I am trying to get multiple rows into a table hence my attempt to get the row number and put it into a for loop, the countC is exactly the same number of rows as the select statement, so the issue is not there
I'm using an oledb connection as my code is in vb asp.net but my database is in ms access 2003
For c As Integer = 1 To countC
Dim cmdstring As String
cmdstring = " INSERT INTO [KN - ProductionMachineAllocation] (BatchNo, ComponentID)
SELECT POH.BatchNo, SSCDD.ComponentID
FROM (
SELECT ROW_NUMBER() OVER (ORDER BY BatchNo ASC) AS rownumber
([KN - ProductionOrderHeader] AS POH
INNER JOIN [FG - End Product Codes] AS EPC
ON POH.ProductID = EPC.ProductID)
INNER JOIN ([KN - ProductionOrderDetails] AS POD
INNER JOIN [FG - Style Size Comp Def Details] AS SSCDD
ON POD.SizeID = SSCDD.SizeID)
ON (POH.BatchNo = POD.BatchNo)
AND (EPC.StyleID = SSCDD.StyleID)
WHERE POH.BatchNo = '" & BatchNo & "'
) AS temptablename
WHERE rownumber IN (" & c & ");"
Dim con As New OleDbConnection("Provider=Microsoft.ACE.OLEDB.12.0;Data Source=|DataDirectory|\Shantara Production IT.mdb")
Dim cmd As New OleDbCommand(cmdstring)
cmd.CommandType = CommandType.Text
cmd.Connection = con
cmd.Connection.Open()
cmd.ExecuteNonQuery()
cmd.Connection.Close()
Next
I found out that ms access doesn't support ROW_NUMBER() so I need to find another going through each row since ms access doesn't support multi row insert by insert into select statement such as mine, any suggestions around my problem?
Most databases are able to do all this work much more efficiently entirely in the database. Certainly in SQL Server I could get entire thing down to a single query. Access is a little different, since vbscript is its procedural language, rather than something more like t-sql. There's still probably a way to do it, but since what you have works, we can at least focus on making that better.
GridViews are visual constructs that will use up extra memory and resources. If Access won't do a real INSERT/SELECT, you can at least read direct from the previous result set into your insert. You can also improve on this significantly by using parameters and re-using a single open connection for all the inserts:
Dim cnString As String = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=|DataDirectory|\Shantara Production IT.mdb"
Dim SQLDown As String = _
"SELECT DISTINCT POH.BatchNo, SSCDD.ComponentID
FROM ([KN - ProductionOrderHeader] AS POH
INNER Join [FG - End Product Codes] AS EPC
On POH.ProductID = EPC.ProductID)
INNER Join([KN - ProductionOrderDetails] AS POD
INNER Join [FG - Style Size Comp Def Details] AS SSCDD
On POD.SizeID = SSCDD.SizeID)
On (POH.BatchNo = POD.BatchNo)
And (EPC.StyleID = SSCDD.StyleID)
WHERE POH.BatchNo = ? "
Dim SQLUp As String = _
" INSERT INTO [KN - ProductionMachineAllocation]
(BatchNo, ComponentID)
VALUES( ?, ? )"
Dim dt As New DataTable
Using con As New OleDbConnection(cnString), _
cmd As New OleDbCommand(SQLDown, con)
'Guessing at parameter type/length here.
'Use the actual column type and size from your DB
cmd.Parameters.Add("#BatchNo", OleDbType.VarWChar, 10).Value = BatchNo
con.Open()
dt.Load(cmd.ExecuteReader())
End Using
Using con As New OleDbConnection(cnString), _
cmd As New OleDbCommand(SqlUp, con)
'Guessing at parameter types/lengths again
cmd.Parameters.Add("#BatchNo", OleDbType.VarWChar, 10)
cmd.Parameters.Add("#ComponentID", OleDbType.Integer)
'Connection is managed *outside of the loop*. Only one object created, only one negotiation with DB
con.Open()
For Each row As DataRow In dt.Rows
cmd.Parameters(0).Value = row(0)
cmd.Parameters(1).Value = row(1)
cmd.ExecuteNonQuery()
Next
End Using
Normally, with any ADO.Net provider you do not re-use your connection or command objects. You want a new connection object for every query sent to the DB to allow connection pooling to work correctly. Using the connection in a tight loop like this for the same query is one of the few exceptions.
