sql subquery syntax asp.net - asp.net

I am trying to excute this sql query
Dim str As String = "UPDATE table1 SET " & _
"number = '" & strc & "'," & _
"code = '" & "123" & "'," & _
"line= '" & dd1.text & "'," & _
"sellr = '" & txtrun.text & "'," & _
"endu= '" & txtex1.value+txtex2.value & "'" & _
"WHERE number IN (select table1.number" & _
"FROM table1 INNER JOIN table2 ON table1.number = table2.number" & _
"WHERE ((table1.username)='" & session("username") & "' AND (table1.pass)='" & session("pass") & "' AND (table2.sellnum)='" & session("sellnum") & "'));"
there is a Syntax error in query expression and this is te first time I am using nested subquery
all the field are getting String values
So if someone can tell me what is the right approach to write this query I will be very grateful

You're missing spaces after table1.number and table2.number fields in the subquery.
I don't know where you're using this query, but you might want to read about SQL injection. When you stick strings together to build SQL, your code may be vulnerable to malicious users who put SQL code into the fields of your application.

Related

'SQL Problem' when trying to update Database in ASP.NET

i am currently learning the basics in ASP.NET and now at manipulating Database. It doesn't go to the Try section and straight away head to the Catch ex as Exception part which gives me the message box saying "Unsuccessful Operation or SQL problem.
dgvResult.Visible = True
Try
conn.Open()
dd.Connection = conn
dd.CommandText = "update [STUDENT]" &
"set [Matric]= '" & txtMatric.Text & "', " &
"[Name] ='" & txtName.Text & "'," &
"[Address] ='" & txtAddress.Text & "'," &
"[Telephone] ='" & txtTelephone.Text & "'," &
" where [Matric] ='" & txtMatric.Text & "' "
dd.ExecuteNonQuery()
dd.Dispose()
conn.Close()
MsgBox("Data Updated")
Catch ex As Exception
MsgBox("Unsucessful Operation or SQL Problem")
End Try
End Sub
My task is to edit some information in database and save it.

Visual Basic code from Microsoft Access does not work

Private Sub cmdAdd_Click()
'add data to table
CurrentDb.Execute "INSERT INTO Products(ProductCode, ProductName, Category, UnitPrice, UnitCost, QuantityInStock, SupplierCode) " & _
" VALUES (" & Me.txtProductCode & " , '" & Me.txtProductName & "' , '" & Me.cboCategory & "' , '" & Me.txtUnitPrice & "' , '" & Me.txtUnitCost & "' , '" & Me.txtQuantityInStock & "' , '" & Me.cboSupplierCode & "')"
'refresh data on list of form
ProductsSub.Form.Requery
End Sub
the code above is suppose to record the data that has been input from the interface, but it does not do anything. The same format of code was used in a different form and it worked. Really weird, but i don't how it was possible.
You'll need to debug this. One of the values you are referencing visa the Me object is not resolving. Place a breakpoint on the CurrentDB.Execute command, and hover over each Me reference (i.e. Me.txtProductCode) to make sure it is obtaining the correct value for the insert. If you have moved this to a library, you may want to use CodeDB.Execute instead of CurrentDB.Execute. I would also check the table to see if the actual INSERT is working as there may be an issue with the Requery event.

Incorrect syntax near the keyword 'close'

I have a section of code in one of my scripts that is getting an error in its syntax.
if(status <> true and Request.QueryString("selectId") = "undefined") then
strConn ="PROVIDER=foobar;Server=foo;Database=foo;Uid=bar;Pwd=bar;"
Set cnt = Server.CreateObject("ADODB.Connection")
set rs1 = CreateObject("ADODB.Recordset")
rs1.CursorLocation = adUseClient
cnt.ConnectionString= strConn
cnt.Open strConn
sql="Select * from rule1 where skucode='" & Request.Form("txthidden") & "' and letter1id ='" & Request.Form("lrt1") & "' and letter2id ='" & Request.Form("Select1") & "' and letter3id ='" & Request.Form("Select2") & "'"
rs1.Open sql,cnt,2,2
if not rs1.EOF then
Response.write("<script language=""javascript"">alert('Rules already exists!');</script>")
else
sql="INSERT INTO rule1 (letter1id,letter2id,letter3id,HTML,skucode) VALUES "
sql=sql & "('" & Request.Form("lrt1") & "',"
sql=sql & "'" & Request.Form("Select1") & "',"
sql=sql & "'" & Request.Form("Select2") & "',"
sql=sql & "'" & Request.Form("txthtml") & "',"
sql=sql & "'" & Request.Form("txthidden") & "')"
cnt.Execute sql
Response.write("<script language=""javascript"">alert('Rules Added successfully!');window.location='" & "viewrule1.asp?skucodes=" & Request.Form("txthidden") & "';</script>")
end if
rs1.Close
cnt.close
The error message I get is:
Microsoft OLE DB Provider for SQL Server error '80040e14'
Incorrect syntax near the keyword 'close'.
/path/file.asp, line 75
Instead of closing it, you can detach it completely:
set cnt = Nothing
There shouldn't be a problem. All i think is if your data is too long or not. Sometimes it occurs when your row limit exceeds. SQL Server 6.5 allows a maximum row size of 1962 bytes and SQL Server 7.0 allows a maximum row size of 8060 bytes. Its just an assumption
Presuming it's the last line that's throwing the error, I'd replace it with:
If IsObject(cnt) Then
On Error Resume Next
If cnt.State = 1 Then ' 1 = adStateOpen '
cnt.Close
End If
Set cnt = Nothing
Err.Clear
On Error Goto 0
End If
cnt is probably already closed by the time it reaches that portion of your script which is why it's throwing the error. Checking its status before closing it needs to be wrapped in On Error Resume Next logic, otherwise it'll throw another error.

