I'm sure this question will be easy for you lot... :)
I'm simply trying to update an existing record in my database using the following:
Private Sub Button12_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button12.Click
If Not cnn.State = ConnectionState.Open Then
cnn.Open()
End If
cmd2.Connection = cnn
cmd2.CommandText = "UPDATE HireItemRecord SET HireItemBeginDate = " & TextBox45.Text & _
" ,HireItemEndDate = " & TextBox44.Text & _
" ,HireItemCost = " & TextBox16.Text & _
" ,PaymentMethod = " & TextBox17.Text & _
" ,Staff_Id = " & TextBox19.Text & _
" ,HireItemNotes = " & TextBox18.Text & _
" ,HireItemReturnDate = " & TextBox43.Text & _
"WHERE HireRecord_Id = " & TextBox13.Text
cmd2.ExecuteNonQuery()
ds1.Clear()
daHireItemRecord.Fill(ds1, "PersonDetails")
cnn.Close()
End Sub
However no matter what record is selected and whatever details are in the boxes I keep getting this same error over and over:
SqlException was unhandled
Incorrect syntax near '12'.
When there is absolutely nothing in the textboxes the error changes to:
Incorrect syntax near ','.
I'm very new to this and I just can't seem to understand why this is happening.
Thank you very much for your help. :)
So much wrong with this.
You need a space after each comma, not before it.
You should be escaping your values before using them in the query. If I put "0 WHERE 1=1 -- " in any of your text boxes, it'll trash your entire table.
You should ALWAYS name your form controls properly. If I sent you back to this code in a year's time and told you there was a problem with TextBox44, would you know what it means? Same goes for your variables. Sometimes it's ok to have i, x or tbl for a variable name, but in general they should be descriptive.
Example for #2, where I've put "'1/1/1999' WHERE 1=1 --" into TextBox45:
`UPDATE HireItemRecord SET HireItemBeginDate = '1/1/1999' WHERE 1=1 -- , HireItemEndDate...`
Everything after the -- becomes a comment, so you get this:
`UPDATE HireItemRecord SET HireItemBeginDate = '1/1/1999' WHERE 1=1`
Can you imagine what would happen if I executed that query? Nothing good.
You should use parameterized queries, as per the recommendations in this question: Algorithm to avoid SQL injection on MSSQL Server from C# code?
You should never use string concatenation to build SQL. It leaves you open to SQL Injection attacks. Try using the SQLCommand object provided in .Net. This allows you to "parameterize" your query and you don't have to worry about where to put " and '.
It will also allow you add parameters naturally without having to convert them to strings. Something like this:
Dim command As New SqlCommand("SELECT * FROM Table", connection)
command.Parameters.Add("#ID", SqlDbType.Int)
command.Parameters("#ID").Value = customerID
I stole that code from the documentation about SQL Parameters here.
Related
Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
If NamaBukuBox.Text = " " Or PngrngBukuBox.Text = " " Or PnrbtBukuBox.Text = " " Or JmlhBukuBox.Text = " " Then
MsgBox("Isi Semua Kolom Informasi")
Else
Con.Open()
Dim query = "Insert into BukuTbl values('" & NamaBukuBox.Text & "','" & PngrngBukuBox.Text & "','" & PnrbtBukuBox.Text & "'," & JmlhBukuBox.Text & ")"
Dim cmd As SqlCommand
cmd = New SqlCommand(query, Con)
cmd.ExecuteNonQuery() '** this line is error
MsgBox("Buku Telah Ditambahkan")
Con.Close()
End If
End Sub
I don't know what to do
what makes the error and how to solve it?
This is a very risky way of writing code. User input would be inserted directly into SQL. If your user inputs any apostrophe, your SQL will fail.
For example, try entering Abc's into the NamaBukuBox text box. Check your resulting SQL. In the worst case scenario, a user could inject SQL and delete data and tables.
In your case, it is likely the input from the user that is causing the SQL to fail. Please use parameters to input user data into SQL. Do not concatenate user input direct in SQL. You SQL should look something like:
Insert into BukuTbl values(#NamaBukuBox,#PngrngBukuBox,#PnrbtBukuBox,#JmlhBukuBox)
This question already has answers here:
vb.net escape reserved keywords in sql statement
(2 answers)
Closed 5 years ago.
