WHERE clause of SELECT command
-
Hello everybody! A newer problem on a newer day :) This time, I am facing a very basic issue in the following code:
Private Function GetDataSource(strCampusName) As DataTable Dim cmdText As String = "SELECT \* from tblStaffInfo tbl WHERE tbl.CampusName = " + strCampusName Dim conxnString As String = "Data Source=Raabi\\SQLEXPRESS; Initial Catalog=StaffReport; Integrated Security=True" Dim DGVadapter As New SqlDataAdapter() Dim ds As New DataSet() Dim conxn As New SqlConnection(conxnString) Dim cmd As SqlCommand = conxn.CreateCommand() Try cmd.CommandText = cmdText DGVadapter.SelectCommand = cmd conxn.Open() DGVadapter.Fill(ds) Return ds.Tables(0) conxn.Close() Catch ex As Exception MsgBox("Error: " & ex.Message) End Try End FunctionError: Invalid column name 'whatever' Even if I use, for example;
Dim cmdText As String = "SELECT * from tblStaffInfo tbl WHERE tbl.CampusName = CityCampus"
I receive the same error. Any help, please!
-
Hello everybody! A newer problem on a newer day :) This time, I am facing a very basic issue in the following code:
Private Function GetDataSource(strCampusName) As DataTable Dim cmdText As String = "SELECT \* from tblStaffInfo tbl WHERE tbl.CampusName = " + strCampusName Dim conxnString As String = "Data Source=Raabi\\SQLEXPRESS; Initial Catalog=StaffReport; Integrated Security=True" Dim DGVadapter As New SqlDataAdapter() Dim ds As New DataSet() Dim conxn As New SqlConnection(conxnString) Dim cmd As SqlCommand = conxn.CreateCommand() Try cmd.CommandText = cmdText DGVadapter.SelectCommand = cmd conxn.Open() DGVadapter.Fill(ds) Return ds.Tables(0) conxn.Close() Catch ex As Exception MsgBox("Error: " & ex.Message) End Try End FunctionError: Invalid column name 'whatever' Even if I use, for example;
Dim cmdText As String = "SELECT * from tblStaffInfo tbl WHERE tbl.CampusName = CityCampus"
I receive the same error. Any help, please!
Sorry everybody, I was committing a syntax error. It must be:
Dim cmdText As String = "SELECT * from tblStaffInfo tbl WHERE tbl.CampusName = '" & strCampusName & "'"
It is resolved.
-
Sorry everybody, I was committing a syntax error. It must be:
Dim cmdText As String = "SELECT * from tblStaffInfo tbl WHERE tbl.CampusName = '" & strCampusName & "'"
It is resolved.
Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query. Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^] How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^] Query Parameterization Cheat Sheet | OWASP[^]
Private Function GetDataSource(strCampusName) As DataTable
Dim conxnString As String = "Data Source=Raabi\SQLEXPRESS;Initial Catalog=StaffReport; Integrated Security=True"
Dim cmdText As String = "SELECT * from tblStaffInfo tbl WHERE tbl.CampusName = @CampusName"Using conxn As New SqlConnection(conxnString) Using cmd As New SqlCommand(cmdText, conxn) cmd.Parameters.AddWithValue("@CampusName", strCampusName) Dim DGVadapter As New SqlDataAdapter(cmd) Dim ds As New DataSet() DGVadapter.Fill(ds) Return ds.Tables(0) End Using End UsingEnd Function
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
