SAMPLE CODE:
Dim sql As String = "SELECT * FROM " + tblName + " WHERE needsTranslation = 'True' AND dataText LIKE " & "'" & alpha & "%" & "'" & " ORDER BY dataText;"
da = New SqlDataAdapter(sql, strConnection)
OP:
I would like to create a SQL query that returns all records when the first letter of a string matches my variable. I am coding this in an ASP.net code behind page in vb.net.
SELECT * FROM " + tblName + " WHERE textData = ' & alpha & "
In this exmample textData is a string of text and alpha is a single letter a through z or A through Z.
I don't need the criteria to be case sensitive, but I do need only the first letter of textData to match alpha.
I have tested the LIKE comparator and it does not return all records that begin with alpha.
What is the best way to do this? Any and all help will be appreciated.
thanks again,
The LIKE operator is what you'd want to use, but you have to use the % wildcard character like so:
SELECT * FROM MyTable WHERE textData LIKE 'a%'
SQL has sub-string operator SUBSTR() or SUBSTRING()
select * from tableName where substr( textData ) in ( 'A', 'B', 'C', ... );
I couldn't add to the comments on one of the other posts, but I'll strongly second the need to use a parameterized query for these reasons (you can include usage of the like operator with the wildcard % like the other answer correctly summarized to answer your question):
It will protect you from making mistakes with single quotes, especially if the user enters a search string that includes them
(they will cause your query to fail).
It protects you from SQL injection exploits. Example, a user were able to input the value of the variable "alpha" in the above
example they could enter something like:
'; DELETE FROM ;
If the user you were using had excessive database rights, they could
wreak all kinds of havoc (or they could potentially get access to
data they shouldn't have access to).
Related
I am a little lost on how to incorporate TWO Where in my sql statement in my asp.
I am trying to get the userID and password entered previously and compare it with what I have in my database created on SQL:
I think my problem comes from my double quotation and single quotation.
UserID is a number in my database and Password is a short text.
var mycon = new ActiveXObject("ADODB.Connection");
var myrec = new ActiveXObject("ADODB.Recordset");
mycon.Open("Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\\Users\\Omnivox.mdb");
var txtpassword = Request.QueryString("txtpassword");
var txtuserID = parseInt (Request.QueryString("txtuserID"));
var sql;
sql = "SELECT UserID, UserPassword FROM UserOmnivox WHERE UserID=" +txtuserID+ " AND UserPassword='" + txtpassword + "';";
myrec.Open(sql, mycon);
thank you
UPDATE: It is still not working. The error massage is : no value given for one or more required parameters for the line myrec.Open(sql,mycon)
Change
sql = "SELECT * FROM UserOmnivox WHERE UserID=" +txtuserID "AND UserPassword="'+txtpassword';
to
sql = "SELECT * FROM UserOmnivox WHERE UserID=" +txtuserID + " AND UserPassword='"+txtpassword+"'";
If you'd done any kind of basic debugging, like LOOKING at the query string you're generating, you'd have seen this:
sql = "SELECT [..snip..] UserID=" +txtuserID "AND UserPassword="'+txtpassword
^^--- no space
^--- missing +
which produces
SELECT .... UserID=1234AND userPassword
^^---syntax error, no such field '1234AND'
And then, yes, your quotes are wrong too
sql = "SELECT ... UserID=" +txtuserID "AND UserPassword="'+txtpassword
^------------------^-- one string
^-----------------^-- another string
^---???
It should be
sql = "SELECT * FROM UserOmnivox WHERE UserID=" +txtuserID + " AND UserPassword='" + txtpassword + "';";
I find another more flexible solution is better. Sometimes based on conditions you have one where condition, in others you have zero, and in others you have two. If you go down these paths they don't solve that issue. The following does.....
Some sql query
where 1=1 -- ## A condition that will always be true and does nothing to your query.
and first optional where clause
and second optional where clause
This way if you don't have the first where clause in a given situation but you do have the second you are not missing the words "where". You always have the where and you optionally add any array of "and" parts to your where statement. 100% flexibility in this method works for all challenges. Plus it is easier to follow code once you get past the wtf is this 1=1 nonsense reaction.