Im having a error but i dont know what part but i check my tables but it is the exact column im using ms access2010 as database and every time i add a new record theres a msgbox that show (syntax error in insert into statement) heres my code:
Public Class Form1
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs)
End Sub
Private Sub GroupBox1_Enter(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles GroupBox1.Enter
End Sub
Private Sub Button1_Click_1(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
Dim add As String = "insert into setplan(ma,planqty,side,start,end,total,remarks) values ('" & cmbshift.SelectedItem & "','" & txtplqty.Value & "','" & cmbside.SelectedItem & "','" & timestart.Text & "','" & timeend.Text & "','" & txttotal.Text & "','" & txtrem.Text & "')"
Dim connection As String = "Provider=Microsoft.Ace.Oledb.12.0; Data Source=C:\Users\Administrator\Documents\plan.mdb; Persist Security Info=False;"
Using conn As New OleDb.OleDbConnection(connection)
Try
conn.Open()
If cmbshift.SelectedItem = "" Then
MsgBox("Please Select Shift Schedule")
ElseIf txtplqty.Value = 0 Then
MsgBox("Please Input Plan Quantity")
ElseIf cmbside.SelectedItem = "" Then
MsgBox("Please select Side")
ElseIf timestart.Text = "" Then
MsgBox("Please Select A Start Time")
ElseIf timeend.Text = "" Then
MsgBox("Please Select A Start Time")
ElseIf timeend.Text = timestart.Text Then
MsgBox("Time end must not be equal to Time Start")
Else
MsgBox(add)
Dim cmd As New OleDb.OleDbCommand(add, conn)
cmd.ExecuteNonQuery()
MsgBox("New Schedule Added")
End If
conn.Close()
Catch ex As Exception
MsgBox(ex.Message)
End Try
End Using
End Sub
Private Sub timestart_ValueChanged(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles timestart.ValueChanged
End Sub
End Class
start and end words are unique for sql so those keywords might cause the problem. Try to switch those column names into something like startTime and endTime and check if that works.
As has been addressed in the comments, it would be much better if you were to make this a parameterized query instead of concatenating the strings into an explicit SQL command. That being said, however, using your example, there are a couple of things that could be causing the error you describe, some of which have been mentioned in the comments (and the answer from Atilla).
Start and End are reserved keywords in SQL. Using them as column names can cause unexpected behavior when executing a query against those columns from a .NET application through OleDb. There are basically two ways to get around this:
Rename these columns in the database - Atilla suggested StartTime and EndTime, which would probably work nicely.
If renaming the columns is not an option (these columns are used by some other system/process you have in place), your best bet is to modify the query. Since it appears that you're working with an Access database (.mdb) file, you can enclose the column names in your query in square brackets (e.g., [Start] and [End]).
I've actually taken to enclosing all of my table and column names this way when working with Access databases because we have some databases with column names that include spaces and such, so this helps tremendously.
You also need to take into account the actual data types of the columns into which you're attempting to INSERT the data. Again, since it seems that you're using an Access database file, there are a couple of syntactical things to look at.
Values being inserted into a Date/Time field should be wrapped with the # character instead of the ' character.
Numeric field types (e.g., Number or Currency) should not be wrapped with the ' character (or any other characters, for that matter).
If the string values you intend to insert into text fields (e.g., Short Text or Long Text) contain any of a number of "special/invalid characters" including single and/or double quotation marks, these need to be "cleaned up" before executing the query. If this is the case (or potentially could be the case), you could create a method to clean up the string value prior to use in your SQL command. See an example at the bottom of this post in which most, if not all of the potentially invalid characters are simply stripped from the string value.
Please note that, for the purposes of this answer, I've used the data type names from the MS Access UI rather than the actual OleDb/Odbc data types to try to simplify things.
Without knowing the actual data types used in your database table or the values that are coming from the form controls, I can only make assumptions, but, if I absolutely had to use this type of query building (meaning, it's not possible to make it parameterized for some reason), I would probably create the query to looks something more like this:
Dim add As String = "INSERT INTO setplan " & _
"([ma], [planqty], [side], [start], [end], [total], [remarks]) " & _
"VALUES ('" & cmbshift.SelectedItem & "', " & _
txtplqty.Value & ", " & _
"'" & cmbside.SelectedItem & "', " & _
"#" & timestart.Text & "#, " & _
"#" & timeend.Text & "#, " & _
txttotal.Text & ", " & _
"'" & txtrem.Text & "')"
This assumes that the [start] and [end] columns are Date/Time columns, and the [planqty] and [total] columns are some type of Number columns (Integer, Single, etc.).
