
Also, I hope this is your test query and not the real one, as it is prone to SQL injection.

SQL access 2007 query error "Data type mismatch in criteria expression."

I'm trying to make a query in Access 2007, but it keeps giving me this error
Data type mismatch in criteria expression.
The query is
Dim SqlQuery As String = "UPDATE FullNameTable
SET FirstName = '" & fname.Text & "',
MiddleName = '" & mname.Text & "',
LastName = '" & lname.Text & "'
WHERE ID = '" & id & "'"
Why do I get this error?
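An added example, not from the question, of the same Access UPDATE through OleDb parameters: OleDb binds parameters by position, so each ? marker is filled in the order the parameters are added, and the ID is bound as an Integer rather than embedded as a quoted string, so the value and the column carry the same type. The module name, function name and VarWChar sizes are assumptions; the table and column names come from the question.

```vbnet
Imports System.Data
Imports System.Data.OleDb

Public Module FullNameUpdate
    ' Hypothetical helper, not from the question: runs the UPDATE with OleDb
    ' parameters and returns the number of rows affected.
    ' The Access OLE DB provider ignores parameter names and binds by position,
    ' so the Add calls below must follow the order of the ? markers in the SQL.
    Public Function UpdateFullName(connectionString As String,
                                   id As Integer,
                                   firstName As String,
                                   middleName As String,
                                   lastName As String) As Integer
        Dim sql As String =
            "UPDATE FullNameTable SET FirstName = ?, MiddleName = ?, LastName = ? " &
            "WHERE ID = ?"

        Using conn As New OleDbConnection(connectionString)
            Using cmd As New OleDbCommand(sql, conn)
                ' 1st, 2nd, 3rd markers: the three text columns (sizes assumed).
                cmd.Parameters.Add("@FirstName", OleDbType.VarWChar, 50).Value = firstName
                cmd.Parameters.Add("@MiddleName", OleDbType.VarWChar, 50).Value = middleName
                cmd.Parameters.Add("@LastName", OleDbType.VarWChar, 50).Value = lastName
                ' 4th marker: the ID as a number, not as text inside quotes.
                cmd.Parameters.Add("@ID", OleDbType.Integer).Value = id

                conn.Open()
                ' 0 means no row had that ID; 1 means the row was updated.
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function
End Module
```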

VBA SQL Syntax Problems

I have the following SQL:
SQL = "UPDATE [TBLTMP] SET TBLTMP24 '" & Me.TOWN & "' WHERE TBLTMP00 = '" & "1" & "';"
Table name TBLTMP
Field to update TBLTMP24
Record to update TBLTMP00
I want to store the value of 'Me.Town' in the field TBLTMP24 which is in the table TBLTMP, record number 1. Anyone have any ideas what might work?
You're missing an = in your SQL statement after TBLTMP24. Your statement should be:
SQL = "UPDATE [TBLTMP] SET TBLTMP24 = '" & Me.TOWN & "' WHERE TBLTMP00 = '" & "1" & "';"
I think all you need is to add = into your query, like below:
SQL = "UPDATE TBLTMP SET TBLTMP24 = '" & Me.TOWN & "' WHERE TBLTMP00 = '" & "1" & "';"
If you want to change some columns add commas, like below:
SQL = "UPDATE TBLTMP SET TBLTMP24 = '" & Me.TOWN & "', another_col = '" & Me.another & "' WHERE TBLTMP00 = '" & "1" & "';"

Update sql command in vb.net flaws?

I have this code, made by myself through researching.
It returns no error; it updates some of the data entered in the textboxes, but not all the fields.
I checked the code near the fields that are updating to compare it with the textboxes that do not update,
but I don't see the difference; it just doesn't update all fields, only some fields.
Dim sqlconn As New SqlClient.SqlConnection
sqlconn.ConnectionString = "server = SKPI-APPS1;" & _
"Database = EOEMS;integrated security=true"
Dim myCommand As SqlCommand
Try
'update command
sqlconn.Open()
myCommand = New SqlCommand(
"UPDATE tblOfficeEquipmentProfile SET OE_Category = '" & cmbCategory.Text
& "',OE_SubCategory = '" & cmbSubCategory.Text
& "', OE_Name = '" & txtName.Text
& "', OE_User = '" & txtUser.Text
& "', OE_Brand = '" & cmbBrand.Text
& "', OE_Model = '" & cmbModel.Text
& "', OE_Specs = '" & txtSpecs.Text
& "', OE_SerialNo = '" & txtSerialNo.Text
& "', OE_PropertyNo = '" & txtPropertyNo.Text
& "', OE_MacAddress = '" & txtMacAddress.Text
& "', OE_Static_IP = '" & txtStaticIp.Text
& "', OE_Vendor = '" & cmbVendor.Text
& "', OE_PurchaseDate = '" & txtPurchaseDate.Text
& "', OE_WarrantyInclusiveYear = '" & cmbWarrantyInclusiveYear.Text
& "', OE_WarrantyStatus = '" & txtWarrantyStatus.Text
& "', OE_Status = '" & txtStatus.Text
& "', OE_Dept_Code = '" & cmbDeptCode.Text
& "', OE_Location_Code = '" & cmbLocationCode.Text
& "', OE_Remarks ='" & cmbRemarks.Text
& "' WHERE OE_ID = '" & txtOEID.Text & "'", sqlconn)
' ^^ (edited to separate lines for ease of viewing )
myCommand.ExecuteNonQuery()
MessageBox.Show("Office Equipment Profile Successfully Updated Records")
Catch ex As Exception
MsgBox(ex.Message)
End Try
Some troubleshooting suggestions:
Try a pattern like this:
Dim SQL As String = "UPDATE STaff Set Initials='RCH' WHERE Initials = 'RCH'"
myCommand = New SqlCommand(SQL, sqlconn)
Dim iCnt As Integer = myCommand.ExecuteNonQuery()
MessageBox.Show("Office Equipment Profile Successfully Updated " & iCnt & " Records")
Place a breakpoint on the second line and use the Text Visualizer to look at the SQL. You can also copy it and use in some other query tool to work on it and find the errors.
Also, capture the number of records changed (iCnt above) and do some QA and/or debug.
Injection: While your project may not be exposed to an injection attack, you can step on yourself by not making sure that the .Text values don't break the SQL. For example, if any of the .Text values contains an apostrophe, the SQL will fail. You can write a Function to replace ' with '' and you'll be safe.
Or do each: OE_Location_Code = '" & cmbLocationCode.Text.replace("'","''")
This will convert "Fred's Room" to "Fred''s Room"