Can anyone please correct that MySql code

In here "FromSt" and "EndSt" are variables.
I wanna run that code in Vb.net.
MySql console command:
select st_distance from addst WHERE st_name IN ("value1","value1");
VB.net code:
Using FindSqlS As MySqlCommand = New MySqlCommand("SELECT st_distance FROM addst WHERE st_name = '" & FromSt & "OR" & "'st_name ='" & EndSt & "'", conn)

Looks like you left out a quote and added an extra one in another place. Try this and see if it fixes your issue:
Using FindSqlS As MySqlCommand = New MySqlCommand("SELECT st_distance FROM addst WHERE st_name = '" & FromSt & "'" & " OR " & "st_name ='" & EndSt & "'", conn)

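The query from this thread with bound parameters instead of concatenated values, as an added example that is not part of the original posts. It goes beyond the two-value case by generating one placeholder per name for the IN list; the names StationDistanceExample and GetDistances, the VARCHAR length of 50 and a numeric st_distance column are assumptions.

```vbnet
Imports System.Collections.Generic
Imports System.Linq
Imports MySql.Data.MySqlClient

Module StationDistanceExample   ' hypothetical name, not from the thread
    ' Returns st_distance for every station whose st_name is in stationNames.
    Function GetDistances(connectionString As String,
                          stationNames As IList(Of String)) As List(Of Decimal)
        Dim result As New List(Of Decimal)()
        ' "IN ()" is a syntax error in MySQL, so an empty list returns early.
        If stationNames Is Nothing OrElse stationNames.Count = 0 Then
            Return result
        End If

        ' One placeholder per value: @p0, @p1, ... Only these generated names
        ' are concatenated into the SQL text, never the user-supplied values.
        Dim placeholders As String() =
            Enumerable.Range(0, stationNames.Count).Select(Function(i) "@p" & i.ToString()).ToArray()
        Dim sql As String = "SELECT st_distance FROM addst WHERE st_name IN (" &
                            String.Join(", ", placeholders) & ")"

        Using conn As New MySqlConnection(connectionString),
              cmd As New MySqlCommand(sql, conn)
            For i As Integer = 0 To stationNames.Count - 1
                ' Length 50 is an assumption; use the real size of st_name.
                cmd.Parameters.Add(placeholders(i), MySqlDbType.VarChar, 50).Value = stationNames(i)
            Next
            conn.Open()
            Using reader As MySqlDataReader = cmd.ExecuteReader()
                While reader.Read()
                    ' Assumes st_distance is numeric; NULL rows are skipped.
                    If Not reader.IsDBNull(0) Then
                        result.Add(Convert.ToDecimal(reader.GetValue(0)))
                    End If
                End While
            End Using
        End Using
        Return result
    End Function
End Module
```

Calling GetDistances(connString, New String() {FromSt, EndSt}) covers the case in the question; a name containing a single quote is sent as data and cannot change the statement.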

Related

UPDATE query syntax error in vb.net using mysql

Here is my query, if anyone can spot the error:
str = "update student set course='" & ComboBox1.Text & "',name='" &
TextBox2.Text & "',f_name='" & TextBox3.Text & "',address='" & TextBox4.Text
& "' ,tel_no='" & TextBox5.Text & "',qualification='" & TextBox6.Text &
"',remarks='" & TextBox7.Text & "',school/college='" & TextBox8.Text &
"',fee='" & TextBox10.Text & "' where reg_no=" & TextBox9.Text & " "
Here is a better way to build this query:
str = "update student " &
    " set course= @course, name= @name, f_name= @fname, address= @address," &
    " tel_no= @tel, qualification = @qualification, remarks= @remarks," &
    " `school/college`=@school, fee= @fee" &
    " where reg_no= @regno"
Using cn As New MySqlConnection("connection string here"), _
      cmd As New MySqlCommand(str, cn)
    'Use actual column types/lengths from your DB here
    cmd.Parameters.Add("@course", MySqlDbType.VarChar, 15).Value = ComboBox1.Text
    cmd.Parameters.Add("@name", MySqlDbType.VarChar, 25).Value = TextBox2.Text
    cmd.Parameters.Add("@fname", MySqlDbType.VarChar, 25).Value = TextBox3.Text
    cmd.Parameters.Add("@address", MySqlDbType.VarChar, 120).Value = TextBox4.Text
    cmd.Parameters.Add("@tel", MySqlDbType.VarChar, 25).Value = TextBox5.Text
    cmd.Parameters.Add("@qualification", MySqlDbType.VarChar, 40).Value = TextBox6.Text
    cmd.Parameters.Add("@remarks", MySqlDbType.VarString).Value = TextBox7.Text
    cmd.Parameters.Add("@school", MySqlDbType.VarChar, 40).Value = TextBox8.Text
    cmd.Parameters.Add("@fee", MySqlDbType.Decimal, 6, 2).Value = Convert.ToDecimal(TextBox10.Text)
    cmd.Parameters.Add("@regno", MySqlDbType.Int32).Value = Integer.Parse(TextBox9.Text)
    cn.Open()
    cmd.ExecuteNonQuery()
End Using
This does a number of things for you:
It prevents sql injection attacks
It allows you to accept data that includes things like single quotes ('). The code you have will fail if someone puts in a single quote.
It handles things like date formatting for the sql automatically.
It's faster, because the database server can cache the execution plan after it compiles the query, and use statistics over time to get better execution plans.
It closes the db connection more reliably. The current code leaves the database connection hanging open if an exception is thrown.

VB.NET | MySQL: A fatal error encountered during command execution

I'm despairing because a MySQL error is in my code and I didn't find any helpful answer.
Code:
cn.ConnectionString = "Server=" & host.Text & ";User Id=" & user.Text & ";Password=" & password.Text & ";Database=" & database.Text & ";"
cmd.Connection = cn
Try
cn.Open()
cmd.CommandText = "LOAD DATA LOCAL INFILE '" & directory.Text & "' INTO TABLE " & database.Text & "." & table.Text & ";"
MsgBox(cmd.CommandText)
dr = cmd.ExecuteReader
Catch exError As MySqlException
MsgBox("Error: " & exError.Message, MsgBoxStyle.Critical)
End Try
cn.Close()
Screenshot of the error:
http://i.imgur.com/gkEsspQ.png
Edit: Screenshot 2 of the error (more detailed): http://i.imgur.com/iyOsAxr.png
When I use this line:
cmd.CommandText = "LOAD DATA LOCAL INFILE 'D:/Bibliothek/Desktop/test.txt' INTO TABLE test.test;"
it works.
I think this is the problem.
When you use VB.Net values in a MySQL query, remember to start like this '" and end like this "'
'" & textbox1.text & "'

You have error syntax VB.Net MySql

I want to update a MySQL database table in VB.NET. I tried and I got a problem with that. This is my source:
MysqlConn = New MySqlConnection
MysqlConn.ConnectionString =
"server=db4free.net;port=3306;userid=***;password=***;database=***"
Dim Reader As MySqlDataReader
Try
MysqlConn.Open()
Dim Query As String
Query = "update member set (Name='" & Val(TextBox1.Text) + Val(TextBox6.Text) & "' WHERE Username='" & TextBox8.Text & "'"
Command = New MySqlCommand(Query, MysqlConn)
Reader = Command.ExecuteReader
MysqlConn.Close()
Catch ex As Exception
MsgBox(ex.Message)
Finally
MysqlConn.Dispose()
End Try
If I run this source, I get an error like this:
TextBox1.Text = 10
TextBox6.Text = 20
TextBox8.Text = John
Here's what you have
"update member set (Name='" & Val(TextBox1.Text) + Val(TextBox6.Text) & "' WHERE Username='" & TextBox8.Text & "'"
render:
update member set (Name='30' WHERE Username='John'
What you probably want is to remove the bracket
"update member set Name='" & Val(TextBox1.Text) + Val(TextBox6.Text) & "' WHERE Username='" & TextBox8.Text & "'"
resulting in :
update member set Name='30' WHERE Username='John'
My suggestion to you as a preference for building these strings is to separate the parameters more often. It keeps things neat and easy.
ex:
dim x as string = (Val(TextBox1.Text) + Val(TextBox6.Text)).tostring
dim cmd as string =
"update member " &
"set Name=" & "'" & x & "' " &
"WHERE Username=" & "'" & TextBox8.Text & "'"

Wrong Data being sent to Mysql database from VB.net through parameterized insert statement

I am trying to insert data into MySQL from VB.NET. When I use a concatenated SQL query, it works well, but when I make it parameterized, no error is shown by the VB.NET try and catch statement, but wrong values and some null values are sent.
MysqlConn = New MySqlConnection
MysqlConn.ConnectionString = "server=127.0.0.1;userid=root;password=root;database=my_mysql_database"
Dim READER As MySqlDataReader
Try
MysqlConn.Open()
Dim Query As String
'Query = "INSERT INTO my_mysql_database.edata(E_id,Name,Surname,Age,user_name,password, Gender)values('" & Txt_EID.Text & "', '" & Txt_Name.Text & "', '" & Txt_Surname.Text & "', '" & Txt_Age.Text & "', '" & Txt_User_Name.Text & "', '" & Txt_Password.Text & "', '" & Txt_Gender.Text & "')"'
Query = "INSERT INTO my_mysql_database.edata
values(E_id=@Eid, Name=@Name, Surname=@Surname, Age=@Age,
user_name=@UserName, password=@Pass, Gender=@Gender, DOB=@Dob,
Image=@Ima, Email=@Email)"
COMMAND = New MySqlCommand(Query, MysqlConn)
COMMAND.Parameters.AddWithValue("@Eid", Txt_EID.Text)
COMMAND.Parameters.AddWithValue("@Name", Txt_Name.Text)
COMMAND.Parameters.AddWithValue("@Surname", Txt_Surname.Text)
COMMAND.Parameters.AddWithValue("@Age", Txt_Age.Text)
COMMAND.Parameters.AddWithValue("@UserName", Txt_User_Name.Text)
COMMAND.Parameters.AddWithValue("@Pass", Txt_Password.Text)
COMMAND.Parameters.AddWithValue("@Gender", Txt_Gender.Text)
COMMAND.Parameters.AddWithValue("@Dob", DTP_Date.Value)
COMMAND.Parameters.AddWithValue("@Ima", Txt_Image.Text)
COMMAND.Parameters.AddWithValue("@Email", Txt_Email.Text)
READER = COMMAND.ExecuteReader
MsgBox("Added to Database")
MysqlConn.Close()
Catch ex As Exception
MessageBox.Show(ex.Message)
Finally
MysqlConn.Dispose()
End Try
When I do it the parameterized way, no error is shown, but a zero and all nulls are saved in the MySQL database.
During debug I have checked the values stored in the parameters and they are correct, but what is sent to the MySQL database is a zero and all NULLs. What could be happening? How can I send the correct values to the MySQL database?
edit:
Here is a picture of datatypes
I might be off here, if that is the case someone can educate me. My SQL knowledge tells me your query is wrong.
You say that this one work:
Query = "INSERT INTO my_mysql_database.edata(E_id,Name,Surname,Age,user_name,password, Gender)values('" & Txt_EID.Text & "', '" & Txt_Name.Text & "', '" & Txt_Surname.Text & "', '" & Txt_Age.Text & "', '" & Txt_User_Name.Text & "', '" & Txt_Password.Text & "', '" & Txt_Gender.Text & "')"'
So why change the format of the second query? INSERT INTO Table Values (Column=Value)
Surely it is supposed to be INSERT INTO Table (Column) Values (Value). Hence your query should look like this:
Query = "INSERT INTO my_mysql_database.edata (E_id,Name,Surname,Age,user_name,password,Gender,DOB,Image,Email) Values (@Eid,@Name,@Surname,@Age,@UserName,@Pass,@Gender,@Dob,@Ima,@Email)"
Also, I strongly suggest you set up E_id to be auto incremental. Adding the ID yourself seems a bit unnecessary.

inserting windows form data from text and combo boxes into mysql database

I am working on an application which will allow the user to add a company via the form. I am struggling with inserting the data into the MySQL DB in the INSERT query. The query is sound, as it will work when directly applied; however, the application won't commit... Here is my code below:
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
sqlconnection.Close()
Dim com As New MySqlCommand("INSERT INTO companies VALUES(company_id, '" & TextBox1.Text & "', '" & RichTextBox1.Text & "', '" & TextBox4.Text & "', '" & TextBox5.Text & "', '" & ComboBox6.Text & "', '" & TextBox2.Text & "', '" & TextBox7.Text & "', '" & TextBox3.Text & "', '" & ComboBox2.Text & "', '" & RichTextBox3.Text & "', '" & ComboBox5.Text & "', '" & RichTextBox2.Text & "', '" & ComboBox7.Text & "', '" & ComboBox1.Text & "', '" & ComboBox4.Text & "';", con)
con.Open()
com.ExecuteNonQuery()
con.Close()
MsgBox("committed")
Thanks in advance
That's what you get for not using parametrized query.
Probably in one or more of your textboxes or richtextboxes an apostrophe causes your string concatenation to confuse everything.
Suppose that TextBox1 contains 'Acme's Inc.'. Now your string query text becomes
INSERT INTO companies VALUES (company_id, 'Acme's Inc.',
                                               ^
See the syntax error caused by blind string concatenation?
I can't write a complete replacement of your code here because so many controls with undescriptive names. However you should write something like this
Dim cmdText = "INSERT INTO companies VALUES (@companyID, @param1, @param2, ....etc)"
Dim com As New MySqlCommand(cmdText, con)
com.Parameters.AddWithValue("@companyID", company_id)
com.Parameters.AddWithValue("@param1", textbox1.Text)
.... 'and so on'
con.Open()
com.ExecuteNonQuery()
Apart from the quoting problem and the correct representation of dates and decimal numbers for the underlying database system, you have another big problem: SQL Injection (this is just an instructive link, because SQL Injection is a very large topic).
So at the end
NEVER USE STRING CONCATENATION TO BUILD SQL QUERIES.