HOWEVER: as mentioned above, it would be much preferred to make this a parameterized query. Check out the accepted answer to this SO question for more information on how to do this: VB.Net - Inserting data to Access Database using OleDb
Example of cleanup function for String values when concatenating SQL command:
Friend Function CleanStringForSQL(ByVal DirtyString As String) As String
Dim CleanString As String = DirtyString.Replace("'", "")
CleanString = CleanString.Replace("""", "")
CleanString = CleanString.Replace("*", "")
CleanString = CleanString.Replace("\", "")
CleanString = CleanString.Replace("/", "")
CleanString = CleanString.Replace(";", "")
CleanString = CleanString.Replace("%", "")
CleanString = CleanString.Replace("#", "")
CleanString = CleanString.Replace("(", "")
CleanString = CleanString.Replace(")", "")
CleanString = CleanString.Replace("[", "")
CleanString = CleanString.Replace("]", "")
Return CleanString
End Function
Which could then be used in your declaration statement for the SQL command string like:
...
"VALUES ('" & CleanStringForSQL(cmbshift.SelectedItem) & "', " & _
...
Got a new one for you, tried everything i could think of but without succes.
I want to be able to edit some textboxes and then update their records in the database. I use this code:
Private Sub btnUpdate_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnUpdate.Click
connection.Open()
cmdupdate.CommandText = "UPDATE tbl_stal SET Locatie = '" & cbLocatienummer.Text & "', Coordinaten = '" & txtCoordinaten.Text & "' WHERE ID = '" & cbID.Text & "'"
cmdupdate.CommandType = CommandType.Text
cmdupdate.Connection = connection
cmdupdate.ExecuteNonQuery()
MsgBox("De gegevens zijn aangepast." & vbNewLine & "The data has been modified." & vbNewLine & "Die Daten sind angepasst.", MsgBoxStyle.OkOnly, "Voersoorten")
connection.Close()
cmdupdate.Dispose()
I am certain that the names of the database table and it's fields are correct, tried using both numerical and textbased settings on the table fields(as normally they should be numerical, but they might be text too. )
However, when i load some data from the datagridvieuw into the textboxes, change the coordinates(for example) and hit the updatebutton, it will give me the error that the datatypes don't match.
Apart from the above, what else can it be?
When you write data to a database table using any kind of sql text you should NEVER use string concatenation to build the SQL. This because you could have problems in the string supplied (what if one of these strings contains an embedded single quote?) and because taking the user input and attaching it to your command is a really dangerous practice that leads to Sql Injection
(Well MS-Access doesn't support multiple commands so you are a bit safer here)
So you should rewrite your query in this way
Dim cmdText = "UPDATE tbl_stal SET Locatie = ?, Coordinaten = ? WHERE ID = ?"
Using connection = new OleDbConnection(.....)
Using cmdUpdate = new OleDbCommand(cmdText, connection)
connection.Open()
cmdUpdate.Parameters.AddWithValue("#p1", cbLocatienummer.Text)
cmdUpdate.Parameters.AddWithValue("#p2", txtCoordinaten.Text)
cmdUpdate.Parameters.AddWithValue("#p3", Convert.ToInt32(cbID.Text))
cmdUpdate.ExecuteNonQuery()
End Using
End Using
Notice that you should provide a parameter with the exact datatype that matches the datatype of your field, strings for text fields, numbers for numeric fields.
I'm working in a small SQL Database program. The programs just there to view, edit and update the database records. Everything is working remarkably well considering I've never tried something like this before. I've managed to get the Add Records, Refresh Records and Delete Records functions working flawlessly. However, I've hit a little bump when trying to UPDATE a selected record.
To clarify, the SQL Table is displayed in a list view, from this list view the end-user can select a particular-record and either edit or delete it.
The edit button opens a new form window with text fields which are automatically filled with the current information of that record.