I might be able to improve further by sticking with the active DataReader, rather than first loading it into a DataTable. That would allow us to avoid loading the entire result set into memory. You would only ever need one record in memory at a time. Certainly this would work for Sql Server. However, Access was designed mainly as a single-user database. It doesn't really like multiple active connections at once, and I'm not sure how it would respond.
It would also be nice to be able to do all of this work in a transactional way, where there's never any risk of it failing part way through the loop and getting stuck with half the updates. Sql Server would handle this via a single INSERT/SELECT query or with an explicit transaction. But, again, this isn't the kind of the Access is designed for. It probably does have a way to do this, but I'm not familiar with it.
OK SO I finally found a way around it, it's a bit of a long process but basically I loaded the SELECT statement(with multiple rows) into a gridview table and the used a for loop to insert it into my insert into statement. bellow is my code:
Displaying into a table
Dim Adapter As New OleDbDataAdapter
Dim Data As New DataTable
Dim SQL As String
Dim con As New OleDbConnection("Provider=Microsoft.ACE.OLEDB.12.0;Data Source=|DataDirectory|\Shantara Production IT.mdb")
Dim cmd As New OleDbCommand()
grdvmachincomp.Visible = false
SQL = "SELECT DISTINCT POH.BatchNo, SSCDD.ComponentID
FROM ([KN - ProductionOrderHeader] AS POH
INNER Join [FG - End Product Codes] AS EPC
On POH.ProductID = EPC.ProductID)
INNER Join([KN - ProductionOrderDetails] AS POD
INNER Join [FG - Style Size Comp Def Details] AS SSCDD
On POD.SizeID = SSCDD.SizeID)
On (POH.BatchNo = POD.BatchNo)
And (EPC.StyleID = SSCDD.StyleID)
WHERE POH.BatchNo = '" & BatchNo & "'"
con.Open()
cmd.Connection = con
cmd.CommandText = SQL
Adapter.SelectCommand = cmd
Adapter.Fill(Data)
grdvmachincomp.DataSource = Data
grdvmachincomp.DataBind()
cmd.Connection.Close()
Insert into through for loop
For c As Integer = 0 To grdvmachincomp.Rows.Count - 1
Dim cmdstring As String
cmdstring = " INSERT INTO [KN - ProductionMachineAllocation] (BatchNo, ComponentID) VALUES('" & grdvmachincomp.Rows(c).Cells(0).Text & "', " & grdvmachincomp.Rows(c).Cells(1).Text & ");"
Dim con As New OleDbConnection("Provider=Microsoft.ACE.OLEDB.12.0;Data Source=|DataDirectory|\Shantara Production IT.mdb")
Dim cmd As New OleDbCommand(cmdstring)
cmd.CommandType = CommandType.Text
cmd.Connection = con
cmd.Connection.Open()
cmd.ExecuteNonQuery()
cmd.Connection.Close()
Next
Related
So I have a label which shows the username of the user. I've used this value to return their ID which I then attach to a label. I used execute scalar to do this because I wasn't sure how else to get a single value on a label.
This works fine. I then use the ID from the label and put it in another table. I can do this twice and then the page crashes saying...
"Subquery returned more than 1 value. This is not permitted when the subquery follows =, !=, <, <= , >, >= or when the subquery is used as an expression."
However I don't understand. I don't pull anything from the second table on the page. I don't know why it would affect it. I feel like I've tried everything. Taking out the line that posts the ID to the label lets the page run but I need it there.
