need help with SQL
-
Hello, this is an SQL statement that I'm trying to use in a Windows application in .NET. Query:

    string selCmd = "SELECT eInfo.EmpID, eInfo.Name, lInfo.LeaveEnteredOn, lInfo.LeaveFrom, lInfo.LeaveTo, lInfo.LeaveType"
        + "FROM lmsEmpInfo AS eInfo INNER JOIN lmsLeaveInfo AS lInfo ON lInfo.EmpID = eInfo.EmpID"
        + "WHERE (lInfo.LeaveGranted = 0)";

The problem is that this query works fine when I'm running it in SQL Server Management Studio, but gives an error of "Incorrect syntax near AS" when I try to execute it with the following code:

    SqlDataAdapter myAd = new SqlDataAdapter();
    SqlConnection myCon = new SqlConnection();
    DataSet myDs = new DataSet();
    myCon.ConnectionString = Properties.Settings.Default.LeaveMgmtConnectionString.ToString();
    myAd.SelectCommand = new SqlCommand(selCmd, myCon);
    myAd.Fill(myDs, "Recent_Leaves");

Please help me to rectify this mistake. I would also like suggestions on how I can change the entire row collection of a DataGridView in the SelectedIndexChange event of a combobox, according to a query that is fired in the same event. Any help or assistance is greatly appreciated!! Regards
-
Sujay chakraborty wrote:
string selCmd = "SELECT eInfo.EmpID, eInfo.Name, lInfo.LeaveEnteredOn, lInfo.LeaveFrom, lInfo.LeaveTo, lInfo.LeaveType" + "FROM lmsEmpInfo AS eInfo INNER JOIN lmsLeaveInfo AS lInfo ON lInfo.EmpID = eInfo.EmpID" + "WHERE (lInfo.LeaveGranted = 0)";
First of all, there should be some space in the string where you concatenate the 3 strings... and for your other query, please clarify your question a bit more...
When you fail to plan, you are planning to fail.
-
Your code is subject to SQL injection attacks with the string concatenation. Look up Colin Mackay's article on this site about preventing such attacks.
"The clue train passed his station without stopping." - John Simmons / outlaw programmer "Real programmers just throw a bunch of 1s and 0s at the computer to see what sticks" - Pete O'Hanlon "Not only do you continue to babble nonsense, you can't even correctly remember the nonsense you babbled just minutes ago." - Rob Graham
-
    "SELECT eInfo.EmpID, eInfo.Name, lInfo.LeaveEnteredOn, lInfo.LeaveFrom, lInfo.LeaveTo, lInfo.LeaveType "
        + " FROM lmsEmpInfo AS eInfo INNER JOIN lmsLeaveInfo AS lInfo ON lInfo.EmpID = eInfo.EmpID "
        + " WHERE (lInfo.LeaveGranted = 0)"

When you try to form an SQL statement by concatenating, always insert one space before the closing '"'. Hope this helps. Kan
-
Well, first of all thanks for helping me out with such silly mistakes. I really appreciate that. As far as my second doubt is concerned, what I'm trying to do is fetch records from the database into a DataGridView according to the query passed (i.e. a select command which will fill up the table in the dataset). What I'm doing is not externally attaching this DataGridView to the concerned table (from the properties of the DataGridView); rather, after filling up the dataset and the table, I'm doing this in the SelectedIndexChanged event of the ComboBox:

    DataGridView1.DataSource = null;
    DataGridView1.DataMember = null;
    DataGridView1.Refresh();
    myAD.Fill(ds, "tbl1"); // myAD is the DataAdapter and ds is the DataSet
    DataGridView1.DataSource = ds;
    DataGridView1.DataMember = "tbl1";
    DataGridView1.Refresh();

This code works fine the first time and fetches me the exact result, but when I change the item in the combobox it still keeps the previous records and adds the new ones below. I want the previous records to disappear. I tried the method DataGridView1.Rows.Clear() but it's giving me an error. Please explain to me what is actually going wrong, because I'm new to this technology. Your help is greatly awaited!!! :) Regards, Sujay
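An added example (not code from any poster in this thread) that covers both questions above: the query is kept in one verbatim string so its tokens cannot run together, the value selected in the combo box is passed as a SqlParameter rather than concatenated into the text, and the DataTable is cleared before Fill so the grid shows only the new rows. The combo box name cmbLeaveType, filtering on lInfo.LeaveType, and the settings property name are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;

// Hypothetical form fragment. Assumes a ComboBox cmbLeaveType whose SelectedItem
// is the LeaveType string to filter on, and a DataGridView named DataGridView1.
public partial class LeaveForm : Form
{
    // One verbatim string: the original "...LeaveType" + "FROM ..." joined into
    // "LeaveTypeFROM", which is what produced "Incorrect syntax near AS".
    // The filter value travels as a parameter, never as concatenated text.
    private const string SelectLeaves = @"
        SELECT eInfo.EmpID, eInfo.Name, lInfo.LeaveEnteredOn,
               lInfo.LeaveFrom, lInfo.LeaveTo, lInfo.LeaveType
        FROM lmsEmpInfo AS eInfo
        INNER JOIN lmsLeaveInfo AS lInfo ON lInfo.EmpID = eInfo.EmpID
        WHERE lInfo.LeaveGranted = 0
          AND lInfo.LeaveType = @leaveType";

    private readonly DataSet ds = new DataSet();

    private void cmbLeaveType_SelectedIndexChanged(object sender, EventArgs e)
    {
        string leaveType = cmbLeaveType.SelectedItem as string;
        if (leaveType == null) return;

        using (var con = new SqlConnection(Properties.Settings.Default.LeaveMgmtConnectionString))
        using (var cmd = new SqlCommand(SelectLeaves, con))
        using (var ad = new SqlDataAdapter(cmd))
        {
            // Typed parameter: the selected text is sent as data, so quotes or
            // keywords inside it cannot change the statement.
            cmd.Parameters.Add("@leaveType", SqlDbType.NVarChar, 50).Value = leaveType;

            // Fill() merges into an existing table, which is why the old rows
            // stayed in the grid. Clear the DataTable before refilling instead of
            // calling DataGridView1.Rows.Clear(), which is not allowed on a bound grid.
            if (ds.Tables.Contains("tbl1"))
                ds.Tables["tbl1"].Clear();

            ad.Fill(ds, "tbl1");
        }

        // Rebinding is enough; the grid picks up the refilled table.
        DataGridView1.DataSource = ds;
        DataGridView1.DataMember = "tbl1";
    }
}
```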
-
Kanniah wrote:
When you try to form an Sql by Concating always insert one space before '"'
Are you really suggesting that this prevents a SQL Injection Attack? Please tell me that you are kidding, and that you know that this is absolute rubbish.
Deja View - the feeling that you've seen this post before.