The code for the edit record form is:
Private Sub frmEdit_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
intDB_ID_Selected = CInt(frmMain.lvRec.SelectedItems(0).Text)
Call dispCaption()
Call dispInfo() 'Display the info of the selected ID
End Sub
Private Sub dispInfo()
SQL = "Select * from PersonsA " & _
"where Members_ID=" & intDB_ID_Selected & ""
With comDB
.CommandText = SQL
rdDB = .ExecuteReader
End With
If rdDB.HasRows = True Then
rdDB.Read()
Me.midtxt.Text = rdDB!Members_ID.ToString.Trim
Me.gttxt.Text = rdDB!Gamer_Tag.ToString.Trim
Me.sntxt.Text = rdDB!Screenname.ToString.Trim
Me.fntxt.Text = rdDB!First_Name.ToString.Trim
Me.lntxt.Text = rdDB!Last_Name.ToString.Trim
Me.dobtxt.Text = rdDB!DoB.ToString.Trim
Me.dobtxt.Text = rdDB!DoB.ToString.Trim
Me.emailtxt.Text = rdDB!E_Mail_Address.ToString.Trim
Me.teamptxt.Text = rdDB!Position.ToString.Trim
Me.ugctxt.Text = rdDB!Cautions.ToString.Trim
Me.recordtxt.Text = rdDB!Record.ToString.Trim
Me.eventatxt.Text = rdDB!Event_Attendance.ToString.Trim
Me.Mstattxt.Text = rdDB!Member_Status.ToString.Trim
End If
rdDB.Close()
End Sub
Private Sub dispCaption()
End Sub
Private Sub cmdUpdate_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles cmdUpdate.Click
Call disControl()
'Validation
If invalidUpdateEntry() = True Then
Call enaControl()
Exit Sub
End If
'Prompt the user if the record will be updated
If MsgBox("Are you sure you want to update the selected record?", CType(MsgBoxStyle.YesNo + MsgBoxStyle.DefaultButton2 + MsgBoxStyle.Question, MsgBoxStyle), "Update") = MsgBoxResult.Yes Then
'Update query
SQL = "Update PersonsA" & _
"SET Members_ID='" & Me.midtxt.Text.Trim & "'," & _
"Gamer_Tag='" & Me.gttxt.Text.Trim & "'," & _
"Screenname='" & Me.sntxt.Text.Trim & "'," & _
"First_Name='" & Me.fntxt.Text.Trim & "'," & _
"Last_Name='" & Me.lntxt.Text.Trim & "'," & _
"DoB='" & Me.dobtxt.Text.Trim & "'," & _
"E_Mail_Address='" & Me.emailtxt.Text.Trim & "'," & _
"Position='" & Me.teamptxt.Text.Trim & "'," & _
"U_G_Studio='" & Me.ugptxt.Text.Trim & "'," & _
"Cautions='" & Me.ugctxt.Text.Trim & "'," & _
"Record='" & Me.recordtxt.Text.Trim & "'," & _
"Event_Attendance='" & Me.eventatxt.Text.Trim & "'," & _
"Member_Status='" & Me.Mstattxt.Text.Trim & "'" & _
"WHERE Members_ID='" & intDB_ID_Selected & "'"
Call execComDB(SQL) 'Execute the query
Me.Close()
'*** Refresh the list
SQL = "Select * from PersonsA "
Call frmMain.dispRec(SQL)
'--- End of refreshing the list
Exit Sub
Else
Call enaControl()
End If
End Sub
As I've said, I've been able to do everything else using an extremely similar method, but when I try to UPDATE the record I get an error saying
An unhandled exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll
Additional information: Incorrect syntax near 'Members_ID'.
I know it's this line that's the problem
"WHERE Members_ID='" & intDB_ID_Selected & "'"
Call execComDB(SQL) 'Execute the query
But referencing 'intDB_ID_Selected' has always worked before, and it's been set-up on the update form records load as intDB_ID_Selected = CInt(frmMain.lvRec.SelectedItems(0).Text)
I know this is a huge thread but if anyone could steer me in the right direction WITHOUT telling me to re-write the entire statement I'd be forever grateful.
EDIT1: I fixed the comma before the WHERE clause, but I'm still getting the same error.
