I'm getting the title error when attempting to execute the following:
sInsertInto = "INSERT INTO 5why (date, op_id, serial, why1, why2, why3, why4, why5, root_cause, lessons) VALUES (" + _
"'" + f_date + "', " + _
"'eccross', " + _
" '" + f_partnum + "', " + _
" '" + f_first + "', " + _
" '" + f_second + "', " + _
" '" + f_third + "', " + _
" '" + f_fourth + "', " + _
" '" + f_fifth + "', " + _
" '" + f_root + "'" + _
" '" + f_lessons + "'" + _
")"
The value count should be fine here, but it's not for whatever reason and I cannot get this error to resolve.
You seem to be missing a comma, specifically after the f_root line. I would think this would be a syntax error due to the two strings 'f_root' 'f_lessons', but I guess not.
Your query is vulnerable to injection. You should be using parameterized queries with prepared statements. Depending upon the variable values, this may also be the problem.
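As an added example (not code from the original post), here is the same INSERT rewritten with a parameterized OleDbCommand. It assumes an OleDb provider, which is why the placeholders are positional `?` rather than names; the `con` object and the values are taken as given, and the parameter sizes and types are assumptions about the table:

```vbnet
Imports System
Imports System.Data
Imports System.Data.OleDb

Public Module FiveWhyInsert
    ' Inserts one 5-why record with typed parameters. The user-supplied values never
    ' become part of the SQL text, so quotes in the input (O'Brien, or anything crafted)
    ' cannot change the statement, and the value count is fixed by the placeholder list.
    ' OleDb does not support named parameters: placeholders are "?" and parameters must be
    ' added in the same order they appear in the SQL.
    Public Function Insert5Why(con As OleDbConnection, fDate As Date, opId As String,
                               serial As String, whys As String(), rootCause As String,
                               lessons As String) As Integer
        If whys Is Nothing OrElse whys.Length <> 5 Then
            Throw New ArgumentException("exactly five why entries are required", "whys")
        End If

        Dim sql As String =
            "INSERT INTO 5why (date, op_id, serial, why1, why2, why3, why4, why5, root_cause, lessons) " &
            "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"

        Using cmd As New OleDbCommand(sql, con)
            ' Parameter names are only labels here; order is what binds them to the "?" slots.
            ' Types and sizes are assumed column definitions.
            cmd.Parameters.Add("@date", OleDbType.Date).Value = fDate
            cmd.Parameters.Add("@op_id", OleDbType.VarWChar, 50).Value = opId
            cmd.Parameters.Add("@serial", OleDbType.VarWChar, 50).Value = serial
            For i As Integer = 0 To 4
                cmd.Parameters.Add("@why" & (i + 1), OleDbType.VarWChar, 255).Value = whys(i)
            Next
            cmd.Parameters.Add("@root_cause", OleDbType.LongVarWChar).Value = rootCause
            cmd.Parameters.Add("@lessons", OleDbType.LongVarWChar).Value = lessons

            If con.State <> ConnectionState.Open Then con.Open()
            ' Returns the number of rows inserted (1 on success).
            Return cmd.ExecuteNonQuery()
        End Using
    End Function
End Module
```

Because the database receives the values separately from the statement, a missing comma or quote in the SQL text is a compile-time shape error you can see, not something that depends on what the user typed.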
I am getting this error:
Syntax error (missing operator) in query expression '10'
My code:
string MySQL3 = "Update RegisterDatabase Set ";
MySQL3 += "uName ='" + Request.Form["uname"] + "', pName ='" + Request.Form["pname"] + "', idNumber ='" + Request.Form["id"] + "', age =" + Request.Form["age"] + "', pass ='" + Request.Form["pass"] + "', email ='" + Request.Form["email"] + "'";
MySQL3 += " Where uName ='" + Session["uname"];
System.Data.OleDb.OleDbCommand o_command3 = new System.Data.OleDb.OleDbCommand(MySQL3, o_con);
o_con.Open();
o_command3.ExecuteNonQuery();
o_con.Close();
BTW I know my code is prone to SQL Injection attack, but this is for my school project so it doesn't really matter.
The problem is here
age =" + Request.Form["age"] + "+ "'
It should be
age =" + Request.Form["age"] + ", pass =
and
MySQL3 += " Where uName ='" + Session["uname"];
should be
MySQL3 += " Where uName ='" + Session["uname"] +"'";
String MySQL3 = "Update RegisterDatabase Set ";
MySQL3 += "uName ='" + Request.Form["uname"] + "', pName ='" + Request.Form["pname"] + "', idNumber ='" + Request.Form["id"] + "', age ='" + Request.Form["age"] + "', pass ='" + Request.Form["pass"] + "', email ='" + Request.Form["email"] + "'";
MySQL3 += " Where uName ='" + Session["uname"] + "'";
Just try the above code.
Hope this helps.
Can anyone help me write a query by which I can fetch a record with a specific date having a specific value of a column? The query given below returns records with the specific value but does not filter by date.
sql = "Select * from solarleads where Phone = '" + c_id.Text + "' OR AgentName Like '" + c_id.Text + "%' OR CallStatus Like '%" + c_id.Text + "%' OR CenterId = '" + c_id.Text + "' And Date >= '" + date1.Text + "' AND Date <='" + date2.Text + "' ORDER BY Id DESC ;";
You need to bracket the set of ORed conditions.
sql = "Select * from solarleads
where ( Phone = '" + c_id.Text + "' OR AgentName Like '" + c_id.Text + "%'
OR CallStatus Like '%" + c_id.Text + "%'
OR CenterId = '" + c_id.Text + "' )
And Date >= '" + date1.Text + "' AND Date <='" + date2.Text + "'
ORDER BY Id DESC ;"
Separate the AND condition with parentheses, like:
sql = "Select * from solarleads where " +
"(Phone = '" + c_id.Text + "' " +
"OR AgentName Like '" + c_id.Text + "%' " +
"OR CallStatus Like '%" + c_id.Text + "%' " +
"OR CenterId = '" + c_id.Text + "' ) " +
"AND (Date >= '" + date1.Text + "' AND Date <='" + date2.Text + "') " +
"ORDER BY Id DESC ;";
Also check - Mysql or/and precedence?
I want to insert data into two different tables on a button click, so there are 2 insert queries with different credentials. The first insert query works properly but the second is not executing. Here is what I tried.
Try
Dim str1 As String = "INSERT INTO yogaClasses (`yogaID`,`name`, `category`, `websiteName`, `email`, `phone1`, `phone2`, `mobileNumber`, `buildingName`, `streetName`, `landmark`, `areaName`, `city`, `State`, `zipCode`, `address`, slotTime1From, `slotTime1To`, `slotTime2From`, `slotTime2To`, fees, `overview`, `establishment`, `newBatchStart`, `yogaType`, `facilities`, payment, `status`, `username`, `password`) values ('" + ID + "','" + name + "', '" + businessCategory + "', '" + website + "', '" + email + "', '" + phoneNo1 + "', '" + phoneNo2 + "', '" + mobileNumber + "', '" + building + "', '" + street + "', '" + landpoint + "', '" + area + "', '" + city + "', '" + stateName + "', '" + zipCode + "', '" + fulladdress + "', '" + slot1A + "', '" + slot1B + "', '" + slot2A + "', '" + slot2B + "', '" + feesPay + "', '" + about + "', '" + foundYear + "', '" + startnewBatch + "', '" + selectedYoga + "', '" + selectedFacility + "', '" + payments + "', 'active', '" + mobileNumber + "', '" + membersAutoPassword.Text + "')"
Dim str2 As MySqlDataReader
Dim adapter As New MySqlDataAdapter
Dim command As New MySqlCommand
command.CommandText = str1
command.Connection = con
adapter.SelectCommand = command
con.Open()
str2 = command.ExecuteReader
con.Close()
Response.Redirect("business-added.aspx")
Catch ex As Exception
Response.Write(ex)
End Try
Try
Dim str2 As String = "INSERT INTO yogaAgeGroup (`6-15`, `16-20`, `21-25`, `26-30`, `31-35`, `35+`, `yogaID`) values('" + ageup1.Text + "', '" + ageup2.Text + "', '" + ageup3.Text + "', '" + ageup4.Text + "', '" + ageup5.Text + "', '" + ageup6.Text + "', '" + TextId.Text + "')"
Dim str3 As MySqlDataReader
Dim adapter As New MySqlDataAdapter
Dim command As New MySqlCommand
command.CommandText = str2
command.Connection = con
adapter.SelectCommand = command
con.Open()
str3 = command.ExecuteReader
con.Close()
Catch ex As Exception
Response.Write(ex)
End Try
The second query is not executing. What am I doing wrong here? Or is it possible to execute both queries in one?
Problem (in your 1st query)
con.Close()
Response.Redirect("business-added.aspx")
Move this line after the second query's con.Close()
Response.Redirect("business-added.aspx")
Because this line will redirect you to another page, so the rest of the code won't be executed.
So I'm writing a web app in vb.net and I've found myself a bit conceptually stumped with a particular database issue.
Essentially, I have 2 different "templates" for a form. In one, the user fills in a bunch of text fields and submits it, and it's all shipped off to the database. The second template is identical, except it tracks some additional information, so it submits more to the database. Rather than have a pair of tables with a lot of duplicate columns or a single table with a bunch of nulls, I made 1 table that tracks all the information shared by both templates and another table that stores all the "extra stuff" the 2nd template has.
The problem this has created is I need a way to pair the data from the two back together in order to search for the form and then pull the information out of the database. The collective forms are identified by a surrogate auto-incrementing key which is the primary key of the "shared" table. I attempted to set up a foreign key relationship with the "extra stuff" table, but doing so raised an issue on the application side where I'm not sure how to handle a foreign key that references an auto-increment in my insert statement.
To give a code example:
Dim sInsertInto As String
sInsertInto = "INSERT INTO 5why (date, op_id, serial, why1, why2, why3, why4, why5, root_cause, other_notes, lessons, define, template) VALUES (" + _
"'" + f_date + "', " + _
" '" + f_usr + "', " + _
" '" + f_partnum + "', " + _
" '" + f_first + "', " + _
" '" + f_second + "', " + _
" '" + f_third + "', " + _
" '" + f_fourth + "', " + _
" '" + f_fifth + "', " + _
" '" + f_root + "', " + _
" '" + f_notes + "', " + _
" '" + f_lessons + "', " + _
" '" + f_define + "', " + _
" '" + f_temp + "'" + _
")"
Dim sInsertInto2 As String
sInsertInto2 = "INSERT INTO 5why_mbusi (countermeasure, containment, check_it, standardize_counter, point_cause, method_procedure, group_leader, engineer, shop_am, shop_manager) VALUES (" + _
"'" + f_counter + "', " + _
" '" + f_containment + "', " + _
" '" + f_check + "', " + _
" '" + f_standardCounter + "', " + _
" '" + f_pointOfCause + "', " + _
" '" + f_methodAndProc + "', " + _
" '" + f_groupLeader + "', " + _
" '" + f_engineer + "', " + _
" '" + f_shop_A_M + "', " + _
" '" + f_shopManager + "'" + _
")"
In the first insert statement I'm inserting all the shared information into the "shared" table. I don't have to worry about the auto-increment here because it's all being handled by the database. The second insert statement ships all the extras into the "extra stuff" table, but I can't insert all those things without figuring out something to put into the foreign key, as it can't be null for the purposes of establishing a relationship between the two sets of data. I'm operating under the impression that just setting the foreign key to AI as well would just start it back over at "1," it wouldn't match the AI being generated by the "shared" table.
Any ideas out there on how to handle it? This was kind of tricky to word, so if you need clarification about anything, let me know and I'll do my best to clear it up.
The standard way to handle this is for the second table to not declare its primary key as auto-increment. Instead, you must specify the value of the primary key in your INSERT statement.
If you insert into the second table immediately after the first table, you can use the special function LAST_INSERT_ID() as the value.
Example:
INSERT INTO table1 (foo) VALUES (1234); -- generates a new `id`
INSERT INTO table2 (id, bar) VALUES (LAST_INSERT_ID(), 'abcd');
The LAST_INSERT_ID() function returns the most recently generated auto-increment value by a prior INSERT statement in the same session. There is no chance that other people doing their own inserts in other sessions will compromise this.
PS: This is a separate issue from your original question, but FWIW you should learn to use query parameters instead of stringing together form fields with string concatenation. Using parameters is easier, faster, and more secure.
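The following is an added example, not code from any of the posts above, showing the LAST_INSERT_ID() pattern from this answer together with the two-inserts-on-one-click problem from the earlier thread (where the redirect ran before the second insert). It assumes MySQL via Connector/NET, uses a subset of the columns from the two INSERTs in the question, and assumes the foreign-key column in 5why_mbusi is named `why_id`, which the post never states:

```vbnet
Imports System
Imports System.Data
Imports MySql.Data.MySqlClient

Public Module LinkedInsert
    ' Inserts the shared 5why row, then the 5why_mbusi extras keyed by the id MySQL
    ' generated, inside one transaction so a failure in either insert leaves nothing
    ' behind. Returns the new shared id. Column names follow the question; "why_id"
    ' is an assumed name for the foreign-key column.
    Public Function InsertFormWithExtras(con As MySqlConnection,
                                         fDate As Date, fUsr As String, fPartNum As String,
                                         fRoot As String, fLessons As String,
                                         fCounter As String, fContainment As String,
                                         fGroupLeader As String) As Long
        If con.State <> ConnectionState.Open Then con.Open()

        Using tx As MySqlTransaction = con.BeginTransaction()
            Try
                Dim newId As Long

                ' 1) Shared table: the database assigns the auto-increment id.
                Using cmd As New MySqlCommand(
                        "INSERT INTO 5why (date, op_id, serial, root_cause, lessons) " &
                        "VALUES (@date, @op_id, @serial, @root_cause, @lessons)", con, tx)
                    cmd.Parameters.AddWithValue("@date", fDate)
                    cmd.Parameters.AddWithValue("@op_id", fUsr)
                    cmd.Parameters.AddWithValue("@serial", fPartNum)
                    cmd.Parameters.AddWithValue("@root_cause", fRoot)
                    cmd.Parameters.AddWithValue("@lessons", fLessons)
                    cmd.ExecuteNonQuery()
                    ' Same value LAST_INSERT_ID() returns on this connection; other
                    ' sessions' inserts cannot change it.
                    newId = cmd.LastInsertedId
                End Using

                ' 2) Extras table: the key is supplied explicitly, not auto-incremented.
                Using cmd As New MySqlCommand(
                        "INSERT INTO 5why_mbusi (why_id, countermeasure, containment, group_leader) " &
                        "VALUES (@why_id, @countermeasure, @containment, @group_leader)", con, tx)
                    cmd.Parameters.AddWithValue("@why_id", newId)
                    cmd.Parameters.AddWithValue("@countermeasure", fCounter)
                    cmd.Parameters.AddWithValue("@containment", fContainment)
                    cmd.Parameters.AddWithValue("@group_leader", fGroupLeader)
                    cmd.ExecuteNonQuery()
                End Using

                tx.Commit()
                Return newId
            Catch
                ' Either insert failed: undo the first so no orphaned shared row remains.
                tx.Rollback()
                Throw
            End Try
        End Using
    End Function
End Module
```

In the button handler, call this function first and issue Response.Redirect only after it returns; the parameters also replace the quoted-string concatenation that both questions used.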
Struggling a bit here. Trying to develop the code to link user input into my database, in the form of a booking record. For example the user would be asked to enter their name, address etc. But the code I have used does not seem to execute because I continually get the same error.
Line 12: Dim con As New SqlConnection
Line 13: Dim inscmd As New SqlCommand
Line 14: con.ConnectionString = System.Configuration.ConfigurationManager.ConnectionStrings("Database.My.MySettings.Database1ConnectionString1").ConnectionString
Line 15: con.Open()
Line 16: inscmd.CommandText = ("insert into booking values('" + txtfirstname.Text + "', " + txtSurname.Text + "', " + txtAddressline1.Text + "', " + txtAddressline2.Text + "', " + txtPostcode.Text + "', " + txtTime.Text + "', " + txtPeople.Text + "', " + txtDropoff1.Text + "', " + txtDropoff2.Text + "', " + txtDropoffpost.Text + "")
It is line 14 that contains the error but I don't know why. This is my code:
Protected Sub btnsubmit_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnsubmit.Click
Dim con As New SqlConnection
Dim inscmd As New SqlCommand
con.ConnectionString = System.Configuration.ConfigurationManager.ConnectionStrings("Database.My.MySettings.Database1ConnectionString1").ConnectionString
con.Open()
inscmd.CommandText = ("insert into booking values('" + txtfirstname.Text + "', " + txtSurname.Text + "', " + txtAddressline1.Text + "', " + txtAddressline2.Text + "', " + txtPostcode.Text + "', " + txtTime.Text + "', " + txtPeople.Text + "', " + txtDropoff1.Text + "', " + txtDropoff2.Text + "', " + txtDropoffpost.Text + "")
Print(inscmd.CommandText)
inscmd.Connection = con
inscmd.ExecuteNonQuery()
con.Close()
inscmd.Parameters.Clear()
MsgBox("Your booking has been successfully")
con.Close()
End Sub
Hopefully this will help you (insert your code where needed):
Try
Dim con As New SqlConnection
Dim myConString As String = getSQLString() ' GET YOUR CON String
' my function looks like this when returned
"Server=ServerExactLocationPath;Database=DataBase;User Id=UserName;Password=Password;"
Dim objcommand As SqlCommand = New SqlCommand
'con.ConnectionString = myConString
With objcommand
.Connection = con
Dim cmdText As String = ""
cmdText = "Insert into SitesStatus (SiteNumber,StatusName,Date,ByUser) values ('" & site & "','" & status & "','" & System.DateTime.Today.ToString("MM/dd/yyyy") & "','" & dbUiInitials & "')"
'PUT YOUR INSERT ABOVE
.CommandText = cmdText
End With
con.ConnectionString = myConString
con.Open()
objcommand.ExecuteNonQuery()
con.Close()
Catch ex As Exception
End Try
Return Nothing
insert into booking values('" + txtfirstname.Text + "', " + txtSurname.Text + "', " + txtAddressline1.Text + "', " + txtAddressline2.Text + "', " + txtPostcode.Text + "', " + txtTime.Text + "', " + txtPeople.Text + "', " + txtDropoff1.Text + "', " + txtDropoff2.Text + "', " + txtDropoffpost.Text + "
should be
insert into booking values('" + txtfirstname.Text + "', '" + txtSurname.Text + "', '" + txtAddressline1.Text + "', '" + txtAddressline2.Text + "', '" + txtPostcode.Text + "', " + txtTime.Text + "', '" + txtPeople.Text + "', '" + txtDropoff1.Text + "', '" + txtDropoff2.Text + "', '" + txtDropoffpost.Text + "')"
You should use the connection string wizard in the Project Settings window. Then try the test connection button and make sure the type of the setting is ConnectionString.
You should be able to get the connection string using this syntax if things are set up right.
con.ConnectionString = my.Settings.Database1ConnectionString1
strSQL = "INSERT INTO user_account_details" & _
"(lastname,firstname,middlename,usertype,reg_date_time,status)" & _
" VALUES ( " & _
" '" & txtLName.Text & "', " & _
" '" & txtFName.Text & "' , " & _
" '" & txtMName.Text & "' , " & _
" '" & cboUserType.Text & "' , " & _
" '#" & Now & "#', " & _
" 'Inactive' " & _
")"