Label2.Text = User.Identity.Name
Dim connetionString As String
Dim cnn As SqlConnection
Dim cmd As SqlCommand
Dim sql As String
connetionString = "Data Source=(LocalDB)\v11.0;AttachDbFilename=|DataDirectory|\FYPMS_DB.mdf;Integrated Security=True"
sql = "SELECT SupID FROM Supervisor WHERE (Email = #Email)"
cnn = New SqlConnection(connetionString)
Try
cnn.Open()
cmd = New SqlCommand(sql, cnn)
cmd.Parameters.Add(New SqlParameter("#Email", User.Identity.Name))
Dim supid1 As Int32 = Convert.ToInt32(cmd.ExecuteScalar())
cmd.Dispose()
cnn.Close()
Label1.Text = supid1.ToString
Catch ex As Exception
MsgBox("Can not open connection ! ")
End Try
End Sub
This should return the first result for you. Also, it's a good idea to employ Using blocks for objects such as connections, commands, and readers.
Using cn = New SqlConnection("Data Source=(LocalDB)\v11.0;AttachDbFilename=|DataDirectory|\FYPMS_DB.mdf;Integrated Security=True")
cn.Open()
Using cmd = New SqlCommand("SELECT SupID FROM Supervisor WHERE Email = #Email", cn)
cmd.Parameters.AddWithValue("#Email", User.Identity.Name)
Using dr = cmd.ExecuteReader
If dr.Read Then
Label1.Text = CInt(dr("SupID"))
End If
End Using
End Using
End Using
If you are not sure there are multiple rows for same email in that table, you can change the query to following, that will work for you with executescalar.
SELECT TOP 1 SupID FROM Supervisor WHERE (Email = #Email)
Horribly sorry! But yes you were right! There was another query going on in the background that I never noticed that was affecting it all. So sorry
I am trying to create unique policies with a ASP webservice and an Oracle 10.2g database.
I used to have a select query and an insert query to create policy numbers
But yesterday the webservice was called from 2 different threads and in the same exactly time and two same policy numbers where created.
So i changed the code to use a transation.
If the webservice is called from two different threads in the same time how will the transaction work?
Will the readcommited block the second thread or i will face the same problem again?
The select query will work or will there be a problem?
Public Function ExecutePolicyNumberTransaction(ByVal conet_key As String) As String
Dim policyno As String = ""
Dim sqlstring As String = ""
Dim conStr As String = ConfigurationManager.ConnectionStrings("con1").ConnectionString
Using connection As New OleDbConnection(conStr)
Dim transaction As OleDbTransaction
Try
connection.Open()
transaction = connection.BeginTransaction(IsolationLevel.ReadCommitted)
Dim insertcommand As New OleDbCommand()
insertcommand.Connection = connection
insertcommand.Transaction = transaction
sqlstring = " INSERT into POLICYNUMBERS ( " & _
" RECID, POLICYNO, REFERNCEKEY, ISUSED, ISUSEDDATE ) " & _
" (SELECT NVL(MAX(RECID),0)+1, concat('P0130',concat(to_char(SUBSTR('000000', 0, 6-length(to_char(NVL(MAX(RECID),0)+1)))),to_char(NVL(MAX(RECID),0)+1))), '" & ref_key & "', 1, sysdate " & _
" FROM POLICYNUMBERS )"
insertcommand.CommandText = sqlstring
insertcommand.ExecuteNonQuery()
transaction.Commit()
Dim selectcommand As New OleDbCommand()
selectcommand.Connection = connection
sqlstring = "SELECT POLICYNO FROM POLICYNUMBERS WHERE REFERNCEKEY = '" & ref_key & "'"
selectcommand.CommandText = sqlstring
policyno = selectcommand.ExecuteScalar()
Catch ex As Exception
Try
transaction.Rollback()
Catch
End Try
policyno = ""
End Try
End Using
Return policyno
End Function
In Oracle, readers don't block writers and writers don't block readers. So neither session will block the other.