Missing a space between
"Update PersonsA " & _
"SET Members_ID= ....
and (as already pointed out) a comma not needed before the WHERE
Said that, do a favor to yourself and to your users. Do not use string concatenation to build a sql command. Use always a parameterized query.
Just as an example
SQL = "Update PersonsA SET Members_ID=#id, Gamer_Tag=#tag, Screenname=#screen," & _
"First_Name=#fname,Last_Name=#lname,DoB=#dob,E_Mail_Address=#email," & _
"Position=#pos,U_G_Studio=#studio,Cautions=#caution,Record=#rec," & _
"Event_Attendance=#event, Member_Status=#stat " & _
"WHERE Members_ID=#id"
SqlCommand cmd = new SqlCommand(SQL, connection)
cmd.Parameters.AddWithValue("#id", Me.midtxt.Text.Trim)
..... so on for the other parameters defined above ....
cmd.ExecuteNonQuery();
Change "Member_Status='" & Me.Mstattxt.Text.Trim & "'," & _
to "Member_Status='" & Me.Mstattxt.Text.Trim & "'" & _
Looks like it was just an extra rogue comma!
On any error like this, use debugging provided with Visual Studio. Inspect the value of SQL, paste into MS SQL Management Studio - it has syntax highlight, and you should be able to spot the error easily.
To prevent further issues (including SQL injection vulnerability), separate this query into an embedded resource, and use parameters. Then it's easy to view, maintain (you can copy/paste between SQL Mgmt Studio and VS), and ultimately use it in code.
A side note, you don't need to use Call in VB.NET, just put a method name with parenthesis.
Everyone here has always been such great help, either directly or indirectly. And it is with grand hope that this, yet again, rings true.
For clarification sakes, the Stored Procedure is running under FireBird and the VB is of the .NET variety
I have a stored procedure (excerpt below, important bit is the WHERE)
select pn, pnm.description, si_number, entry_date, cmp_auto_key,
parts_flat_price, labor_flat_price, misc_flat_price, woo_auto_key,
wwt_auto_key
from parts_master pnm, wo_operation woo
where pn like :i_pn || '%'
and pnm.pnm_auto_key = woo.pnm_auto_key
into :pn, :description, :work_order, :entry_date, :cmp, :parts_price,
:labor_price, :misc_price, :woo, :wwt
I am trying to pass a parameter from a vb app, that uses the parameter I_PN, the code of which follows below (The variables for MyServer and MyPassword are determined form an earlier part of the code.)
Try
Dim FBConn As New FirebirdSql.Data.FirebirdClient.FbConnection()
Dim FBCmd As FirebirdSql.Data.FirebirdClient.FbCommand
Dim MyConnectionString As String
MyConnectionString = _
"datasource=" & MyServer & ";database=" & TextBox4.Text & "; & _
user id=SYSDBA;password=" & MyPassword & ";initial catalog=;"
FBConn = New FirebirdSql.Data.FirebirdClient. & _
FbConnection(MyConnectionString)
FBConn.Open()
FBConn.CreateCommand.CommandType = CommandType.StoredProcedure
FBCmd = New FirebirdSql.Data.FirebirdClient. & _
FbCommand("WIP_COSTS", FBConn)
FBCmd.CommandText = "WIP_COSTS"
FBConn.CreateCommand.Parameters. & _
Add("#I_PN", FirebirdSql.Data.FirebirdClient.FbDbType.Text). & _
Value = TextBox1.Text
Dim I_PN As Object = New Object()
Me.WIP_COSTSTableAdapter.Fill(Me.WOCostDataSet.WIP_COSTS, #I_PN)
FBConn.Close()
Catch ex As System.Exception
System.Windows.Forms.MessageBox.Show(ex.Message)
End Try
When I execute the VB.App and try to run the program, I get the following Error:
Dynamic SQL Error
SQL Error Code = -206
Column Unknown
I_PN
At Line 1, column 29
And I can't quite put my finger on what the actual problem is. Meaning, I don't know if my logic is incorrect on the VB side, or, on the Stored Procedure.
Any coding that is included is kludged together from examples I have found with various bits of code found during long sojourns of GoogleFu.
As anyone with more than a month or two of experience (unlike me) with VB can attest with merely a glance - my code is probably pretty crappy and not well formed - certainly not elegant and most assuredly in operational. I am certainly entertaining all flavors of advice with open arms.
