How to use variables declared in the asp VB can be used in the SQL statement for classic ASP?
Problem:
I have a variable
dim username
username = Request.Form("username")
Now I want to use this variable in where clause in the sql statement as shown below:
adoRS.Source = "SELECT * FROM admin WHERE username= //This is where I want this variable to be..
What is the right syntax? Thankyou
dim username
username = Request.Form("username")
adoRS.Source = "SELECT * FROM admin WHERE username= '"+userName+"'"
Related
I have the following sql which I am trying to update through Excel VBA to MS Access database.
strSQL = "update validations set where_clause = 'purp_cd in('P1590','S1590','P1591','S1591')'
where row_id = 37"
This give a syntax error. I would like to get the syntax error eliminated
Help is sought from experts in this group
Venugopal
You have quotes inside your quoted string. Try double quoting the values:
strSQL = "update validations set where_clause = 'purp_cd in (''P1590'', ''S1590'', ''P1591'', ''S1591'')' where row_id = 37"
I'm trying to figure out if there is a better way to do this
Dim cmd As New SqlCommand
Dim sel As String
Dim obj As New DataHandler
sel = String.Format("SELECT * FROM Customers WHERE Country LIKE '{0}%'", txt_Input.Text)
cmd.CommandText = sel
Me.dgv_Customers.DataSource = obj.SqlDataRetriever(cmd)
Basically what im trying to do is have a textbox that whenever I type a letter, the grid refreshes itself by sending a Query to my SQL server searching for whatever its in the textbox using the LIKE() from SQL. I've been reading about SQL injection and so far everyone suggests to use parameter values (#value) for user input, but if I try to replace the {0} with that it doesn't work. I just wanna make sure that this is a valid way of doing this.
Thanks
Instead just concatenate the string like below. You should consider using parameterized query to avoid SQL Injection.
sel = "SELECT * FROM Customers WHERE Country LIKE '" + txt_Input.Text + "%'";
Use a parameterized query rather. See This Post
Dim cmd as New SqlCommand("SELECT * FROM Customers WHERE Country LIKE #param")
cmd.Parameters.Add("#param", txt_Input.Text +"%")
I have some trouble to debugging my query in vb.net.
I just wanna get full query with value inside it. I use parameters to add value in my query.
This is my code:
'Select query
Dim stm As String = "SELECT *, FORMAT(NOW(),'DD-MM-YYYY HH:NN:SS') as waktu FROM [user] WHERE [username]=? AND [password]=? AND active=TRUE"
Dim cmd As OleDbCommand = New OleDbCommand(stm, db)
'Parameters
Using md5Hash As MD5 = MD5.Create()
Dim pwd As String = GetMd5Hash(md5Hash, Me.tx_password.Text)
cmd.Parameters.Add("p1", OleDbType.VarChar, 25).Value = Me.tx_username.Text
cmd.Parameters.Add("p2", OleDbType.VarChar, 32).Value = pwd
End Using
'Execute Query
MsgBox(stm)
Dim reader As OleDbDataReader = cmd.ExecuteReader(CommandBehavior.SingleRow)
With this code, I just get result like this:
SELECT *, FORMAT(NOW(),'DD-MM-YYYY HH:NN:SS') as waktu FROM [user]
WHERE [username]=? AND [password]=? AND active=TRUE
How to get result like this:
SELECT *, FORMAT(NOW(),'DD-MM-YYYY HH:NN:SS') as waktu FROM [user]
WHERE [username]='adminUser' AND [password]='adminPassword' AND active=TRUE
Parameters are not concatenated into the command, they are sent separately to the database. Otherwise there will be no difference between using a parameterized query and using a concatenated one. (see the answer to a similar question here.)
This means that in order to debug your queries you will have to work a little harder then if your sql was concatenated by the vb.net code.
If your database supports stored procedure I recommend you start using them instead of parameterized queries. You will probably gain performance, and it will be easier to debug.
If not, you can copy the query as is to the sql editor, and use one of the debugger options to get the values of the parameters and copy them one by one to the sql editor.
Place this code below you have added the parameters and you'll have in debugSQL the SQL statement which will be executed
Dim debugSQL As String = cmd.CommandText
For Each param As SqlParameter In cmd.Parameters
debugSQL = debugSQL.Replace(debugSQL.ParameterName, debugSQL.Value.ToString())
Next
I have a registration form for users to submit and then when they click the activation link in their email, it activates their account (AccountActivated = true). This works fine, however, I also have a column called DateActivated set to smallinttime as the data type. I'm trying to find an SQL query that records the date that the account was activated.
This is the query I use to activate the account, so I'm guessing I need something similar to this:
Dim sqlQuery As String = "UPDATE RegisteredUsers SET AccountActivated=1 WHERE
UserId=#UserId AND UMaryEmail=#txtEmailAddress"
So maybe something like this?
Dim sqlQuery2 As String = "UPDATE RegisteredUsers SET DateActivated=?? WHERE
UserId=#UserId AND UMaryEmail=#txtEmailAddress"
If someone could weigh in on this and let me know what the command is to set current date to the field, I'd greatly appreciate it.
You can do it all in the same query:
Dim sqlQuery As String = "UPDATE RegisteredUsers SET AccountActivated=1,DateActivated=GetDate() WHERE UserId=#UserId AND UMaryEmail=#txtEmailAddress"
In Access 2007, I'm trying to use the NTlogin to retrieve a value from a table via a SQL query (see code below). WHen the form loads, I get an error message saying "Compile Error: Expected Function or Variable". Can someone tell me how to fix this error.
Private Sub Form_Load()
Dim UserName As String
Dim strSQL As String
Dim strDept As String
UserName = Environ("USERNAME")
strSQL = "SELECT DEPT FROM IDs WHERE NTLOGIN =" & UserName
strDept = DoCmd.RunSQL(strSQL)
cmdSave.Enabled = False
cmdEdit.Enabled = True
cmdPrevious.Enabled = True
cmdNext.Enabled = True
End Sub
I haven't touched Access for some time, so I don't recall: is Environ("USERNAME") returning the USERNAME environment variable?
If so, then you have a security hole in your code. Specifically, you're open to a SQL Injection attack.
Imagine that before they run Access, a user sets the USERNAME environment variable to something like
''; DROP TABLE IDS;
In that case, you'll be executing the statement:
SELECT DEPT FROM IDs WHERE NTLOGIN =''; DROP TABLE IDS;
You may not want that to happen...
You cannot use RunSQL with a select statement. It is only for action queries.
If you want a recordset, you can say, amongst other things:
strSQL = "SELECT DEPT FROM IDs WHERE NTLOGIN ='" & UserName & "'"
Set rs=CurrentDB.OpenRecordset(strSQL)
Where rs is DAO.Recordset