In a multi-user environment, however, you cannot generate primary keys using MAX(key)+1 unless you specifically introduce some form of serialization. Unless you want to build slow, unreliable systems, you don't want to introduce serialization. Instead, you really, really, really want to be using a sequence to generate your keys. Sequences are specifically designed to give primary keys to multiple concurrent sessions with a minimal overhead.
CREATE SEQUENCE policy_recid_seq
START WITH 1
INCREMENT BY 1
CACHE 100;
INSERT INTO policynumbers
SELECT policy_recid_seq.nextval, ...
I'm looking for a suggestion for the best way to accomplish the following task. I need to run an SQL query that will pull up to 200 rows. With each row, I need to take the data from that row and insert it into another table. At first I thought I would nest database connections like the code example I've listed below. However I was wondering if this was the incorrect way of doing it and what would be a better way.
Any ideas?
Dim dbconn As New SqlConnection
Dim dbconn2 As New SqlConnection
dbconn = New SqlConnection(ConfigurationManager.ConnectionStrings("databaseName").ConnectionString
dbconn2 = New SqlConnection(ConfigurationManager.ConnectionStrings("databaseName").ConnectionString
dbconn.Open()
Dim cmd As New SQLCommand
Dim cmd2 As New SQLCommand
Dim UserReader As SqlDataReader
Dim cmdStringSource As String = "SELECT approx 25 fields WHERE fldRandomField = 26"
Dim cmdStringUpdate As String
cmd = New SQLCommnd(cmdStringSource, dbconn)
UserReader = cmdExecuteReader()
If UserReader.HasRows Then
While UserReader.Read()
cmdStringUpdate = "UPDATE tblUpdate SET a whole bunch of stuff from the cmdStringSource current record"
dbconn2.Open()
cmd2=New SQLCommand(cmdStringUpdate, dbconn2)
cmd2.ExecuteNonQuery()
dbconn2.close()
End While
End If
UserReader.Close()
dbconn.close()
Instead of doing this in the loop, with multiple connections and datareaders - do it entirely in the back end.
SQL Server supports Insert from select e.g.
INSERT INTO Table1 (field1, field2, field3 ...)
SELECT field1, field2, field3 FROM FROM Table2
WHERE <some condition>
Same goes for UPPDATE e.g.
UPDATE Table1
SET Table1.Field1 = Table2.Field1,
Table1.Field2 = Table2.Field2
Table1.Field3 = Table2.Field3
FROM Table1 INNER JOIN Table2
ON Table1.CommonField = Table2.CommonField
WHERE <some condition>
Just build this statement and call it once with a single connection and ExecuteNonQuery command.
I have a query which only retrieves the records of the Description Field of Table 1 that do not match or contain the keywords available in the Keywords Field in Table 2. So the ones that match should not appear in the GridView, rather only the ones that do not match. I am trying to display the results of the SQL Query in a GridView, however I am getting the ones that match, which is not my requirement.
I tried running the SQL Query in SQL Server and it works really fine. Even in my web app it works fine, but only if I specify explicitly the keyword after the Like Statement. But rather I want it to span all the Keywords in Table2. Here is my code.
conn.Open()
For Each row As GridViewRow In Me.GridView1.Rows
For i As Integer = 0 To GridView2.Rows.Count - 1
Dim Records1 As String = GridView2.Rows(i).Cells(0).Text
Dim cmd = New SqlCommand("Select DISTINCT Description From DB.dbo.Table1 " +
"WHERE NOT EXISTS (Select * From [DB].dbo.Table2 WHERE " +
"Table1.Description LIKE '%' +TABLE2.Keywords + '%')", conn)
DA.SelectCommand = cmd
DA.Fill(dt)
GridView3.DataSource = dt
GridView3.DataBind()
cmd.ExecuteNonQuery()
cmd.Dispose()
DA.Dispose()
dt.Clear()
dt.Dispose()
Next
Next
GridView1 has the data from Table1 (The Description)
GridView2 has the data from Tabel2 (The Keywords)
GridView3 has the results of the query
However, as said before I am still getting the ones that match. Is there something wrong with the format of the query, something missing or written in an incorrect format? Any suggestions or thoughts would really be appreciated.