Parsing Date from VB.NET for SQL INSERT

I have a web app with a form that I am trying to pass to an ASP.NET server (using VB.NET) and then on to a MS SQL Server table. The form uses a jQuery datepicker in several textboxes and formats them as MM/dd/yyyy. The form fields are then passed through a PageMethod to the web server which takes the various field values and combines them into a SQL UPDATE command.
I am constantly getting the following error whenever I try to execute the SQL command:
Conversion failed when converting date and/or time from character string.
Here is the code on the server:
Using myConn As New System.Data.SqlClient.SqlConnection(CString.ConnectionString)
myConn.Open()
Dim cmd As New System.Data.SqlClient.SqlCommand("UPDATE table " & _
"SET type = '" & type & "', " & _
"target = '" & "#target" & "', " & _
"patient = '" & patient & "', " & _
"dob = '" & "#dob" & "' " & _
"WHERE serial = '" & serial & "'", myConn)
cmd.Parameters.Add(SqlParameter("#target", Data.SqlDbType.Date))
cmd.Parameters.Add(SqlParameter("#dob", Data.SqlDbType.Date))
If target = "" Then
cmd.Parameters("#target").Value = Data.SqlTypes.SqlDateTime.Null
Else
cmd.Parameters("#target").Value = target
End If
If dob = "" Then
cmd.Parameters("#dob").Value = Data.SqlTypes.SqlDateTime.Null
Else
cmd.Parameters("#dob").Value = dob
End If
cmd.ExecuteNonQuery()
End Using
Note: I've tried about twenty different ways of parsing the dates, converting them to dates, changing around the formats and none of it has worked.
Note 2: The conditional statements at the end are simply to prevent empty date fields from being stored in the SQL DB as "1/1/1900", but rather as an actual SQL NULL value. From debugging though, it seems that this is not the issue - it is when there is an actual value that the error is fired.
If anyone can see what I'm doing wrong and how I might fix it, it would be greatly appreciated. Thanks in advance for your help!
You are mixing up your parameterized and non-parameterized parts (why aren't you parameterizing everything?)
Dim cmd As New System.Data.SqlClient.SqlCommand("UPDATE table " & _
"SET type = '" & type & "', " & _
"target = #target, " & _
"patient = '" & patient & "', " & _
"dob = #dob " & _
"WHERE serial = '" & serial & "'", myConn)
Are you including time? DateTime fields require date and time.

Excepted end of statement error in ASP

When inserting data into a database, the following error occurs
"Excepted end of statement"
sqlstr = "INSERT INTO tblContact (Email,FirstName,LastName,Comments) VALUES ('" & Email & "', '" & First Name & "','" & Last Name & "','" & Comments & "')"
objConn.Execute sqlstr
Try using single-word identifiers for your first-name and last-name variables:
sqlstr = "INSERT INTO tblContact (Email,FirstName,LastName,Comments) " & _
" VALUES ('" & Email & "', '" & FirstName & "','" & LastName & "','" & Comments & "')"
objConn.Execute sqlstr
Assuming you've got variables with those names in your VBScript, that'll solve your current problem with Expected end of statement.
Your second problem is your code's vulnerability to SQL injection.
To help fix that problem, see:
Classic ASP SQL Injection Protection
http://www.stardeveloper.com/articles/display.html?article=2008112501&page=1
You might have single quote in one of the values, resulting in invalid SQL. You have to escape single quotes, though better rewrite your code to use parameters instead.
sqlstr = "INSERT INTO tblContact (Email, FirstName, LastName, Comments) " & _
" VALUES ('" & Replace(Email, "'", "''") & "', '" & Replace(FirstName, "'", "''") & "', '" & Replace(LastName, "'", "''") & "', '" & Replace(Comments, "'", "''") & "')"
objConn.Execute sqlstr

Resources