I saw this in some ASP code and didnt understand the last line, specifically all the apostrophies and quotation marks between Name= and AND. what is being appended? why do we need both?
uName = getRequestString("UserName");
uPass = getRequestString("UserPass");
sql = "SELECT * FROM Users WHERE Name ='" + uName + "' AND Pass ='" + uPass + "'"
The code is building a query that looks like this:
SELECT * FROM Users WHERE Name = 'foo' AND Pass = 'bar'
It passes in the text from the uName and uPass variables into the query string.
This is very dangerous though - it's an open door for SQL Injection.
That is very simple, you have the start of a string sentence with double quotes. Double quotes indicate the start and the end or part of a string.
for example, if you have
sql ="SELECT * FROM USERS"
your sentence takes all the value; if you have:
sql = "SELCT * FROM USERS"
whereSentence = " WHERE id = 1"
wholeSql = sql + whereSentence
with the + (plus symbol) you are concatening all the string.
With the simple quotes you are adding the simple quote in the string and concatening the other parts of the sentence.
For example if
uName = 'John' and uPass = 'McDonals'
sql = "SELECT * FROM Users WHERE Name ='" + uName + "' AND Pass ='" + uPass + "'"
your final sentence should be
SELECT * FROM Users WHERE Name = 'John' And Pass = 'McDonals'.
Is a simple way to say that the name is John McDonals as String, but the parameters are variables, depending the request
The first quotation (') mark is in the SQL lateron. The second quotation mark ("), marks the String literal for ASP.
After parsing, the query will be something like:
SELECT * FROM Users WHERE Name ='name' AND Pass ='password'
Which is why you need the ', because your intention is to give the DBMS a string.
This code is building a complete string for the SQL request. Presumably, this is connected to a webpage that asks for the username and password to be submitted in a block.
The uName and uPass strings will be set to something like this:
uName = "John";
uPass = "qwerty";
When the sql string gets created, the SQL query needs to put quotes around the string values, so the final query will look like this:
sql = "SELECT * FROM Users WHERE Name ='John' AND Pass ='qwerty'"
If you wrote:
SELECT x from y where y.name = martin
you would get an error. You need apostrophes to denote a string, like so:
SELECT x from y where y.name = 'martin'
Quotes are because someone appends a variable to a string, then appends another string and first character of that string, the apostrophe, is a closing apostrophe after my martin example.
Don't do that though, I mean don't append variables to strings, unless you know what you are doing. Use parameterized queries.
I'm trying to count the number of records in a table that meet a certain criteria. My preference is to use SQL, not Dcount, as I want to get better at SQL. Here's my current code below:
Dim countString As String
Dim count
countString = "SELECT COUNT(*) FROM `Engagement Letters` WHERE 'Client ID' = " & Me.cboSelectClient
count = CurrentDb.OpenRecordset(countString).Fields(0).Value
Yeah I know, I've used spaces in my tables and field names - I will change that. Though I think I should still be able to run this query as is, so I will leave it as is for now.
When I run the above, I get runtime error 3464 - data type mismatch in criteria expression. I've had the below dcount function work fine:
count = DCount("[Engagement Letter ID]", "Engagement Letters", "[Client ID] = " & Me.cboSelectClient)
And also the below COUNT query without the WHERE works fine:
"SELECT COUNT(*) FROM `Engagement Letters`"
My knowledge of SQL is very minimal, and my knowledge of more advanced VBA is also quite minimal, so I'm not sure where I'm going wrong. Can anyone help me with this?
Try building your string like this.
countString = "SELECT COUNT(*) FROM [Engagement Letters]" & vbCrLf & _
"WHERE [Client ID] = " & Me.cboSelectClient
Debug.Print countString
Use square brackets around object (table and field) names which include spaces or any characters other than letters, digits, and the underscore character.