shouldn't that be:
WHERE Table1.Description LIKE #Grid)"
cmd.Parameters.AddWithValue("#Grid", "%" + GridView2.Rows(i).Cells(0).Text.ToString() + "%")
Better solution would be to do this from within a stored procedure and pass the #Grid parameter. IMHO
But, to answer your question specifically, this should work
For i As Integer = 0 To GridView2.Rows.Count - 1
Dim Records1 As String = GridView2.Rows(i).Cells(0).Text
Dim cmd = New SqlCommand("Select DISTINCT Description From DB.dbo.Table1 " +
"WHERE NOT EXISTS (Select * From [DB].dbo.Table2 WHERE " +
"Table1.Description LIKE "
"'%" + GridView2.Rows(i).Cells(0).Text.ToString() + "%')", conn)
DA.SelectCommand = cmd
DA.Fill(dt)
GridView3.DataSource = dt
GridView3.DataBind()
cmd.ExecuteNonQuery()
cmd.Dispose()
DA.Dispose()
dt.Clear()
dt.Dispose()
Next
I have this code
UPDATE OPENQUERY (db,'SELECT * FROM table WHERE ref = ''"+ Ref +"'' AND bookno = ''"+ Session("number") +"'' ')
How would I prevent SQL Injections on this?
UPDATE
Here's what i'm trying
SqlCommand cmd = new SqlCommand("Select * from Table where ref=#ref", con);
cmd.Parameters.AddWithValue("#ref", 34);
For some reason everything I try and add it doesn't seem to work I keep getting SQL Command mentioned below.
The error is this
'SqlCommand' is a type and cannot be used as an expression
I'm taking over someone else's work so this is all new to me and I would like do things the right way so if anyone can provide any more help on how to make my query above safe from SQL injections then please do.
UPDATE NO 2
I added in the code as VasilP said like this
Dim dbQuery As [String] = "SELECT * FROM table WHERE ref = '" & Tools.SQLSafeString(Ref) & "' AND bookno = '" & Tools.SQLSafeString(Session("number")) & "'"
But I get an error Tools is not declared do I need to specify a certain namespace for it to work?
UPDATE
Has anyone got any ideas on the best of getting my query safe from SQL injection without the errors that i'm experiencing?
UPDATE
I now have it so it work without the parameters bit here's my updated source code any idea why it won't add the parameter value?
Dim conn As SqlConnection = New SqlConnection("server='server1'; user id='w'; password='w'; database='w'; pooling='false'")
conn.Open()
Dim query As New SqlCommand("Select * from openquery (db, 'Select * from table where investor = #investor ') ", conn)
query.Parameters.AddWithValue("#investor", 69836)
dgBookings.DataSource = query.ExecuteReader
dgBookings.DataBind()
It works like this
Dim conn As SqlConnection = New SqlConnection("server='server1'; user id='w'; password='w'; database='w'; pooling='false'")
conn.Open()
Dim query As New SqlCommand("Select * from openquery (db, 'Select * from table where investor = 69836') ", conn)
dgBookings.DataSource = query.ExecuteReader
dgBookings.DataBind()
The error i'm getting is this
An error occurred while preparing a query for execution against OLE DB provider 'MSDASQL'.
And it's because it isn't replacing the #investor with the 69836
Any ideas?
SOLUTION
Here is how I solved my problem
Dim conn As SqlConnection = New SqlConnection("server='h'; user id='w'; password='w'; database='w'; pooling='false'")
conn.Open()
Dim query As New SqlCommand("DECLARE #investor varchar(10), #sql varchar(1000) Select #investor = 69836 select #sql = 'SELECT * FROM OPENQUERY(db,''SELECT * FROM table WHERE investor = ''''' + #investor + ''''''')' EXEC(#sql)", conn)
dgBookings.DataSource = query.ExecuteReader
dgBookings.DataBind()
Now I can write queries without the worry of SQL injection
Try using a parameterized query here is a link http://www.aspnet101.com/2007/03/parameterized-queries-in-asp-net/
Also, do not use OpenQuery... use the this to run the select
SELECT * FROM db...table WHERE ref = #ref AND bookno = #bookno
More articles describing some of your options:
http://support.microsoft.com/kb/314520
What is the T-SQL syntax to connect to another SQL Server?