As usual, if you have further questions, I will answer them to the best of my ability.
Thanks again.
Jasoomian
After a little rethinking and a bit more research, I finally got my code working..
Try
' Code for checking server location and required credentials
Dim FBConn As FbConnection
' Dim FBAdapter As FbDataAdapter
Dim MyConnectionString As String
MyConnectionString = "datasource=" _
& MyServer & ";database=" _
& TextBox4.Text & ";user id=SYSDBA;password=" _
& MyPassword & ";initial catalog=;Charset=NONE"
FBConn = New FbConnection(MyConnectionString)
Dim FBCmd As New FbCommand("WIP_COSTS", FBConn)
FBCmd.CommandType = CommandType.StoredProcedure
FBCmd.Parameters.Add("#I_PN", FbDbType.VarChar, 40)
FBCmd.Parameters("#I_PN").Value = TextBox1.Text.ToUpper
Dim FBadapter As New FbDataAdapter(FBCmd)
Dim dsResult As New DataSet
FBadapter.Fill(dsResult)
Me.WIP_COSTSDataGridView.DataSource = dsResult.Tables(0)
Dim RecordCount As Integer
RecordCount = Me.WIP_COSTSDataGridView.RowCount
Label4.Text = RecordCount
Catch ex As System.Exception
System.Windows.Forms.MessageBox.Show _
("There was an error in generating the DataStream, " & _
"please check the system credentials and try again. " &_
"If the problem persists please contact your friendly " &_
"local IT department.")
End Try
' // end of line
I had also thought that I would need to make changes to the actual stored procedure, but, this turned out to be incorrect.
The code may not be pretty, and I need to do more work in my TRY block for better error handling; but, it works.
Thanks to all who chimed in and helped me get on track.
Try changing this:
FBConn.CreateCommand.Parameters. & _
Add("#I_PN", FirebirdSql.Data.FirebirdClient.FbDbType.Text). & _
Value = TextBox1.Text
... to this:
FBCmd.Parameters.AddWithValue("#I_PN", TextBox1.Text)
Basically, you want to add stored procedure parameters to the Command object, not the Connection object.
Andreik,
Here is the entire stored Procedure. And our Firebird is Version 1.5.3, written with IbExpert version 2006.12.13, Dialect 3
Begin
For
select pn, pnm.description, si_number, entry_date, cmp_auto_key, parts_flat_price,
labor_flat_price, misc_flat_price, woo_auto_key, wwt_auto_key
from parts_master pnm, wo_operation woo
where pn like :i_pn || '%'
and pnm.pnm_auto_key = woo.pnm_auto_key
into :pn, :description, :work_order, :entry_date, :cmp, :parts_price,
:labor_price, :misc_price, :woo, :wwt
Do begin
labor_hours = null;
work_type = null;
parts_cost = null;
labor_cost = null;
ro_cost = null;
customer = null;
select company_name
from companies
where cmp_auto_key = :cmp
into :customer;
select work_type
from wo_work_type
where wwt_auto_key = :wwt
into :work_type;
select sum(sti.qty*stm.unit_cost)
from stock_ti sti, stock stm, wo_bom wob
where sti.wob_auto_key = wob.wob_auto_key
and sti.stm_auto_key = stm.stm_auto_key
and wob.woo_auto_key = :woo
and sti.ti_type = 'I'
and wob.activity <> 'Work Order'
and wob.activity <> 'Repair'
into :parts_cost;
select sum(sti.qty*stm.unit_cost)
from stock_ti sti, stock stm, wo_bom wob
where sti.wob_auto_key = wob.wob_auto_key
and sti.stm_auto_key = stm.stm_auto_key
and wob.woo_auto_key = :woo
and sti.ti_type = 'I'
and wob.activity = 'Repair'
into :ro_cost;
select sum(wtl.hours*(wtl.fixed_overhead+wtl.variable_overhead+wtl.burden_rate)),
sum(wtl.hours)
from wo_task_labor wtl, wo_task wot
where wtl.wot_auto_key = wot.wot_auto_key
and wot.woo_auto_key = :woo
into :labor_cost, :labor_hours;
suspend;
end
End
Hardcode - I responded in the comments to your suggestion.