For the table name, you used `Engagement Letters`, and the backticks appear to work the same as square brackets. Perhaps they always work equally well, but I don't know for sure because I use the brackets exclusively. And brackets instead of backticks might help you avoid this mistake ...
WHERE 'Client ID' = " & Me.cboSelectClient
... that was asking the db engine to compare the literal string, "Client ID", to the numerical value (?) you pulled from cboSelectClient.
I used vbCrLf between the 2 parts of the SELECT statement because I find that convenient when examining the completed string (via Debug.Print).
I am using Microsoft Access 2000, and need to pass in a parameter that is a comma-delimited string. The comma-delimited string is for an IN clause of the where statement. An example of this would be:
SELECT * FROM Table1 WHERE Field1 IN (#MyValues)
where #MyValues might be something like 1,2,3
However, when I pass in 1,2,3 the Access parameter doesn't seem to accept the input. Is there a good split string function in Access SQL that will solve this issue? Or is there another way of tackling this problem?
For reference on what I am doing, I am trying to use parameterized SQL in .NET to get a result set.
EDIT:
Below is an example of some simplified .NET code that would call this query:
OleDbCommand cmd = new OleDbCommand("SELECT * FROM Table1 WHERE Field1 IN (#MyValues)");
cmd.Parameters.Add("#MyValues","1,2,3");
What about this:
SELECT * FROM Table1 WHERE #MyValues Like "%" & Field1 "%"
This should check to see if the value in the field is included as a substring of your #MyValues parameter. Now, this could be problematic if any of the individual values in #MyValues are substrings of each other:
SELECT * FROM Table1 WHERE "2, 5, 10" Like "%" & Field1 "%"
In that case, "1" in Field1 would match, but it shouldn't. So, it might be that you'd need to format the numbers or delimit them some other way, such as:
SELECT * FROM Table1 WHERE " 2 5 10 " Like "% " & Field1 " %"
Or, alternatively:
SELECT * FROM Table1 WHERE ", 2, 5, 10," Like "%, " & Field1 ",%"
I'm not sure how this would perform, but it at least would allow parameterization.
At first, your question looked a little familiar. Then it started looking REALLY familiar. Then I realized I had the same question not long ago. My solution was to toss the parameters into this function:
Public Function IsIn( _
ByVal value As Variant, _
ParamArray theset() As Variant) _
As Boolean
Dim i As Long
For i = LBound(theset) To UBound(theset)
If value = theset(i) Then
IsIn = True
Exit Function
End If
Next
End Function
In your sample SQL code, you could do something like:
SELECT * FROM Table1 WHERE IsIn(Field1,array(1,2,3))=true;
(Like you, I also think that a procedure like this one should have been built into Access. Perhaps it is in 2007 or 2010.)
Edit
See Is there a NotIn("A","B") function in VBA?
Can you put them in another table and do a join?
If you don't want to create another table, that's ok. What does your ADO code and query syntax look like?
From your edited code above, I don't think you need to use the cmd object's parameters collection. Just modify your sql to embed your parameter values:
OleDbCommand cmd = new OleDbCommand("SELECT * FROM Table1 WHERE Field1 IN (1,2,3)");
You would use the .parameters collection if you had a parametrized query in the mdb, which you don't. Your sql is in source code.
I'm using VBA excel 2003,SQL 2005 to make a sql query call and inside my sql statement I'm using '+' operator to concatenate two strings.
dim query as string
query = "Select distinct ', '+emailaddress1 "
query = query & "from contact "
would this work inside vba? My query returns too many records in excel but not in SQL?
Please just focus on this 2 lines of code and not worry about the rest of my sql call, I'm just wondering whether or not this specific string would work?
Your code will return a column where each row would be an email address with a comma in front of it. If that is what you want, then yes, it will work.
If, on contrary, you want a single string where all email addresses would be listed, separated with commas, that'd be
query = "declare #foo varchar(max);"
query = query & "select distinct #foo = isnull(#foo,'') + emailaddress1 + ', ' from contact;"
query = query & "select left(#foo, len(#foo)-2);"