Edited
Note: Your original question was asking about distributed queries and Linked servers. This new statement does not reference a distributed query. I can only assume you are directly connecting to the database now. Here is an example that should work.
Here is another reference site for using SqlCommand.Parameters
SqlCommand cmd = new SqlCommand("Select * from Table where ref=#ref", con);
cmd.Parameters.Add("#ref", SqlDbType.Int);
cmd.Parameters["#ref"] = 34;
Edited:
Ok Jamie taylor I will try to answer your question again.
You are using OpenQuery becuase you are probably using a linked DB
Basically the problem is the OpenQuery Method takes a string you cannot pass a variable as part of the string you sent to OpenQuery.
You can format your query like this instead. The notation follows servername.databasename.schemaname.tablename. If you are using a linked server via odbc then omit databasename and schemaname, as illustrated below
Dim conn As SqlConnection = New SqlConnection("your SQL Connection String")
Dim cmd As SqlCommand = conn.CreateCommand()
cmd.CommandText = "Select * db...table where investor = #investor"
Dim parameter As SqlParameter = cmd.CreateParameter()
parameter.DbType = SqlDbType.Int
parameter.ParameterName = "#investor"
parameter.Direction = ParameterDirection.Input
parameter.Value = 34
Use parameters instead of concatenating your SQL query.
Assuming your database engine being SQL Server, here's a piece of code which I hope will help.
Using connection As SqlConnection = new SqlConnection("connectionString")
connection.Open()
Using command As SqlCommand = connection.CreateCommand()
string sqlStatement = "select * from table where ref = #ref and bookno = #bookno";
command.CommandText = sqlStatement
command.CommandType = CommandType.Text
Dim refParam As SqlDataParameter = command.CreateParameter()
refParam.Direction = ParameterDirection.Input
refParam.Name = "#ref"
refParam.Value = Ref
Dim booknoParam As SqlDataParameter = command.CreateParameter()
booknoParam.Direction = ParameterDirection.Input
booknoParam.Name = "#bookno"
booknoParam.Value = Session("number")
Try
Dim reader As SqlDataReader = command.ExecuteQuery()
' Do your reading job here...'
Finally
command.Dispose()
connection.Dispose()
End Try
End Using
End Using
To sum it all up, avoid SQL statement concatenation at all cost, and use parameterized quesries!
Here is an interesting link that brings you through SQL injection problem resolution on MSDN:
How To: Protect From SQL Injection in ASP.NET
use sqlparameters like:
SqlCommand cmd = new SqlCommand("Select * from Table where id=#id", con);
cmd.Parameters.AddWithValue("#id", 34);
you can use parameterized queries.
http://www.functionx.com/aspnet/sqlserver/parameterized.htm
SqlCommand cmd = new SqlCommand("Select * from Table where ref=#ref", con);
cmd.Parameters.AddWithValue("#ref", 34);
it does not work because it is written in C#, not VB.
Try something like
Dim cmd As New SqlCommand("Select * from Table where ref=#ref", con)
cmd.Parameters.AddWithValue("ref", 34)
My preferred way is to let Visual Studio handle it all by creating a DAL:
http://www.asp.net/data-access/tutorials/creating-a-data-access-layer-cs
Use LINQ. It parametrizes queries automatically.
Check out ORM as an alternative (very good way to go if you are building something medium-sized or big). It takes a little time to configure it, but then development becomes VERY fast. You choose from the native, Linq to SQL or Entity Framework, OR, try any other ORM which works with .NET.