What is wrong in my code
-
Dim remarks As String
remarks = "Under Process"
Dim CmdER As New OleDbCommand
Dim MyReader As OleDb.OleDbDataReader
CmdER.Connection = Mycon
CmdER.CommandText = "select * from tblLoan where pisno= '" & (TxtPisNo.Text) And remarks = (remarks)MyReader = CmdER.ExecuteReader If MyReader.Read() Then MsgBox("An application of this Individual is already under process") TxtPisNo.Text = "" TxtPisNo.Focus() Exit Sub Elsethe data type pisno is longinteger and remarks is text and database is in Ms Access through this code I want to check duplicate entry. means if an application of individual is already under process in database but I am getting an error message that "Conversion from string "Select* from tblloan" to type boolean is not valid. :( :( :( :( :( :(
-
Dim remarks As String
remarks = "Under Process"
Dim CmdER As New OleDbCommand
Dim MyReader As OleDb.OleDbDataReader
CmdER.Connection = Mycon
CmdER.CommandText = "select * from tblLoan where pisno= '" & (TxtPisNo.Text) And remarks = (remarks)MyReader = CmdER.ExecuteReader If MyReader.Read() Then MsgBox("An application of this Individual is already under process") TxtPisNo.Text = "" TxtPisNo.Focus() Exit Sub Elsethe data type pisno is longinteger and remarks is text and database is in Ms Access through this code I want to check duplicate entry. means if an application of individual is already under process in database but I am getting an error message that "Conversion from string "Select* from tblloan" to type boolean is not valid. :( :( :( :( :( :(
Ram A Singh wrote:
CmdER.CommandText = "select * from tblLoan where pisno= '" & (TxtPisNo.Text) And remarks = (remarks)
You're missing quotes around the last part of your query. You're also leaving your system wide-open to SQL Injection[^]. Don't concatenate strings to build the query; use a parameterised query instead:
CmdER.CommandText = "select * from tblLoan where pisno = ? and remarks = ?"
' The parameter names don't matter; OleDb only cares about the order.
CmdER.Parameters.AddWithValue("@p0", TxtPisNo.Text)
CmdER.Parameters.AddWithValue("@p1", remarks)
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
Ram A Singh wrote:
CmdER.CommandText = "select * from tblLoan where pisno= '" & (TxtPisNo.Text) And remarks = (remarks)
You're missing quotes around the last part of your query. You're also leaving your system wide-open to SQL Injection[^]. Don't concatenate strings to build the query; use a parameterised query instead:
CmdER.CommandText = "select * from tblLoan where pisno = ? and remarks = ?"
' The parameter names don't matter; OleDb only cares about the order.
CmdER.Parameters.AddWithValue("@p0", TxtPisNo.Text)
CmdER.Parameters.AddWithValue("@p1", remarks)
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
Thank u for your prompt reply I have tried your code but it did not work and following code worked for me
CmdER.CommandText = "select * from tblLoanapplication where pisno= " & TxtPisNo.Text & " and remarks = '" & (remarks) & "'"
:thumbsup::thumbsup:
-
Thank u for your prompt reply I have tried your code but it did not work and following code worked for me
CmdER.CommandText = "select * from tblLoanapplication where pisno= " & TxtPisNo.Text & " and remarks = '" & (remarks) & "'"
:thumbsup::thumbsup:
It may work for you now, with just a single test case or two, but what if someone typed:
'';DROP TABLE tblLoadapplicationor even worse, into the TxtPisNo or (remarks) textboxes?? Goodbye database! I'd be willing to bet that the account your code is using to connect to the database has full SA permissions to everything, doesn't it? What could possibly go wrong with that?! THAT'S why you use parameterized queries and not this string concatenation crap you're using now.
A guide to posting questions on CodeProject[^]
Dave Kreskowiak -
It may work for you now, with just a single test case or two, but what if someone typed:
'';DROP TABLE tblLoadapplicationor even worse, into the TxtPisNo or (remarks) textboxes?? Goodbye database! I'd be willing to bet that the account your code is using to connect to the database has full SA permissions to everything, doesn't it? What could possibly go wrong with that?! THAT'S why you use parameterized queries and not this string concatenation crap you're using now.
A guide to posting questions on CodeProject[^]
Dave KreskowiakI get the feeling we are fighting a losing battle pointing this out. There seem to be more and more questions like this every week, and even when you point it out more than once, the same person continues to use concatenation in their answers. I just hope that none of them works for my bank.
Use the best guess
-
I get the feeling we are fighting a losing battle pointing this out. There seem to be more and more questions like this every week, and even when you point it out more than once, the same person continues to use concatenation in their answers. I just hope that none of them works for my bank.
Use the best guess
Yeah, I think you're right. It seems that if they stumble upon something (stupid, simple) that works, that they think this must be the correct way to do it without understanding ANYTHING about what they're really doing and why.
A guide to posting questions on CodeProject[^]
Dave Kreskowiak
